Cerbot's Apache mod_rewrite for HTTP traffic to HTTPS


#1

When I run sudo certbot --apache -d www.domainname.com, certbot helpfully asks me if I want to redirect all HTTP traffic to HTTPS, and if I say yes, it writes this into the port 80 Apache config:

RewriteCond %{SERVER_NAME} =www.domainname.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

I’m not an expert on mod_rewrite, but wouldn’t it be better to have a wildcard redirect for simply anything at all that isn’t on port 443, regardless of the server name, like this?

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [END,NE,NC,R=permanent]

OT possibly: Apache context for redirect/rewrite
#2

Hi @gilgongo,

Many servers host a range of different sites, and it’s possible that HTTPS has only been set up for some of them, not others. In that case the administrator may strongly prefer that the redirection only applies to a specific site so that other sites continue to work via HTTP.


#3

Out of curiosity: is there a difference between the Apache general redirect, and the nginx general redirect which was disabled because of the incident mentioned here? Security issue with redirects added by Certbot's Nginx plugin


#4

Well yes, but certbot puts the rule inside the VirtualHost stanza (that is, per host name), so I’m not sure how your observation is relevant here.


#5

Interesting - the nginx redirect appears to be a wildcard, although the host header security issue is one I didn’t know about. Again, I’m no expert but I think the answer to your question is “no” here.


#6

That’s a good point, and I’ll ask my colleagues if anyone remembers why it was done this way.


#7

It seems like the answer is that you could have a virtualhost that applies to many different domain names, and you could use Certbot with -d options to request a certificate for only a portion of them. In that case, if the redirect applied to the entire virtualhost, some of those domain names would be broken.

I would agree that this scenario is rare, but it’s theoretically possible.


#8

Thanks @schoen ,

I agree that’s a scenario, but as you say it’s rare (and I find it hard to understand why you’d want to set up a VirtualHost in that way in practice). So I’m not sure it should be the default when the more common case is, when having two or more Apache server aliases, you want to serve them all with HTTPS. So I think a wildcard rewrite rule would be better suited to the majority of LE users.

Also, I think I’m right in saying that that default rule that cerbot gives for nginx is in fact a wildcard in any case. So certbot is also being inconsistent on this point.


#9

Well, this is also a consequence of design decisions that were made in Certbot more than three years ago (as @joohoi pointed out to me, the internal “security enhancement” API in Certbot, which is used to perform this kind of configuration change, is currently structured per-domain rather than per-virtualhost). So it’s not necessarily the most general or optimal choice for every use case today.


#10

Yes. As it is right now, if I have a VirtualHost configured with two or more host names, and I create or modify an LE certificate that includes all those names, I need to modify the rewrite rule so that it explicitly names each of them in the rule so the redirect will work properly.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.