Link to home
Create AccountLog in
Avatar of José Méndez
José Méndez

asked on

Apache - http requests redirected to https

Hello Experts.

I am trying to provision a Cisco Phone with an Apache server, which is an Elastix install (www.elastix.org, a FreePBX-Asterisk based CentOS distro). My problem is that I can´t seem to handle HTTP requests accordingly. Every time the phone requests a file, the server replies with a 302 and a Location line pointing to https.

I configured a virtual host according to Apache´s Documentation, and netstat -atnp shows port 6970 for my IP just fine.

How can I stop Apache from redirecting to secure http and serve the file instead? Also, how can I intensify debugging of these transactions?

Attaching the httpd.conf and a packet capture log of the transaction. 0.7 is the IP of the elastix box, 0.4 is the Cisco phone. Note that the request is embedded in the TCP segments, starting on Frame 5 of the packet capture.

Many thanks in advance. cipcreg-elastix     httpd.conf.txt
Avatar of xterm
xterm

Nothing in your httpd.conf is redirecting the clients - do you have a .htaccess file in //var/www/html/cisco (or /var/www/html) containing a RewriteRule?
Avatar of José Méndez

ASKER

I don´t see that file in the folders indicated, only this:

[root@elastix ~]# find / -iname "*.htaccess*"
/var/www/html/admin/modules/framework/htdocs/admin/modules/.htaccess
/var/www/html/admin/modules/.htaccess
/var/www/html/mail/logs/.htaccess
/var/www/html/mail/temp/.htaccess
/var/www/html/mail/config/.htaccess
/var/www/html/a2billing/api/.htaccess
/var/www/html/a2billing/lib/.htaccess
/var/www/html/a2customer/lib/.htaccess

[root@elastix ~]# find / -iname "*.htaccess*" | xargs grep -i rewrite

Was grepping for the word rewrite a good choice, or should I look for a different string?

Thanks for the help
No, that find/grep is perfect, and would've exposed it if it existed.  That is really strange, I practically would've bet money on it being a htaccess redirector.

Alright, please grep for "header" in any html/php files in the web root - specifically something like header("Location: https://xxxx"); where the xxxx part would be something like $_SERVER["HTTP_HOST"]/$_SERVER["$REQUEST_URI"]
grepping.....

meanwhile, do you know if it is possible/helpful to intensify the debugging to understand how this is happening?
I don't know of any way for Apache to get more granular in the logs than just reporting that the redirect occurred.

I gather it's probably in the actual site code if it's not in the server config or in the .htaccess files.  Just for grins though, you might peek in /etc/httpd/conf.d and make sure Elastix doesn't put any of its own files to be included in there that might have RewriteRule directives in them.
These are the files I can see in that directory:
[root@elastix conf.d]# ls
elastix.conf  php.conf        README    welcome.conf
mailman.conf  proxy_ajp.conf  ssl.conf
[root@elastix conf.d]#

None contains rewrite directives.... Any ideas ?  =(

You mentioned the code of the site, you mean like the PHP code?
Yes, the php code.  Did you find any header() directives when grepping?
No header() directives anywhere unfortunately.

I got this reply on another forum, I am barely digesting the indications though:

i never spoken about provisioning but just a Cisco phone wanting to connect to an URL for any thing.
For example, when a Cisco 7960 want to download a logo from an Elastix server, this function is impossible because apache switch to https.
So, in this case, you must enable the http or only on some folders to be connected on http and the others on https.

That turn around this into httpd.conf:
Order allow,deny
Allow from all
RewriteEngine off or on
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !(/xmlservices/*)
RewriteCond %{REQUEST_URI} !(/images/bmp/*)
RewriteRule (.*) %{HTTP_HOST}%{REQUEST_URI}

Don't forget to restart httpd.

