I am not sure if this question is under the right category. Note to Admin(s): Please feel free to move this post to the right category if you must. Thanks.
Now on to my issue or problem.
Now that I got the Let's Encrypt app installed and working, I need to be able to force or redirect from HTTP to HTTPS on our main domain name. For instance, if someone were to just type in clearos.com, I want them redirected to https://clearos.com. I have looked high and low all over the internet, including on the ClearOS forum, for a solution and I have yet to find one that works for me. I have also run up and down through webconfig for any options or selections that will enable me to do this, but still nothing.
First, I kept coming across code like the one below and there seem to be many variations of it on the Internet. Some people said simply drop the code in the htaccess file and it should work right away. But when I do that, my whole website just disappears and the browser says FORBIDDEN you have no permission to view. Then, I came across a posting (HTTPS redirect on ClearOS) that instructed the reader to DROP the code shown below into /etc/httpd/conf.d/flex-80.conf. I did exactly that and it DIDN'T work. In fact, it did nothing even though my website did come up.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Someone said in another ClearOS posting that I should be able to set it up under firewall. Well, I tried to do that and it complained that there was already a rule set up for the HTTPS port 443.
I am confused.... What am I doing wrong and how can I get this to work? Any help will be greatly appreciated. Thanks...
Responses (13)
-
Accepted Answer
I use a slightly different form of the rule:
RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]
You can also use [R,L]. I had to do that because of problems with non-standard ports.
I don't know if file ownership matters but it should be apache:allusers, although I have one in a sub-folder which is root:allusers.
If you are testing externally, make sure you've remembered to open the firewall to https. -
Accepted Answer
Did you try clearing out your browser's cache and your website's cache as well, prior to giving it a whirl? Maybe even tried it from multiple devices? What Nick said makes sense. I'm in the practice of recursively giving ownership to apache:apache to my website and all its folders. More experienced web designers might say otherwise. I'm a tinkerer, not a guru.
Out of curiosity, what do your scripts look like for your website and your webroot in /etc/httpd/conf.d/flex-80.conf and flex-443? -
Accepted Answer
If I had to guess, your htaccess file permissions are set to 640. Try something like 644 or higher.
chmod 644 /var/www/html/.htaccess
You should be able to use your original htaccess script too. -
Accepted Answer
Have you enabled "Allow [.htaccess] Override" in the Webserver config? I don't know if you need "Follow Symlinks / Allow Rewrite" as well (I have it). -
Accepted Answer
Some pages get deemed as unsafe if content is served from third party insecure servers, or if you have links or content hardcoded with http so you end up serving mixed content. -
Accepted Answer
Mod_rewrite in COS 7.5.0 should be enabled in Apache by default in /etc/httpd/conf.modules.d/00-base.conf, with a line that looks like
LoadModule rewrite_module modules/mod_rewrite.so
Then put a file in your webroot called .htaccess with only the code you wrote above.
Make sure the Let's Encrypt certificate is the digital certificate chosen in your Webconfig for your website. -
Accepted Answer
Hi Dirk Albring
I checked 000-base.conf for that line and sure enough it is there and enabled.
Then, I deleted everything in my .htaccess file and replaced it with the code I have in my post.
Then, I checked my webconfig to make sure Let's Encrypt is selected and it is.
Then, just to be sure. I decided to completely shutdown the browser and start it back up again.
Then, I simply typed in my domain name and hit enter.
Unfortunately, my browser still says the same thing.
Forbidden. You don't have a permission to view. -
Accepted Answer
Hi Nick and Dirk,
Nick, I copied and pasted your .htaccess code as is. Then, I tried to open my website. It is still the same. It pops up with the FORBIDDEN message.
I did check the firewall allowed incoming connections and I saw the following which is the ONLY set up I saw for HTTPS in the list of connections.
Dirk, My browser is set to clear cookies and cache every time I close or shutdown my browser (firefox). So, I did completely close my browser and tested it. It still displayed FORBIDDEN.
Here is what is in my /etc/httpd/conf.d/flex-80.conf and flex-443.
flex-80.conf
flex-443.conf
#----------------------------------------------------------------
# WARNING: This file is automatically created by webconfig.
#----------------------------------------------------------------
# Authentication mechanism
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup pwauth pipe /usr/bin/unixgroup
# -----------------------------------------------#
# Web Site
# -----------------------------------------------#
<VirtualHost *:443>
ServerName rel-tek.com
ServerAlias reltek.com ftp.rel-tek.com mail.rel-tek.com
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.rel-tek.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.rel-tek.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.rel-tek.com/chain.pem
# No weak export crypto allowed
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!3DES:!aNULL:!MD5
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost> -
Accepted Answer
Hi,
I did change the read write execute permission on the .htaccess file after updating the file with Nick's code. Then, tried to access the website, it is still popping up with Forbidden.
Nick, the HTTPS encryption part works. You can access our website both ways... However, I want to force HTTPS ONLY when a visitor tries to enter the website by either https or http. The .htaccess code for some reason won't work and I have tried different variations of that code with the same result. Right now, I have nothing in my .htaccess file, which is why you are able to access the website. -
Accepted Answer
Nick! Yes, that was it.... The only thing that was not enabled was "Follow Symlinks / Allow Rewrite." Once I enabled it, it works with your .htaccess code. AWESOME!!! Now, I need to find out why some of my pages are deemed to be unsafe and fix them...
Thank you so much for all the help, Nick and Dirk. -
Accepted Answer
Good catch Nick. I have both parameters enabled for my site and https is forced no matter the page. -
Accepted Answer
Hi Ben,
Yes, you are right, but if you have certain items on your webpage like, say, JAVASCRIPT and it can't block them, the browser will flag that web page as unsafe. For instance, on some of my web pages I had JavaScript for slideshows and direct links to images and other webpages using HTTP. Those webpages were flagged as unsafe and the browser said "Unsecure Connection." Once I painstakingly went through page by page and removed or fixed all those offending items, the browser reported a secure connection. So, even though I had HTTPS working with Dirk and Nick's help, I still needed to clean up my webpages for HTTPS to work on our website.