[tl;dr] Why is Apache redirecting https requests that have gone through the rewrite engine to http?

I have a site that is redirecting some pages (only ones that have been through rewrites) from https to http.

Including rewrite log on the ssl config does not show anything, no rewrite etc.

The redirect is happening before it gets to PHP, so there can't be any header() calls doing it. I have checked anyway and it's not the case. (It's in-house software, a simple 4-file PHP app.)

Searching Google is tricky, as all I can find is tutorials on redirecting http->https :(

version

Server Version: Apache/2.2.22 (Debian) PHP/5.5.14-1~dotdeb.1 mod_ssl/2.2.22 OpenSSL/1.0.1e
Server Built: Jun 16 2014 03:51:14

Apache config below, with actual IPs etc. removed.

<VirtualHost <ip>:80>
    ServerName <domain>.co.uk

    DocumentRoot <root>
    php_value include_path .:<root>/include
    php_value auto_prepend_file <root>/include/header.php
    php_value auto_append_file <root>/include/footer.php

    Include <path>/secure.rewrite.conf
    Include <path>/rewrite.conf
</VirtualHost>

<VirtualHost <ip>:443>
    ServerName <domain>.co.uk

    DocumentRoot <root>
    php_value include_path .:<root>/include
    php_value auto_prepend_file <root>/include/header.php
    php_value auto_append_file <root>/include/footer.php

    Include <path>/rewrite.conf

    Include <path>ssl.conf

    SSLCertificateKeyFile   <cert>.key
    SSLCertificateFile      <cert>.crt
    SSLCertificateChainFile <cert>.ca-bundle
</VirtualHost>

secure.rewrite.conf

RewriteEngine On
RewriteCond %{SERVER_PORT} ^80
RewriteRule ^/login https://%{HTTP_HOST}%{REQUEST_URI} [L,R]

rewrite.conf

RewriteRule ^/dir/forgot_password/(.*)                            /dir/forgot_details.php?hash=$1                  [L,QSA]
RewriteRule ^/dir/forgot_password                                 /dir/forgot_details.php                          [L,QSA]
RewriteRule ^/dir/login                                           /dir/login.php                                   [L,QSA]
RewriteRule ^/dir/logout                                          /dir/login.php?logout=1                          [L,QSA]
RewriteRule ^/dir/settings                                        /dir/settings.php                                [L,QSA]
RewriteRule ^/dir/(PO|EC)\.([A-Za-z0-9\.]+)/despatchnote/print    /dir/despatch_note.php?encore_id=$1\.$2&print=1  [L,QSA]
RewriteRule ^/dir/(PO|EC)\.([A-Za-z0-9\.]+)/despatchnote          /dir/despatch_note.php?encore_id=$1\.$2          [L,QSA]
RewriteRule ^/dir/(PO|EC)\.([A-Za-z0-9\.]+)/print                 /dir/view.php?encore_id=$1\.$2&print=1           [L,QSA]
RewriteRule ^/dir/(PO|EC)\.([A-Za-z0-9\.]+)/action                /dir/view.php?encore_id=$1\.$2&action=1          [L,QSA]
RewriteRule ^/dir/(PO|EC)\.([A-Za-z0-9\.]+)                       /dir/view.php?encore_id=$1\.$2                   [L,QSA]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
RewriteRule ^ <root>/webroot/index.php [L]

ssl.conf

SSLEngine on
<Directory /public/*/htdocs>
    SSLRequireSSL
</Directory>
SSLProtocol         all -SSLv2 -SSLv3
SSLCipherSuite      "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA 3DES RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS +3DES 3DES +RC4 RC4"
SSLHonorCipherOrder on
SSLCompression      off
dogmatic69
  • Did you try to turn on rewrite logs and set the log level to 7 or more? – Sverre Jul 16 '14 at 09:48
  • I find it useful to test with 'curl -I https://...' when troubleshooting redirect issues. Also useful for spotting occasions where it's the application, rather than the web server, issuing the redirect. If you could post some such test cases, that would help us in understanding your problem more. – Cameron Kerr Jul 16 '14 at 11:40
  • Thanks for the input. As I said, the rewrite logs were empty for https requests (see my answer below for the reason). And curl was being used, as it's nice to see just the headers. Good tip anyhow. – dogmatic69 Jul 16 '14 at 19:45

1 Answer

Ok, found out the issue.

That specific config did not have RewriteEngine On in it. It was working without https because somewhere along the line the http config was starting rewrites.

The redirect was coming from Apache not finding anything (because it was meant to be rewritten to an actual file, but was not) and then serving the 404 page, which somehow redirected to the http version.

This is why requests for actual files worked: the 404 error did not happen, as Apache was able to serve the files.

Best to have the pesky RewriteEngine On call somewhere global so it's either always on or always off.

dogmatic69
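
A check for the misconfiguration described in the answer, as an added example that is not part of the original question or answer: it flattens each virtual host's Include directives and reports any vhost that carries RewriteRule lines without an effective RewriteEngine On. Each vhost is evaluated on its own because mod_rewrite settings are not inherited by virtual hosts by default; the addresses, include names and file contents are constructed sample data, and `expand` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample mirroring the page's layout: rewrite.conf has rules but no
# "RewriteEngine On"; only secure.rewrite.conf (included by :80) turns it on.
INCLUDES = {
    "secure.rewrite.conf": "RewriteEngine On\nRewriteCond %{SERVER_PORT} ^80\n"
                           "RewriteRule ^/login https://%{HTTP_HOST}%{REQUEST_URI} [L,R]\n",
    "rewrite.conf": "RewriteRule ^/dir/login /dir/login.php [L,QSA]\n",
    "ssl.conf": "SSLEngine on\n",
}
MAIN = """
<VirtualHost 192.0.2.10:80>
    Include conf/secure.rewrite.conf
    Include conf/rewrite.conf
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    Include conf/rewrite.conf
    Include conf/ssl.conf
</VirtualHost>
"""

def expand(text, includes):
    """Inline Include directives (looked up by basename) so each vhost is flat."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*Include\s+(\S+)", line, re.I)
        if m:
            name = m.group(1).rsplit("/", 1)[-1]
            out.extend(expand(includes.get(name, ""), includes).splitlines())
        else:
            out.append(line)
    return "\n".join(out)

def audit(main, includes):
    """Return {vhost address: problem} for vhosts whose rules can never run."""
    problems = {}
    vhost_re = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
    for addr, body in vhost_re.findall(main):
        flat = expand(body, includes)
        has_rules = re.search(r"^\s*RewriteRule\s", flat, re.M | re.I)
        engine = re.findall(r"^\s*RewriteEngine\s+(\S+)", flat, re.M | re.I)
        # Simplification: the last RewriteEngine line in the vhost is taken as effective.
        if has_rules and not (engine and engine[-1].lower() == "on"):
            problems[addr.strip()] = "RewriteRule present but RewriteEngine is not On"
    return problems

if __name__ == "__main__":
    for addr, msg in audit(MAIN, INCLUDES).items():
        print(f"{addr}: {msg}")
```

On the sample, only the :443 vhost is reported; adding `RewriteEngine On` to the shared rewrite.conf clears it for both vhosts.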