SSL disabled when "s" in "https" is removed

**jclim** · 01-31-2011

Hi all,

I have the following web content subdirectory structure:

My domain is www(dot)example(dot)com

My document root is /www/example.com/

I have two subdirectories under the document root, namely, vacation and home, which I want SSL enabled. Also whenever I removed 's' from 'https', SSL get disabled.

My SSL certificate is registered under www(dot)example(dot)com and somehow, my document root contents, excluding vacation and home, always get SSL enabled which should not be.

Here is my apache httpd.conf settings:

<VirtualHost www(dot)example(dot)com:80>
DocumentRoot /www/example.com
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/vacation$ https://www(dot)example(dot)com/vacation/$1 [R]
RewriteRule ^/home$ https://www(dot)example(dot)com/home/$1 [R]
</VirtualHost>

<VirtualHost www(dot)example(dot)com:443>
DocumentRoot /www/example.com
SSLEngine on
SSLCertificateFile ...
SSLCertificateKeyFile ...
SSLCACertificateFile ...
<Directory /www/example.com/vacation>
SSLOptions +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>

<Directory /www/example.com/home>
SSLOptions +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
</VirtualHost>

Is there anything wrong?

Thanks in advance!

**Kloschüssel** · 01-31-2011

you've got there two rewrite rules that force the protocol to be https.

**jclim** · 02-01-2011

Thanks for your response. Somehow, this setup does not maintain the SSL connection when 's' is removed from https. Can you offer some advices on the regular expression composition?

**Kloschüssel** · 02-01-2011

I don't even understand why it should be there.

Why is it important that users who access ^/vacation or ^/home are forced to use ssl and are not allowed to freely decide whether they want ssl or not?

**Lazydog** · 02-01-2011

Originally Posted by Kloschüssel

I don't even understand why it should be there.

Why is it important that users who access ^/vacation or ^/home are forced to use ssl and are not allowed to freely decide whether they want ssl or not?

How many users do you know that really understand security or know what they need?
I can understand the OP wanting SSL only connections.

**Kloschüssel** · 02-01-2011

... sure ... but jclim is the op and I hope that he knows what he is doing.

even if - without offense - i'm not sure at all when i come thinking about it.

therefore these decisions are OT (off topic) for everyone but jclim.

**jclim** · 02-02-2011

Hi guys!

Well, the names are hypothetical but the situation is how it is in my workplace. I was left or was handed down with this awkward setup and as you guys know, as sysads, we need to make things work no matter what.

the reason i need those two subdirectories SSL enabled is both contain a fairly huge information system which needs traffic to be encrypted. I know it's odd to put them in subdirectories rather than subdomain the reason being our systems are really messy and i am currently doing some needed cleanup.

but again, returning to my previous question, why does removing 's' in https disables SSL, something wrong with my regex in my rewrite rules?

**Kloschüssel** · 02-02-2011

ok, i think i got your problem now. you expect the redirect rule to redirect requests coming with http to https by matching the request port <> 443.

RewriteCond %{SERVER_PORT} !^443$

so this line may be wrong, use the variable HTTPS instead and match for the strings "on", "off". read here

and it should read like this:

RewriteCond W X
RewriteRule Y Z

RewriteCond W X
RewriteRule O P

instead of:

RewriteCond W X
RewriteRule Y Z
RewriteRule O P

Thread Tools

Display

SSL disabled when "s" in "https" is removed

Posting Permissions