Too Many Redirects / Enforcing HTTPS / ReadyNAS OS6


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gjschaller.homeftp.net

I ran this command: certbot-auto

It produced this output:

My web server is (include version): Apache2 (included on ReadyNAS OS 6.9.4)

The operating system my web server runs on is (include version): Debian Linus (ReadyNAS OS 6)

My hosting provider, if applicable, is: (N/A)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No, cannot reach

+++

I am running a ReadyNAS at home, which runs ReadyNAS OS 6.9.4 - basically, Debian with some modifications for the ReadyNAS hardware. A while back, I installed Let’s Encrypt without issue - at the time, I did not choose to enforce HTTPS using the Apache config.

A firmware update came out for the ReadyNAS, and I updated. This overwrote the changes, and the certificate was no longer being used. I re-ran certbot-auto, it found the old cert, and re-enabled it. So far, so good.

This time, I chose to enable the enforcement of HTTPS at the final step. When I did this, the Admin site (control panel web UI) for the ReadyNAS device broke - it’s now giving a “Too Many Redirects” error. Other sites on the device (sub-sites, such as Nextcloud) are fine, so it’s only this one site.

In theory, if I can undo the change that LE made to enforce HTTPS, the issue would be corrected, but I can’t find where this change is made. I’ve been all over my various .conf files for the sites, but no luck so far. Can someone advise where this change is made, and how best to comment it out or disable it?

Thank you!


#2

Hi @GJSchaller

there are three redirects:

D:\temp>download http://gjschaller.homeftp.net/ -h
Access-Control-Allow-Headers: csrfpId
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 307
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 20 Sep 2018 15:20:02 GMT
Location: http://gjschaller.homeftp.net/admin
Server: Apache/2.2.34 (Debian)

Status: 302 Redirect

369,32 milliseconds
0,37 seconds

D:\temp>download http://gjschaller.homeftp.net/admin -h
Access-Control-Allow-Headers: csrfpId
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 308
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 20 Sep 2018 15:20:25 GMT
Location: https://gjschaller.homeftp.net/admin
Server: Apache/2.2.34 (Debian)

Status: 302 Redirect

318,19 milliseconds
0,32 seconds

D:\temp>download https://gjschaller.homeftp.net/admin -h
SSL-Zertifikat is valide
Access-Control-Allow-Headers: csrfpId
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 309
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 20 Sep 2018 15:20:32 GMT
Location: https://gjschaller.homeftp.net/admin
Server: Apache/2.2.34 (Debian)

Status: 302 Redirect

650,00 milliseconds
0,65 seconds

First http://gjschaller.homeftp.net/ -> http://gjschaller.homeftp.net/admin
Second http://gjschaller.homeftp.net/admin -> https://gjschaller.homeftp.net/admin
Third (and wrong) https://gjschaller.homeftp.net/admin -> https://gjschaller.homeftp.net/admin

Has this ReadyNAS it’s own .htaccess or can you share your Apache configuration?


#3

Included below is the apache2.conf file. I suspect the issue is in an included file, the trick is finding which one…

    # This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives and /usr/share/doc/apache2-common/README.Debian.gz about
# Debian specific hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#	/etc/apache2/
#	|-- apache2.conf
#	|	`--  ports.conf
#	|-- mods-enabled
#	|	|-- *.load
#	|	`-- *.conf
#	|-- conf.d
#	|	`-- *
# 	`-- sites-enabled
#	 	`-- *
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
#   together by including all remaining configuration files when starting up the
#   web server.
#
#   In order to avoid conflicts with backup files, the Include directive is
#   adapted to ignore files that:
#   - do not begin with a letter or number
#   - contain a character that is neither letter nor number nor _-:.
#   - contain .dpkg
#
#   Yet we strongly suggest that all configuration files either end with a
#   .conf or .load suffix in the file name. The next Debian release will
#   ignore files not ending with .conf (or .load for mods-enabled).
#
# * ports.conf is always included from the main configuration file. It is
#   supposed to determine listening ports for incoming connections, and which
#   of these ports are used for name based virtual hosts.
#
# * Configuration files in the mods-enabled/ and sites-enabled/ directories
#   contain particular configuration snippets which manage modules or virtual
#   host configurations, respectively.
#
#   They are activated by symlinking available configuration files from their
#   respective *-available/ counterparts. These should be managed by using our
#   helpers a2enmod/a2dismod, a2ensite/a2dissite. See
#   their respective man pages for detailed information.
#
# * Configuration files in the conf.d directory are either provided by other
#   packages or may be added by the local administrator. Local additions
#   should start with local- or end with .local.conf to avoid name clashes. All
#   files in conf.d are considered (excluding the exceptions noted above) by
#   the Apache 2 web server.
#
# * The binary is called apache2. Due to the use of environment variables, in
#   the default configuration, apache2 needs to be started/stopped with
#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
#   work with the default configuration.


