Encryption required does not redirect correctly [#2117875]

When I set Encryption to Required, attempting to go to http://site:5080 should result in a redirect to https://site:5443

Instead it sends you to https://site:5080 which fails with error "SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)"

Directly going to https://site:5443 works just fine. I can't figure out why the redirect is not including the ssl port. Maybe because of the non-standard ports?

Comments

Comment #1

joshrabinowitz commented 2 December 2013 at 18:28

Any update on this issue?

Comment #2

anarcat commented 31 December 2013 at 17:01

How on earth is Aegir supposed to figure out how to translate from one non-standard port to another non-standard port?

Comment #3

ergonlogic

he/him

English

Montréal, Québec 🇨🇦

commented 7 January 2014 at 14:13

In Provision_Service_http_public::config_data(), we have:

  // DO not create it with the port here. Protocol only is enough.
  $data['redirect_url'] = "http://{$this->context->uri}";

And in Provision_Service_http_ssl::config_data(), we have:

  function config_data($config = NULL, $class = NULL) {
    $data = parent::config_data($config, $class);
    $data['http_ssl_port'] = $this->server->http_ssl_port;

    if ($config == 'site' && $this->context->ssl_enabled) {
      if ($this->context->ssl_enabled == 2) {
        $data['ssl_redirection'] = TRUE;
        $data['redirect_url'] = "https://{$this->context->uri}";
      }

Should we perhaps be adding the port to the $data['redirect_url'] in the latter case?

Or perhaps this should be handled a little differently in the vhost templates. In http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php, we specify the SSL port:

  <VirtualHost <?php print "{$ip_address}:{$http_ssl_port}";

>
?>

But we don't handle redirects there. That's done in http/Provision/Config/Apache/vhost.tpl.php, which is included at the bottom of the ssl vhost template:

if ($this->redirection || $ssl_redirection) {

  if ($ssl_redirection && !$this->redirection) {
    // redirect aliases in non-ssl to the same alias on ssl.
    print " RewriteRule ^/*(.*)$ https://%{HTTP_HOST}/$1 [NE,L,R=301]\n";
  }
  elseif ($ssl_redirection && $this->redirection) {
    // redirect all aliases + main uri to the main https uri.
    print " RewriteRule ^/*(.*)$ https://{$this->uri}/$1 [NE,L,R=301]\n";
  }
  elseif (!$ssl_redirection && $this->redirection) {
    // Redirect all aliases to the main http url.
    print " RewriteCond %{HTTP_HOST} !^{$this->uri}$ [NC]\n";
    print " RewriteRule ^/*(.*)$ http://{$this->uri}/$1 [NE,L,R=301]\n";
  }
}

Presumably we should be adding the https port here somewhere?

Comment #4

ergonlogic

he/him

English

Montréal, Québec 🇨🇦

commented 7 January 2014 at 14:14

Issue summary:	View changes
Status:	Active	» Needs review

No patch yet, but a proposed solution. So I'm setting to 'needs review'.

Comment #5

anarcat commented 7 January 2014 at 19:18

Status:

Needs review

» Closed (won't fix)

I think the redirect works fine if you use standard ports. If you use non-standard ports, there's no way to guess which ports to use for SSL, unless the original post meant we should just add 363 (443-80) to the existing non-standard port, which seems a bit silly to me....

Use standard ports, it's good for you.

Comment #6

ergonlogic

he/him

English

Montréal, Québec 🇨🇦

commented 7 January 2014 at 19:24

Status:

Closed (won't fix)

» Active

We save both the public and ssl ports in the server though. So, if those are configured to use non-standard ports, we should be able to retrieve it from there.