Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232
  • Last Modified:

SSL protect on some directories with mod_rewrite

I have a apache website that I need some directories protected by ssl. So I got the certificate etc... Now I have two virtual hosts, one that is the unsecure and one that is the secure. There are only a few directories that I need secured by ssl.

for example:
http://www.some.domain.name.com/distance/register/
http://www.some.domain.name.com/registrar/request/

So to get those directories secured I put this mod_rewrite code into the unsecure httpd.conf file.


<Directory /var/www/www/distance >
                        RewriteEngine On
                        RewriteBase /
                        RewriteCond %{REQUEST_FILENAME} -f [OR]
                        RewriteCond %{REQUEST_FILENAME} -d
                        RewriteRule ^register/(.*) https://www.some.domain.com/distance/register/$1 [C]
        </Directory>

        <Directory /var/www/www/registrar >
                        RewriteEngine On
                        RewriteBase /
                        RewriteCond %{REQUEST_FILENAME} -f [OR]
                        RewriteCond %{REQUEST_FILENAME} -d
                        RewriteRule ^request/(.*) https://www.some.domain.com/registrar/request/$1 [C]
     </Directory>


This works great.

The problem is that once people have viewed those pages that are in those secure directories the rest of the pages they view on the site are on the secure site. I would like to have a rewriterule in the secure virtual host to check if they are not in one of those directories and redirect them back to the unsecure site.

I've been banging my head trying to get this and I can't figure it out. (I'm new to regular expressions and mod_rewrite). I keep getting redirected back and forth until the browser tells me "Too many redirects." or some such error.

Here's what I have so far for the secure virtual host, but again, it doesn't seem to work.

RewriteEngine On
RewriteRule !^register(.*) - [C]
RewriteRule ^/(.*) http://www.some.domain.com/$1 [L]
RewriteRule !^registrar/request/(.*) - [C]
RewriteRule ^/(.*) http://www.some.domain.com/$1 [L]


Could someone tell me what I'm doing wrong?

Do I need to put the secure rewrite rules in a <Directory> structure.

Thank you.
0
umfkit
Asked:
umfkit
1 Solution
 
sleep_furiouslyCommented:
In general, if you don't know what mod_rewrite is doing or why it is doing it, detailed logging can help.  (But be sure to enable this only temporarily for debugging; it logs a lot at higher levels.)

  RewriteLog logs/rewrite.log
  RewriteLogLevel 9

In this particular case, I suspect what is happening is that your SSL vhost does not have any Directory sections, so the rules that you have set up there still apply for those directory paths on the SSL vhost.

You might try putting in your SSL virtual host:

   <Directory /var/www/www/distance >
   </Directory>

   <Directory /var/www/www/registrar >
   </Directory>

to override the server-wide settings.  Or even:

   <Directory /var/www/www/distance >
      RewriteEngine Off
   </Directory>

   <Directory /var/www/www/registrar >
      RewriteEngine Off
   </Directory>

In general, RewriteRule set in the main server config are not inherited by virtual hosts (unless RewriteOption inherit is set).  For <Directory> sections, the "inherit" option controls whether or not settings are inherited from a parent directory.  In the case you have given, I am unsure about the interaction between the vhost inheriting the whole <Directory> section and the general rule that RewriteRule is not inherited by virtual hosts from the main config.  In your case, I suspect the virtual host has inherited the <Directory> sections from the main server config.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now