# Global configuration
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
LockFile ${APACHE_LOCK_DIR}/accept.lock

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5

##
## Server-Pool Size Regulation (MPM specific)
## 

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
#              graceful restart. ThreadLimit can only be changed by stopping
#              and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75 
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# event MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_event_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75 
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
# It is also possible to omit any default MIME type and let the
# client's browser guess an appropriate action instead. Typically the
# browser will decide based on the file's extension then. In cases
# where no good assumption can be made, letting the default MIME type
# unset is suggested  instead of forcing the browser to accept
# incorrect  metadata.
#
DefaultType None


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf

# Include list of ports to listen on and which to use for name based vhosts
Include ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see the comments above for details.

# Include generic snippets of statements
Include conf.d/

# Include the virtual host configurations:
Include sites-enabled/

#4

Only one site has the problem, so I would start there - and the .htaccess of the root and /admin/.htaccess, if exists.


#5

I can’t find an .htaccess file in the root, or in the dir for the Admin page, so that’s a thing.

I’ve attached two additional Config files, hopefully one of them will be a clue as to where to look next.

<IfModule mod_ssl.c>
<VirtualHost *:443>
Include "/etc/frontview/apache/defaults.conf"
Include "/etc/frontview/apache/http-share-redirect.conf"
Include "/etc/frontview/apache/http-redirect.conf"
Include "/etc/frontview/apache/Shares.conf"
Include "/etc/frontview/apache/apps-https.conf"
Include "/etc/frontview/apache/READYDROP.conf"
Include "/etc/frontview/apache/lan-try.conf"
ServerName gjschaller.homeftp.net
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/gjschaller.homeftp.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gjschaller.homeftp.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/gjschaller.homeftp.net/chain.pem
</VirtualHost>
</IfModule>

Next file:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          (Redacted)
SSLHonorCipherOrder     on
SSLCompression          off

# SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
# Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

#6

Some additional information:

This is only happening for the URL https://gjschaller.homeftp.net/admin/
(The same url without Admin redirects to Admin, and then fails after the redirect)
I never get prompted to log in / authenticate, which may be a clue.

There is no .htaccess in /frontview/dashboard/ or in /var/www

Three additional files:

File: fv-admin.conf

ServerAdmin admin@localhost

DocumentRoot /frontview/dashboard
<Directory />
Options FollowSymLinks -MultiViews
AllowOverride None
</Directory>
Alias		/admin			/frontview/dashboard/
<Location /admin>
Options Indexes FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
Order allow,deny
Allow from all
Include "/etc/frontview/apache/Admin_Auth.conf"
</Location>

(Middle aliases cut)

# deflate -- add DEFLATE filter to response MIME type as below
AddOutputFilterByType DEFLATE text/plain text/css text/javascript text/xml text/cache-manifest application/javascript application/json
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|mp3|m4a|m4v|mp4|zip|t?gz)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css A86400
ExpiresByType text/javascript A86400
ExpiresByType application/javascript A86400
</IfModule>

File: Admin_Auth.conf

Include /etc/frontview/apache/Auth.conf
AuthName "ReadyNAS Admin"
require group admin

File: Auth.conf

<IfModule !mod_authn_privsep.c>
LoadModule privsep_module /usr/lib/apache2/modules/mod_privsep.so
LoadModule authn_privsep_module /usr/lib/apache2/modules/mod_authn_privsep.so
</IfModule>

AuthType Basic
AuthBasicProvider privsep
PrivilegeSeparation On
AuthzUnixgroup on
AuthzUnixgroupAuthoritative off

#7

There are no redirect / rewrite rules.

Perhaps one of these files

has these rules. Search, if you can find

rewrite RewriteCond RewriteRule

in one of these files.


