José Méndez
asked on
Apache - http requests redirected to https
Hello Experts.
I am trying to provision a Cisco Phone with an Apache server, which is an Elastix install (www.elastix.org, a FreePBX-Asterisk based CentOS distro). My problem is that I can't seem to handle HTTP requests accordingly. Every time the phone requests a file, the server replies with a 302 and a Location line pointing to https.
I configured a virtual host according to Apache's Documentation, and netstat -atnp shows port 6970 for my IP just fine.
How can I stop Apache from redirecting to secure http and serve the file instead? Also, how can I intensify debugging of these transactions?
Attaching the httpd.conf and a packet capture log of the transaction. 0.7 is the IP of the elastix box, 0.4 is the Cisco phone. Note that the request is embedded in the TCP segments, starting on Frame 5 of the packet capture.
Many thanks in advance. cipcreg-elastix httpd.conf.txt
Nothing in your httpd.conf is redirecting the clients - do you have a .htaccess file in //var/www/html/cisco (or /var/www/html) containing a RewriteRule?
ASKER
I don't see that file in the folders indicated, only this:
[root@elastix ~]# find / -iname "*.htaccess*"
/var/www/html/admin/modules/framework/htdocs/admin/modules/.htaccess
/var/www/html/admin/modules/.htaccess
/var/www/html/mail/logs/.htaccess
/var/www/html/mail/temp/.htaccess
/var/www/html/mail/config/.htaccess
/var/www/html/a2billing/api/.htaccess
/var/www/html/a2billing/lib/.htaccess
/var/www/html/a2customer/lib/.htaccess
[root@elastix ~]# find / -iname "*.htaccess*" | xargs grep -i rewrite
Was grepping for the word rewrite a good choice, or should I look for a different string?
Thanks for the help
No, that find/grep is perfect, and would've exposed it if it existed. That is really strange, I practically would've bet money on it being a htaccess redirector.
Alright, please grep for "header" in any html/php files in the web root - specifically something like header("Location: https://xxxx"); where the xxxx part would be something like $_SERVER["HTTP_HOST"]/$_SERVER["$REQUEST_URI"]
ASKER
grepping.....
meanwhile, do you know if it is possible/helpful to intensify the debugging to understand how this is happening?
I don't know of any way for Apache to get more granular in the logs than just reporting that the redirect occurred.
I gather it's probably in the actual site code if it's not in the server config or in the .htaccess files. Just for grins though, you might peek in /etc/httpd/conf.d and make sure Elastix doesn't put any of its own files to be included in there that might have RewriteRule directives in them.
ASKER
These are the files I can see in that directory:
[root@elastix conf.d]# ls
elastix.conf php.conf README welcome.conf
mailman.conf proxy_ajp.conf ssl.conf
[root@elastix conf.d]#
None contains rewrite directives.... Any ideas ? =(
You mentioned the code of the site, you mean like the PHP code?
Yes, the php code. Did you find any header() directives when grepping?
ASKER
No header() directives anywhere unfortunately.
I got this reply on another forum, I am barely digesting the indications though:
i never spoken about provisioning but just a Cisco phone wanting to connect to an URL for any thing.
For example, when a Cisco 7960 want to download a logo from an Elastix server, this function is impossible because apache switch to https.
So, in this case, you must enable the http or only on some folders to be connected on http and the others on https.
That turn around this into httpd.conf:
Order allow,deny
Allow from all
RewriteEngine off or on
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !(/xmlservices/*)
RewriteCond %{REQUEST_URI} !(/images/bmp/*)
RewriteRule (.*) %{HTTP_HOST}%{REQUEST_URI}
Don't forget to restart httpd.
# service httpd restart
I'm trying to understand it too. The rule says to take non-SSL requests for anything except /xmlservices/ and /images/bmp/ and then just take them to their original destination. That doesn't make sense to me, since I'm looking for where it takes all non-SSL requests to the SSL site so that it can be disabled. Having warring rulesets doesn't sound like my idea of a good time :)
ASKER
I was trying to follow the instructions above, got some interesting results. Instead of a 302 redirecting to HTTPS, I get a 500 internal server error with the following snippet right below the line "Order allow,deny" in httpd.conf:
RewriteEngine on --> I assume it must be turned on
RewriteCond %{HTTP_USER_AGENT} ^CIPC --> this is the User-Agent value that appears in the captures
RewriteRule (.*) %{HTTP_HOST}%{REQUEST_URI} --> this is what the other guy suggested
I am not too sure if the RewriteRule is correct, but for sure, is the snippet the one causing the 500 error, if I remove it then the 302 comes back.
Now, if I set up an Alias just like the one setup for the icons folder in httpd.conf, pointing to my cisco folder, then I can pull any file inside without being redirected. Not sure how that helps though...
xterm, do you know why if I only use the first two lines of the snippet in the general context the file is then served as I want to, and even looked up in the document root for the virtual host I configured instead of the DocumentRoot? As follows:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^CIPC
ASKER CERTIFIED SOLUTION
ASKER
Thanks a lot, I will answer your questions as soon as possible during work, or ultimately when I come back to my home lab, really appreciate the help.
ASKER
When putting the RewriteRule, I am getting 13 of these lines in the dummy-host.example.com-error_log
[Wed Nov 09 23:05:36 2011] [client 192.168.0.4] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
Setting the LogLevel to debug catches this line several times:
[Wed Nov 09 23:08:20 2011] [debug] core.c(3059): [client 192.168.0.4] redirected from r->uri = /var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/SK72f64050-7ad5-4b47-9bfa-5e9ad9cd4aa9.xmll
The /dummy-host.example.com-access_log show this with the RewriteRule in the config file:
192.168.0.4 - - [09/Nov/2011:23:08:19 -0600] "GET /ip-com1.cnf.xml HTTP/1.1" 500 628
192.168.0.4 - - [09/Nov/2011:23:08:20 -0600] "GET /CTLSEPip-com1.tlv HTTP/1.1" 500 628
192.168.0.4 - - [09/Nov/2011:23:08:20 -0600] "GET /SK72f64050-7ad5-4b47-9bfa-5e9ad9cd4aa9.xml HTTP/1.1" 500 628
And something like this without the RewriteRule:
192.168.0.4 - - [09/Nov/2011:23:15:54 -0600] "GET /CTLSEPip-com1.tlv HTTP/1.1" 404 293
192.168.0.4 - - [09/Nov/2011:23:15:54 -0600] "GET /ip-com1.cnf.xml HTTP/1.1" 200 9964
192.168.0.4 - - [09/Nov/2011:23:15:55 -0600] "GET /English_United_States/CIPC_Locale.loads HTTP/1.1" 404 315
192.168.0.4 - - [09/Nov/2011:23:16:00 -0600] "GET /CTLSEPip-com1.tlv HTTP/1.1" 404 293
The files with error 404 are really not there, so it's expected.
The code is not Cisco, only the HTTP client.
Grepping for https under /var returns lots of lines, some of which look suspicious of redirecting my traffic! Could you please tell me how a meta-refresh tag looks like? The output is attached, I can provide more details about any suspicious file elastix-putty.log
ASKER
I think I found where it is redirecting, the file is /etc/httpd/conf.d/elastix.conf
Thank you for your help mate.
Great! Out of curiosity, what was the line doing it in elastix.conf?
ASKER
The file contains a snippet that causes the redirection, I think we would've found it from the very beginning if the grep syntax were more flexible:
User asterisk
Group asterisk
<Directory "/var/www/html">
# Redirect administration interface to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
> I gather it's probably in the actual site code if it's not in the server config or in the .htaccess files. Just for grins though, you might peek in /etc/httpd/conf.d and make sure Elastix doesn't put any of its own files to be included in there that might have RewriteRule directives in them.
I guess I could've told you to use grep -i, but I thought my capitalization above would demonstrate the case-sensitivity. Oh well, we ran in a few circles but ultimately got to the right place - glad it's all fixed for you.
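A search that covers the gap this thread ran into, as an added example that is not part of the original posts: it looks through Apache config includes as well as .htaccess files, matches directive names case-insensitively, and skips commented-out lines. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every place an Apache tree can issue a redirect.

# Active (uncommented) rewrite/redirect directives, printed as
# file:line:text. Apache directive names are case-insensitive, so -i.
# /dev/null forces grep to print the file name even for a single file.
find_redirect_directives() {
    find "$@" -type f \( -name '*.conf' -o -name '.htaccess' \) \
        -exec grep -n -i -E \
        '^[[:space:]]*(Rewrite(Engine|Cond|Rule)|Redirect(Match|Permanent|Temp)?)[[:space:]]' \
        /dev/null {} +
}

# Narrow the list to directives whose target forces https.
find_https_redirects() {
    find_redirect_directives "$@" |
        grep -i -E '(RewriteRule|Redirect[a-z]*)[[:space:]].*https://'
}

# Constructed sample tree: a conf.d include carrying the snippet from the
# thread, a commented-out rule, and a lower-case .htaccess directive.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/conf.d" "$root/html/admin"
    cat > "$root/conf.d/elastix.conf" <<'EOF'
<Directory "/var/www/html">
    # Redirect administration interface to https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
EOF
    printf '%s\n' '# RewriteRule (.*) https://example.invalid/' \
        > "$root/conf.d/welcome.conf"
    printf '%s\n' 'rewriteengine off' > "$root/html/admin/.htaccess"
    echo "$root"
}

sample=$(make_sample_tree)
find_redirect_directives "$sample"
echo '--- directives that force https:'
find_https_redirects "$sample"
rm -rf "$sample"
```

On a box laid out like the one in the thread, the same functions would be pointed at /etc/httpd and /var/www/html instead of the sample tree.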