[rt-users] Getting Request Tracker to stick to HTTPS
Steve Anderson
steve.anderson at bipsolutions.com
Wed May 16 13:10:20 EDT 2012
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Might be of interest, if your regular users use firefox, Chrome or Opera.
The other option:
Set up another virtual host on the apache box that only serves a redirect to the https side.
On the proxy, direct port 80 to that one, and leave 443 pointing at the RT instance.
If the proxy supports such, at least.
Steve Anderson
-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Giles Coochey
Sent: 16 May 2012 18:05
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Getting Request Tracker to stick to HTTPS
On 16/05/2012 17:27, Darin Perusich wrote:
> On 05/16/2012 11:20 AM, Giles Coochey wrote:
>> How can I force RT to HTTPS?
>>
> Have you tried use mod_rewrite to rewrite the all traffic for that
> virtual host to https?
>
> Stubs of the config's for your RT virtual host. They http vhost only
> needs to have the basic's defined, the rewrite rules will push
> everything to https.
>
> <VirtualHost x.x.x.x:80>
> ...
> ...
> RewriteEngine On
> RewriteCond %{SERVER_PORT} !^443$
> RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=301]
> </VirtualHost>
>
> <VirtualHost x.x.x.x:443>
> ...
> ...
> <Location />
> Order allow,deny
> Allow from all
> SetHandler modperl
> PerlResponseHandler Plack::Handler::Apache2
> PerlSetVar psgi_app /usr/sbin/rt-server
> </Location>
>
> <Perl>
> use Plack::Handler::Apache2;
> Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
> </Perl>
> ...
> ...
> </VirtualHost>
>
I can't do that, the actual RT Apache Server runs on port 80, so the
rewrite condition is always false.
The Reverse Proxy Director runs on port 8080
The Squid SSL-offload caching proxy runs on 443 & 80
So RT needed to act as if it was running on 443, but it didn't do any
SSL itself.
The problem seemed to be this setting, as mentioned by Paul.
Set($CanonicalizeRedirectURLs, 1);
Now it appears to work. If I wanted to do what you suggested I'd need to do the equivalent in Squid config, I think.
Also, I don't mind it being available on HTTP, I just don't want it bouncing back to HTTP if I log in with HTTPS.
______________________________________________
This email has been scanned by Westcoastcloud.
http://www.westcoastcloud.co.uk/
BiP Solutions Limited is a company registered in Scotland with Company
Number SC086146 and VAT number 383030966 and having its registered
office at Medius, 60 Pacific Quay, Glasgow, G51 1DZ.
In order to improve the quality of the service we offer, calls may be recorded
for quality management and training purposes.
****************************************************************************
This e-mail (and any attachment) is intended only for the attention of
the addressee(s). Its unauthorised use, disclosure, storage or copying
is not permitted. If you are not the intended recipient, please destroy
all copies and inform the sender by return e-mail.
This e-mail (whether you are the sender or the recipient) may be
monitored, recorded and retained by BiP Solutions Ltd.
E-mail monitoring/ blocking software may be used, and e-mail content may
be read at any time.You have a responsibility to ensure laws are not
broken when composing or forwarding e-mails and their contents.
****************************************************************************
More information about the rt-users
mailing list