Rewrite_rule 8080 to 443

Hello,
I have a problem, i would like to redirect plone 4.3.9 which run on 8080 to the https (443).

I installed a certificate with let's encrypt, when i go on the website, i have the default webpage of apache in HTTPS.
But, i can't go on plone on port 8080..

I read on the documentation that i need to modify the rewrite_rule but Nothing append..

    UseCanonicalName On
     
    NameVirtualHost *
    <VirtualHost *>
        ServerAlias yoursite.com
        ServerSignature On
     
        Header set X-Frame-Options "SAMEORIGIN"
        Header set Strict-Transport-Security "max-age=15768000; includeSubDomains"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options "nosniff"
        Header set Content-Security-Policy-Report-Only "default-src 'self'; img-src *; style-src 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval'"
     
        ProxyVia On
     
        # prevent your web server from being used as global HTTP proxy
        <LocationMatch "^[^/]">
          Deny from all
        </LocationMatch>
     
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
     
        RewriteEngine on
        RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [P,L]

    </VirtualHost>
     
    <VirtualHost *>
        ServerAlias   *
        ServerRoot    /var/www
        ServerSignature On
    </VirtualHost>

Thank you for your answers.

Amically,
Florian

1 Like

On Nginx I use this rule (mind the extra $ in the ^/(.*)$ part !

rewrite ^/(.*)$ /VirtualHostBase/https/$http_host:443/Plone/VirtualHostRoot/$1 break;

So maybe you can try it with this rule:

rewrite ^/(.*)$ /VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [P,L]

Or try to replace http://localhost:8080 with this http://127.0.0.1:8080, sometimes the Windows or Linux hosts file is containing for localhost a dynamically assigned IP address like 192.168.1.2

Try to replace localhost in your rewrite rule with your local assigned IP address, but check if in zope.conf if the http-server is listening to your local ip address. See below the examples.

Run in windows CMD box: ipconfig to view your assigned IP address on the network card you are using. In Linux run ifconfig ( "mind the f!")

This Zope http server is listening to the local IP address 127.0.0.1 only on port 8080!
<http-server>
address 8080
</http-server>

This server is listening to ip address 192.168.1.2 on port 8080
<http-server>
address 192.168.1.2:8080
</http-server>

This server is listening to ALL assigned IP addresses on your network card in use on port 8080. (not recommended for security reasons, but sometimes needed to figure out if you can reach the Zope http server.
<http-server>
address 0.0.0.0:8080
</http-server>

Success

  • List item rewrite_rule ^/(.*)$ /VirtualHostBase/https/%{HTTP_HOST}:443/Plone/VirtualHostRoot/$1 [P,L]
    doesn't work.

  • List item replacing localhost by 127.0.0.1 doesn't work.

  • List item replacing by the "inet adr" in ifconfig doesn't work.

In zope. conf there is "address 8080".

I will try to explain more:
We can access to the plone with a domain name (intraxxx.vilxxxxxxxxx.fr).

When we go to http://domainName, we are redirect to https://domainName.

Plone is on http://domainName:8080/Plone439, but the redicrection doesn't work.

We can access to the plone from internet.

Thanks

here you can find a complete working example: https://github.com/plonegovbr/portal.buildout/blob/master/docs/nginx.rst#implementação-do-suporte-ssl

remember you need to create an SSL certificate if you don't have one already: https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04

Some (older?) versions of Ubuntu will only make you have one site with https, I think (not 100% sure)

Although for NGINX, maybe you find here the solution to configure your Apache website.
I use here nginx --> varnish --> haproxy --> Plone/Zope

The user is always forced to https when he enters http...

server {
    listen 80;
    server_name mydomain.com;
    # force the usage of HTTPS
    # rewrite        ^ https://$server_name$request_uri? permanent; 
    return 301 https://$server_name$request_uri;
    
   # following part allows normal http access to  Plone, but ONLY if you comment the line above starting with return 301 ...       
 