#8

File: http-redirect.conf

RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]
RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
RewriteRule ^(cgi-bin) - [L]

File: http-share-redirect.conf

RewriteEngine on
RewriteRule ^/$ /admin [R,L]

In the first file:
Commenting out the 1st line results in a 404.
Commenting out the 2nd or 3rd line results in no change (still too many redirects)

In the second file:
Commenting out the 1st line results in a 404.
Commenting out the 2nd line results in no change (still too many redirects)

Thank you for your help so far! This appears to be a real humdinger…


#9

Checked again, there are three loop redirects:

https://gjschaller.homeftp.net/admin -> https://gjschaller.homeftp.net/admin

https://gjschaller.homeftp.net/admin/ -> https://gjschaller.homeftp.net/admin/

https://gjschaller.homeftp.net/admin/123 -> https://gjschaller.homeftp.net/admin/123

The last is terrible, because I am shure there is no file 123 :wink:

Looks like this

is a http and a https - redirect. I would add

RewriteCond %{SERVER_PORT} 80

in your http-redirect.conf, so

RewriteCond %{SERVER_PORT} 80
RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R=301,L]
RewriteRule ^/admin$ https://%{SERVER_NAME}/admin [R=301,L]
RewriteRule ^(cgi-bin) - [L]

Add the 301-switch, so we can see, if this is the rule which is used.


#10

I made the changes, as noted.

https://gjschaller.homeftp.net/admin results in too many redirects

https://gjschaller.homeftp.net/admin/ results in a 404


#11

This 404

is irrelevant, because https://gjschaller.homeftp.net/ redirects to https://gjschaller.homeftp.net/admin

https://gjschaller.homeftp.net/admin sends now a 301 redirect, so this is the correct rule.

Use the ReWriteCond twice:

RewriteCond %{SERVER_PORT} 80
RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R=301,L]

RewriteCond %{SERVER_PORT} 80
RewriteRule ^/admin$ https://%{SERVER_NAME}/admin [R=301,L]
RewriteRule ^(cgi-bin) - [L]

#12

Getting closer…

Both give a 404 now.


#13

This is excellent - no redirect loop. So this problem is fixed.

But: I thought there is an admin panel / login or something else. Where is this login?


#14

That url should be https://gjschaller.homeftp.net/admin (or /admin/)

The other sites on the NAS are working (Nextcloud is one), so I know Apache overall is fine. At this point, it’s just a matter of getting the Admin panel up.

The local path to the control panel, on the NAS’ drive, is /frontview/dashboard/

I believe there is an include somewhere that should cover this, I’ll see if I can find it.


#15

File: fv-admin.conf

ServerAdmin admin@localhost

DocumentRoot /frontview/dashboard
<Directory />
Options FollowSymLinks -MultiViews
AllowOverride None
</Directory>
Alias		/admin			/frontview/dashboard/
<Location /admin>
Options Indexes FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
Order allow,deny
Allow from all
Include "/etc/frontview/apache/Admin_Auth.conf"
</Location>

#16

Calling your ip works:

https://73.112.89.197/admin

wants a login and has a self signed certificate.

So you have a standard vHost and your domain vHost - both with different DocumentRoot - values.

So change your DocumentRoot of your domain vHost.

DocumentRoot /frontview/dashboard


#17

There’s something here that’s confusing me, though… under /var/www there’s a simple index.html file:

<meta http-equiv="refresh" content="0; url=/admin/">

Both the IP and the gjschaller.homeftp.net URLs that end with a / and no admin properly forward me to the /admin url, so that seems to be correct.

I’ll dig a bit and see if I can find the vhosts, and correct the issue.


#18

This is not relevant. Because the Header redirect

download http://gjschaller.homeftp.net/ -h
Access-Control-Allow-Headers: csrfpId
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 307
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 24 Sep 2018 10:29:05 GMT
Location: http://gjschaller.homeftp.net/admin
Server: Apache/2.2.34 (Debian)

Status: 302 Redirect

comes first. Such a meta element is only used if the page is loaded complete. Then the http status is 200, not 302.

I’ve created a simple test page (it’s my own domain):

https://beispiel.server-daten.de/test.html

with the same element. Browser -> redirect to /, “download.exe” - http status 200.


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.