Apache vhost config invalid when using redirect: proxy and to-https
short description
Using both "Redirect Type: proxy" and "Rewrite HTTP to HTTPS" with Apache results in an invalid configuration: Apache returns status 500. The site is configured on a server with Apache, with SSL via Let's Encrypt enabled.
correct behaviour
The request should first be rewritten to HTTPS and only then be proxied.
# Generated (faulting) config snippet (Apache non-ssl part of the config):
# Rule order as generated: ACME exemption, then the per-host proxy rules, then the
# HTTP-to-HTTPS redirect last.
RewriteEngine on
# Requests under /.well-known/acme-challenge/ are left unchanged ("-") and [END]
# stops all further rewrite processing for them.
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
# Host example.com (case-insensitive): hand the request to the backend at
# http://1.2.3.4/ with the original path appended. This rule sits ahead of the
# HTTPS redirect, so a matching plain-HTTP request is proxied before the redirect
# below is ever evaluated.
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [proxy]
# Same proxy rule for the www. host name.
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [proxy]
# HTTP-to-HTTPS redirect (301), placed last. The target host is copied from the
# request's Host header. The issue reports that this ordering makes Apache answer
# with status 500.
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
# Updated (working) config snippet (Apache non-ssl part of the config):
# Rule order after the fix: ACME exemption, then the HTTP-to-HTTPS redirect, then
# the per-host proxy rules.
RewriteEngine on
# Requests under /.well-known/acme-challenge/ are left unchanged ("-") and [END]
# stops all further rewrite processing for them.
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
# HTTP-to-HTTPS redirect (301) now comes directly after the ACME exemption, so a
# plain-HTTP request is redirected before any proxy rule is considered. The target
# host is copied from the request's Host header.
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
# Proxy rules for example.com and www.example.com (case-insensitive), forwarding to
# http://1.2.3.4/ with the original path appended.
# NOTE(review): in this non-SSL part %{HTTPS} is presumably always "off", in which
# case the redirect above catches every request and these rules are not reached
# over plain HTTP - confirm.
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [proxy]
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [proxy]
environment
Server OS: debian Server OS version: buster ISPConfig version: 3.2.2/nightly
proposed fix
Move the HTTP-to-HTTPS rewrite up just after the acme challenge exemption:
Patch:
--- ispconfig/server/conf/vhost.conf.master 2021-03-04 01:17:38.371357346 +0000
+++ ispconfig/server/conf/vhost.conf.master.fix_tossl_and_proxy 2021-03-04 01:16:47.113325799 +0000
@@ -493,6 +493,15 @@
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
</tmpl_if>
+<tmpl_if name='ssl_enabled'>
+<tmpl_else>
+<tmpl_if name='rewrite_to_https' op='==' value='y'>
+ RewriteCond %{HTTPS} off
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
+</tmpl_if>
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
+</tmpl_if>
+</tmpl_if>
<tmpl_if name='seo_redirect_enabled'>
RewriteCond %{HTTP_HOST} <tmpl_var name='seo_redirect_operator'>^<tmpl_var name='seo_redirect_origin_domain'>$ [NC]
<tmpl_if name='apache_version' op='<' value='2.4' format='version'>
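Review bot: The relocated `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]` builds the redirect target from the client-supplied Host header, and after this move it runs ahead of every host-conditioned rule (the `seo_redirect_enabled` block below it and the rewrite loop visible in the second hunk), so nothing in the hunk constrains which host ends up in the Location header. If this vhost can act as the default for its address, a request carrying an arbitrary Host would presumably be answered with a 301 to that host; consider building the target from the configured domain rather than the request header, or putting a host condition in front of the rule. The new order is also what keeps plain-HTTP requests from reaching the proxy rules, and that dependency deserves a comment above the block, e.g. `# Keep the HTTPS redirect ahead of the redirect/proxy rules so plain-HTTP requests are never proxied.` The enclosing rewrite section starts and ends outside the hunk.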
@@ -521,15 +530,6 @@
RewriteRule ^/(.*)$ <tmpl_var name='rewrite_target'><tmpl_if name="rewrite_add_path" op="==" value="y">$1</tmpl_if> <tmpl_var name='rewrite_type'>
</tmpl_loop>
-<tmpl_if name='ssl_enabled'>
-<tmpl_else>
-<tmpl_if name='rewrite_to_https' op='==' value='y'>
- RewriteCond %{HTTPS} off
- <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
-</tmpl_if>
- RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
-</tmpl_if>
-</tmpl_if>
</tmpl_if>
# add support for apache mpm_itk