# service httpd restart
I'm trying to understand it too.  The rule says to take non-SSL requests for anything except /xmlservices/ and /images/bmp/ and then just take them to their original destination.  That doesn't make sense to me, since I'm looking for where it takes all non-SSL requests to the SSL site so that it can be disabled.  Having warring rulesets doesn't sounds like my idea of a good time :)
I was trying to follow the instructions above, got some interesting results. Instead of a 302 redirecting to HTTPS, I get a 500 internal server error whit the following snippet right below the line "Order allow,deny" in httpd.conf:

        RewriteEngine on  --> I assume it must be turned on
        RewriteCond %{HTTP_USER_AGENT}  ^CIPC  --> this is the User-Agent value that appears in the captures
       RewriteRule (.*) %{HTTP_HOST}%{REQUEST_URI} --> this is what the other guy suggested

I am not to sure if the RewriteRule is correct, but for sure, is the snippet the one causing the 500 error, if I remove it then the 302 comes back.

Now, if I set up an Alias just like the one setup for the icons folder in httpd.conf, pointing to my cisco folder, then I can pull any file inside without being redirected. Not sure how that helps though...

xterm, do you know why if I only use the first two lines of the snippet in the general context the file is then served as I want to, and even looked up in the document root for the virtual host I configured instead of the DocumentRoot? As follows:

        RewriteEngine on  
        RewriteCond %{HTTP_USER_AGENT}  ^CIPC
ASKER CERTIFIED SOLUTION
Avatar of xterm
xterm

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Thanks a lot, I will answer your questions as soon as possible during work, or ultimately when I come back to my home lab, really appreciate the help.
When putting the RewriteRule, I am getting 13 of these lines in the dummy-host.example.com-error_log

[Wed Nov 09 23:05:36 2011] [client 192.168.0.4] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

Setting the LogLevel to debug catches this line several times:

[Wed Nov 09 23:08:20 2011] [debug] core.c(3059): [client 192.168.0.4] redirected from r->uri = /var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/var/www/html/192.168.0.7:6970/SK72f64050-7ad5-4b47-9bfa-5e9ad9cd4aa9.xmll

The /dummy-host.example.com-access_log show this with the RewriteRule in the config file:

192.168.0.4 - - [09/Nov/2011:23:08:19 -0600] "GET /ip-com1.cnf.xml HTTP/1.1" 500 628
192.168.0.4 - - [09/Nov/2011:23:08:20 -0600] "GET /CTLSEPip-com1.tlv HTTP/1.1" 500 628
192.168.0.4 - - [09/Nov/2011:23:08:20 -0600] "GET /SK72f64050-7ad5-4b47-9bfa-5e9ad9cd4aa9.xml HTTP/1.1" 500 628

And something like this without the RewriteRule:

192.168.0.4 - - [09/Nov/2011:23:15:54 -0600] "GET /CTLSEPip-com1.tlv HTTP/1.1" 404 293
192.168.0.4 - - [09/Nov/2011:23:15:54 -0600] "GET /ip-com1.cnf.xml HTTP/1.1" 200 9964
192.168.0.4 - - [09/Nov/2011:23:15:55 -0600] "GET /English_United_States/CIPC_Locale.loads HTTP/1.1" 404 315
192.168.0.4 - - [09/Nov/2011:23:16:00 -0600] "GET /CTLSEPip-com1.tlv HTTP/1.1" 404 293

The files with error 404 are really not there, so its expected.

The code is not Cisco, only the HTTP client.

Grepping for https under /var returns lots of lines, some of which look suspicious of redirecting my traffic! Could you please tell me how a meta-refresh tag looks like? The output is attached, I can provide more details about any suspicious file elastix-putty.log
I think I found where it is redirecting, the file is /etc/httpd/conf.d/elastix.conf

Thank you for your help mate.
Great!  Out of curiosity, what was the line doing it in elastix.conf?
The file contains a snippet that causes  the redirection, I think we would´ve found it from the very beginning if the grep syntax were more flexible:

User asterisk
Group asterisk

<Directory "/var/www/html">
    # Redirect administration interface to https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>
> I gather it's probably in the actual site code if it's not in the server config or in the .htaccess files.  Just for grins though, you might peek in /etc/httpd/conf.d and make sure Elastix doesn't put any of its own files to be included in there that might have RewriteRule directives in them.

I guess I could've told you to use grep -i, but I thought my capitalization above would demonstrate the case-sensitivity.  Oh well, we ran in a few circles but ultimately got to the right place - glad it's all fixed for you.