    location / {
        rewrite ^(.*)$ /VirtualHostBase/http/$http_host:80/VirtualHostRoot$1 break;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        HTTP_REFERER    $http_referer;
        proxy_set_header        X-Vhm-Host      http://$host;
        proxy_set_header        X-Vhm-Root      /Plone;
        #  Defines a timeout for establishing a connection with the proxied server.
        #  It should be noted that this timeout cannot usually exceed 75 seconds.
        proxy_connect_timeout   60s;
        proxy_read_timeout      8400;
        client_max_body_size    1048M;
        # Proxy everything to Varnish
        proxy_pass http://varnish;

        }
}

SSL SECURED VIA HTTPS

server {
    server_name mydomain.com;    
    listen 443; # Customise port when the standard 443 is taken by something else
    # SSL 
    ssl on;
    ssl_certificate /path/to/plone.cert;
    ssl_certificate_key /path/plone.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    
    ## uncomment these lines only when http access is allowed
    ## if ($http_cookie ~* "__ac=([^;]+)(?:;|$)" ) {
    ## # prevent infinite recursions between http and https
    ##   break; 
    ## }
    ## rewrite ^(.*)(/logged_out)(.*) http://$http_host$1$2$3 redirect;
    
    location / {

        # to allow access to Zope ZMI and Plone 
        rewrite ^/zmi/(.*)$ /VirtualHostBase/https/$http_host:443/VirtualHostRoot/_vh_zmi/$1 break;
        rewrite ^/(.*)$ /VirtualHostBase/https/$http_host:443/**Plone**/VirtualHostRoot/$1 break;
        proxy_read_timeout 1200;
        proxy_connect_timeout 1200;
        client_max_body_size 1048M;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        HTTP_REFERER    $http_referer;
        proxy_pass http://varnish;

    }
    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root /path/to/nginx/html;
    }

}

Have you found a solution to this problem?

This is working with proper setup. For a (basic) apache server and lets encrypt the config is pretty basic, something like:

 ServerName my.server.no
 RewriteEngine On
RewriteRule ^/(.*)$    
http://127.0.0.1:8080/VirtualHostBase/https/my.server.no:443/Plone/VirtualHostRoot/$1 [L,P]

SSLCertificateFile /etc/letsencrypt/live/my.server.no/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.server.no/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Cerbot actually fixes the rewrite rule for you if you set up http first.

When I set up cerbot, I think I used this link:

1 Like

It is quite strange, it is the configuration I have at the moment, Apache works correctly, loading the default page, but the redirection to Plone is not done.

Enter correctly to ApacheDefaultPage not to Plone -- https://docs.respect.com.co/

ERR_SSL_PROTOCOL_ERROR when I do this -- https://docs.respect.com.co:8080/

This is my .conf

            #DocumentRoot /var/www/html
            ServerSignature On
            AllowEncodedSlashes NoDecode

            Header set X-Frame-Options "SAMEORIGIN"
            Header set Strict-Transport-Security "max-age=15768000; includeSubDomains"
            Header set X-XSS-Protection "1; mode=block"
            Header set X-Content-Type-Options "nosniff"
            Header set Content-Security-Policy-Report-Only "default-src 'self'; img-src *; style-src 'unsafe-inline'; >

            ProxyVia On

            # prevent your web server from being used as global HTTP proxy
            <LocationMatch "^[^/]">
                    Deny from all
            </LocationMatch>

            <Proxy proxy:http://127.0.0.1:8080/>
                    Order deny,allow
                    Allow from localhost
            </Proxy>

            RewriteEngine on
            RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/docs.respect.com.co:443/Plone/VirtualHostRoot/$1 [L,P]
            
            SSLEngine on
            SSLCertificateFile      /home/ubuntu/certificados/cert.pem
            SSLCertificateKeyFile /home/ubuntu/certificados/cert.key

           <FilesMatch "\.(cgi|shtml|phtml|php)$">
                            SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                            SSLOptions +StdEnvVars
            </Directory>

Any ideas?

Someone else, that knows this better should answer.

One thing, though:
You should never access your site as https://docs.respect.com.co:8080/

It should be: https://docs.respect.com.co

Have you restarted apache after you made the changes ?

Plone Foundation Code of Conduct