

  

SSL/TLS - Free, secure and friendly, or is it?

Ever wanted to force SSL for a particular directory like webmail or your PHP/Java-based IRC chat applet? Have no fear young Jedi, Strykar will show you how to do this in under a minute.

***Applause fades slowly***

I'm assuming you're running UNIX and Apache with some form of OpenSSL. We will use Apache 1.3.37's mod_rewrite (URL rewriting) engine, or as lowly Postfix users like to call it, voodoo. If you're running Apache 2, look at the SSLRequireSSL directive instead.

You're thinking .htaccess? Yeah, well, since this is voodoo, and we're not Haitian by birth, .htaccess doesn't always do the job, so we will edit httpd.conf and tell Apache what and where to rewrite/redirect.

We assume the directory you're protecting (or keeping the DEA from sniffing your HTTP transactions to) is called meth_deals and is located in /var/www/htdocs/meth_deals, where /var/www/htdocs is your DocumentRoot.

Do a locate httpd.conf or find / -name httpd.conf to find your Apache configuration. Add this to the end:

    # Force https for the meth_deals directory
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/meth_deals(.*) https://%{SERVER_NAME}/meth_deals$1 [R,L]

Insist on using .htaccess for reasons I don't want to hear about? Don't know your DocumentRoot? Look in httpd.conf or do:

    find / -name httpd.conf -print | xargs grep 'DocumentRoot "' | awk -F'"' '{print $2}'

(Thanks to fwaggle for improving the find regexp above.)

Ensure .htaccess is enabled in your Apache configuration. Go to your DocumentRoot directory, create a file called .htaccess and add:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^meth_deals(.*) https://%{SERVER_NAME}/meth_deals$1 [R,L]

Notice the lack of a leading slash? No? In .htaccess, mod_rewrite strips the directory prefix from the path before matching, so the pattern never sees a leading slash. A common mistake is to keep the leading slash, which is correct only when the rule goes in Apache's configuration file, not in .htaccess:

    RewriteRule ^/meth_deals(.*) https://%{SERVER_NAME}/meth_deals$1 [R,L]

Test the URL by going to http://yourservername.com/meth_deals. You should be redirected to https://yourservername.com/meth_deals. If not, check /var/log/apache/error_log or wherever your Apache error logs are located.
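The leading-slash pitfall above, as an added example that is not part of the original page: a simplified Python model of how the same RewriteRule pattern is matched in httpd.conf versus a .htaccess file in the DocumentRoot. The function names, the "/" prefix constant and the sample request path are assumptions made for this sketch; it models only the prefix stripping and the HTTPS condition, not the rest of mod_rewrite.

```python
import re

# Simplified model (an assumption of this example): .htaccess lives in the
# DocumentRoot, so the per-directory prefix mod_rewrite strips is just "/".
PER_DIR_PREFIX = "/"
SUBSTITUTION = "https://{server}/meth_deals$1"


def redirect_for(path, pattern, context, https=False,
                 server="yourservername.com"):
    """Return the redirect target for `path`, or None if the rule does not fire."""
    if https:
        # RewriteCond %{HTTPS} !=on is false, so the RewriteRule is skipped.
        return None
    if context == "server":
        subject = path                        # httpd.conf: full URL path
    elif context == "htaccess":
        subject = path[len(PER_DIR_PREFIX):]  # prefix stripped before matching
    else:
        raise ValueError("context must be 'server' or 'htaccess'")
    match = re.search(pattern, subject)
    if match is None:
        return None
    target = SUBSTITUTION.format(server=server)
    return target.replace("$1", match.group(1))


def demo():
    """Try both rule spellings in both contexts for one constructed request."""
    rows = []
    for context in ("server", "htaccess"):
        for pattern in (r"^/meth_deals(.*)", r"^meth_deals(.*)"):
            rows.append((context, pattern,
                         redirect_for("/meth_deals/inbox", pattern, context)))
    return rows


if __name__ == "__main__":
    for context, pattern, result in demo():
        print(f"{context:9} {pattern:20} -> {result or 'no redirect'}")
```

A rule that silently fails to match leaves the directory reachable over plain HTTP with no error logged, which is why the redirect test above is worth running after every change.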

Last updated on Fri Dec 20 16:10:00 2007.
Send comments to webmaster at this domain
