debops / ansible-apache

Manage and configure the Apache HTTP Server
GNU General Public License v3.0

Do not https_redirect 000-default vhost #11

Closed muelli closed 7 years ago

muelli commented 7 years ago

The problem is that the currently generated default Redirect line takes the "name" as redirection target. The name, in this default case, is "000-default", so Apache would redirect to https://000-default/ which is nonsensical.

By setting redirect_to_https to False the redirection won't be established.

ypid commented 7 years ago

Thanks for the PR! #8 addresses this issue already by adding an apache__default_vhost_name. The times of no redirect to https or http as default are over :smile: Does this work for you?

muelli commented 7 years ago

True. The proposed changes in #8 make it indeed not redirect to "000-default". Feel free to close this issue. It may be more appropriate for the default host to redirect to the host the client requested, because obviously the request came for a host that Apache doesn't know about. In that case, the following group snippet works better, I think:

            # From http://serverfault.com/a/739128/193114
            <ifmodule mod_rewrite.c>
                RewriteEngine On
                RewriteOptions InheritDown
                RewriteCond %{HTTPS} off
                RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
                RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
            </ifmodule>

As an added bonus, if put in global scope rather than for the default vhost, this snippet also works for all vhosts and the vhosts can probably selectively disable it with RewriteOptions IgnoreInherit.

ypid commented 7 years ago

I can see that there are use cases for the rewrite snippet you posted. My use case is a bit different:

    apache__default_vhost:
      name: '{{ apache__default_vhost_name }}'
      filename: '000-default'
      redirect_http: 'https://main-service-running-on-server.example.org/'
      redirect_https: 'https://main-service-running-on-server.example.org/'
      redirect_http_code: '301'
      redirect_https_code: '301'
      hsts_enabled: False

But I am open to PRs which implement your snippet in vhost context as an option. ACME support ref: #1. Closing this issue as discussed.

muelli commented 7 years ago

I feel like your use case is a more narrow form of the general snippet I posted and is not inherently incompatible. Theoretically, it should be possible to check whether a vhost defined redirect_https and then use that value in a Rewrite clause. If no redirect_https is defined, the globally configured Rewrite rule applies and the client gets a redirect.

The benefit would be that it's globally configured, thus vhosts have to opt out. Also, it allows for easier integration with, say, the global ACME rule.
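
The redirect policy outlined in the last comment (a vhost-level `redirect_https` wins, otherwise the global host-reflecting rule applies, with the ACME exemption checked first), modelled in Python as an added example; it is not code from this thread or from the debops role. The function names, the sample vhost inventory, and the reading of `redirect_https` as the target for plain-HTTP requests are assumptions made for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Same pattern as the second RewriteCond in the snippet posted in the thread.
ACME_CHALLENGE = re.compile(r"^/\.well\-known/acme\-challenge/")

Redirect = Optional[Tuple[int, str]]  # (status code, Location header) or None

# Constructed sample inventory (assumption, not a real deployment).
VHOSTS: Dict[str, Dict[str, str]] = {
    "000-default": {
        "redirect_https": "https://main-service-running-on-server.example.org/",
        "redirect_https_code": "301",
    },
    "wiki.example.org": {},  # no override: the global rule applies
}


def global_rule(https: bool, host: str, uri: str) -> Redirect:
    """Model of the posted mod_rewrite snippet: redirect only plain-HTTP
    requests that are not ACME challenges. `host` is whatever the client
    sent in the Host header; the rule copies it into Location unchanged."""
    if https or ACME_CHALLENGE.search(uri):
        return None
    return 301, f"https://{host}{uri}"


def resolve(https: bool, host: str, uri: str,
            vhosts: Dict[str, Dict[str, str]] = VHOSTS,
            default_vhost: str = "000-default") -> Redirect:
    """Combined policy: the ACME exemption is global, a vhost-defined
    target takes precedence, and everything else gets the global rule."""
    if https or ACME_CHALLENGE.search(uri):
        return None  # served as-is, so HTTP-01 validation keeps working
    # A Host header matching no vhost is handled by the default vhost.
    conf = vhosts.get(host.lower(), vhosts[default_vhost])
    target = conf.get("redirect_https")
    if target:
        return int(conf.get("redirect_https_code", "301")), target
    return global_rule(https, host, uri)


if __name__ == "__main__":
    for req in [(False, "wiki.example.org", "/page"),
                (False, "unknown.example.net", "/"),
                (False, "unknown.example.net", "/.well-known/acme-challenge/tok"),
                (True, "wiki.example.org", "/page")]:
        print(req, "->", resolve(*req))
```

With only the global rule, a request for an unconfigured host name is redirected to that same client-supplied name over HTTPS; with the default-vhost override it is sent to the fixed target instead.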