Resolved
0 votes
I am not sure if this question is under the right category. Note to Admin(s): Please feel free to move this post to the right category if you must. Thanks.

Now on to my issue or problem. :)

Now that I got Let's Encrypt app installed and working, I need to be able to force or redirect from HTTP to HTTPS on our main domain name. For instance, if someone were to just type in clearos.com, I want them redirected to https://clearos.com. I have looked high and low all over the internet including on ClearOS forum for a solution and I have yet to find one that works for me. I have also run up and down through webconfig for any options or selections that will enable me to do this, but still nothing.

First, I kept coming across codes like the one below and there seem to be many variations of that on the Internet. Some people said simply drop the code in the htaccess file and it should work right away. But when I do that, my whole website just disappears and the browser says FORBIDDEN you have no permission to view. Then, I came across a posting (HTTPS redirect on ClearOS) that instructed the reader to DROP the code shown below into /etc/httpd/conf.d/flex-80.conf. I did exactly that and it DIDN'T work. In fact, it did nothing even though my website did come up.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Someone said in another ClearOS posting that I should be able to set it up under firewall. Well, I tried to do that and it complained that there was already a rule set up for the HTTPS port 443.

I am confused.... What am I doing wrong and how can I get this to work? Any help will be greatly appreciated. Thanks...
Friday, December 14 2018, 02:58 PM
Responses (13)
  • Accepted Answer

    Friday, December 14 2018, 10:22 PM - #Permalink
    Resolved
    1 votes
    I use a slightly different form of the rule:
    RewriteEngine on
    RewriteCond %{SERVER_PORT} 80
    RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]
    You can also use [R,L]. I had to do that because of problems with non-standard ports.

    I don't know if file ownership matters but it should be apache:allusers, although I have one in a sub-folder which is root:allusers.

    If you are testing externally, make sure you've remembered to open the firewall to https.
  • Accepted Answer

    Saturday, December 15 2018, 04:39 AM - #Permalink
    Resolved
    1 votes
    Did you try clearing out your browser's cache and your website's cache as well, prior to giving it a whirl? Maybe even tried it from multiple devices? What Nick said makes sense. I'm in the practice of recursively giving ownership to apache:apache to my website and all its folders. More experienced web designers might say otherwise. I'm a tinkerer, not a guru.

    Out of curiosity, what do your scripts look like for your website and your webroot in /etc/httpd/conf.d/flex-80.conf and flex-443?
  • Accepted Answer

    Monday, December 17 2018, 05:04 PM - #Permalink
    Resolved
    1 votes
    If I had to guess, your htaccess file permissions are set to 640. Try something like 644 or higher.

    chmod 644 /var/www/html/.htaccess


    You should be able to use your original htaccess script too.
  • Accepted Answer

    Monday, December 17 2018, 05:16 PM - #Permalink
    Resolved
    1 votes
    That is odd. I can access your web site on both http and https.

    My .htaccess permissions are 644

    Clearing cookies may not help to forget the site. In Firefox, to undo a permanent redirect, I have to go into History > Show All History, right-click then Forget About This Site.
  • Accepted Answer

    Monday, December 17 2018, 06:26 PM - #Permalink
    Resolved
    1 votes
    Have you enabled "Allow [.htaccess] Override" in the Webserver config? I don't know if you need "Follow Symlinks / Allow Rewrite" as well (I have it).
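Added example (not part of the thread and not ClearOS code): a small checker that predicts what Apache does with a `.htaccess` containing `RewriteEngine`/`RewriteRule`, which shows why the symptom was Forbidden rather than a silently ignored rule. It assumes the two webconfig switches named above map to Apache's `AllowOverride` and `Options FollowSymLinks` directives; the `<Directory>` blocks are constructed samples and `inherited` is an assumed starting point (Apache 2.4's default `Options`).

```python
import re

ALL = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}

def directory_block(conf, path):
    """Directive lines (split into words) inside <Directory path>...</Directory>."""
    m = re.search(r'<Directory\s+"?%s/?"?\s*>(.*?)</Directory>' % re.escape(path),
                  conf, re.S | re.I)
    return [ln.split() for ln in m.group(1).splitlines()] if m else []

def htaccess_rewrite_verdict(conf, path, inherited=("FollowSymLinks",)):
    """Predict what a .htaccess containing RewriteEngine/RewriteRule does in path."""
    options = {o.lower() for o in inherited}   # assumption: Apache 2.4 default
    override = {"none"}                        # Apache 2.4 default AllowOverride
    for words in directory_block(conf, path):
        if not words or words[0].startswith("#"):
            continue
        name, args = words[0].lower(), words[1:]
        if name == "allowoverride":
            override = {a.lower() for a in args}
        elif name == "options":
            if not any(a[0] in "+-" for a in args):
                options = set()                # a plain list replaces inherited options
            for a in args:
                opt = a.lstrip("+-").lower()
                members = ALL if opt == "all" else {opt}
                options = options - members if a.startswith("-") else options | members
    if not override & {"all", "fileinfo"}:
        # None: .htaccess is never read. Other classes: "RewriteEngine not allowed here".
        return "ignored" if override <= {"none"} else "500"
    if not options & {"followsymlinks", "symlinksifownermatch"}:
        return "403"                           # mod_rewrite refuses per-directory rules
    return "ok"

# Constructed sample configurations (not taken from the poster's server).
TEMPLATE = "<Directory /var/www/html>\n    Options %s\n    AllowOverride %s\n</Directory>\n"
SYMLINKS_OFF = TEMPLATE % ("-FollowSymLinks", "All")
OVERRIDE_OFF = TEMPLATE % ("+FollowSymLinks", "None")
BOTH_ON = TEMPLATE % ("+FollowSymLinks", "All")

if __name__ == "__main__":
    for label, conf in [("symlinks off", SYMLINKS_OFF), ("override off", OVERRIDE_OFF),
                        ("both on", BOTH_ON)]:
        print(label, "->", htaccess_rewrite_verdict(conf, "/var/www/html"))
```

When the verdict is "403", the Apache error log normally names the cause: mod_rewrite reports that `FollowSymLinks` and `SymLinksIfOwnerMatch` are both off, so the `RewriteRule` directive is forbidden.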
  • Accepted Answer

    Monday, December 17 2018, 07:40 PM - #Permalink
    Resolved
    1 votes
    Some pages get deemed as unsafe if content is served from third party insecure servers, or if you have links or content hardcoded with http so you end up serving mixed content.
  • Accepted Answer

    Friday, December 14 2018, 08:43 PM - #Permalink
    Resolved
    0 votes
    Mod_rewrite in COS 7.5.0 should be enabled in Apache by default in /etc/httpd/conf.modules.d/00-base.conf, with a line that looks like

    LoadModule rewrite_module modules/mod_rewrite.so


    Then put a file in your webroot called .htaccess with only the code you wrote above.

    Make sure the Let's Encrypt certificate is the digital certificate chosen in your Webconfig for your website.
  • Accepted Answer

    Friday, December 14 2018, 09:37 PM - #Permalink
    Resolved
    0 votes
    Hi Dirk Albring

    I checked 000-base.conf for that line and sure enough it is there and enabled.

    Then, I deleted everything in my .htaccess file and replaced it with the code I have in my post.

    Then, I checked my webconfig to make sure Let's Encrypt is selected and it is.

    Then, just to be sure, I decided to completely shut down the browser and start it back up again.
    Then, I simply typed in my domain name and hit enter.

    Unfortunately, my browser still says the same thing.

    Forbidden. You don't have a permission to view.
  • Accepted Answer

    Monday, December 17 2018, 04:26 PM - #Permalink
    Resolved
    0 votes
    Hi Nick and Dirk,

    Nick, I copied and pasted your .htaccess code as is. Then I tried to open my website. It is still the same. It pops up with FORBIDDEN message.

    I did check the firewall allowed incoming connections and I saw the following which is the ONLY set up I saw for HTTPS in the list of connections.
    http://rel-tek.com/CareyLynnMorgan.png

    Dirk, my browser is set to clear cookies and cache every time I close or shut down my browser (Firefox). So, I did completely close my browser and tested it. It still displayed FORBIDDEN.
    Here is what is in my /etc/httpd/conf.d/flex-80.conf and flex-443.

    flex-80.conf

    http://www.rel-tek.com/CareyLynnMorgan2.png

    flex-443.conf

    #----------------------------------------------------------------
    # WARNING: This file is automatically created by webconfig.
    #----------------------------------------------------------------


    # Authentication mechanism
    DefineExternalAuth pwauth pipe /usr/bin/pwauth
    DefineExternalGroup pwauth pipe /usr/bin/unixgroup

    # -----------------------------------------------#
    # Web Site
    # -----------------------------------------------#

    <VirtualHost *:443>
    ServerName rel-tek.com
    ServerAlias reltek.com ftp.rel-tek.com mail.rel-tek.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.rel-tek.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.rel-tek.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.rel-tek.com/chain.pem
    # No weak export crypto allowed
    SSLHonorCipherOrder on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!3DES:!aNULL:!MD5
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    </VirtualHost>
  • Accepted Answer

    Monday, December 17 2018, 05:45 PM - #Permalink
    Resolved
    0 votes
    Hi,

    I did change the read write execute permission on the .htaccess file after updating the file with Nick's code. Then I tried to access the website; it is still popping up with Forbidden.

    Nick, HTTPS encryption part works. You can access our website both ways... However, I want to force HTTPS when a visitor tries to enter the website by either https or http to HTTPS ONLY. The .htaccess code for some reason won't work and I have tried different variations of that code with the same result. Right now, I got nothing in my .htaccess file; that's why you are able to access the website.
  • Accepted Answer

    Monday, December 17 2018, 06:48 PM - #Permalink
    Resolved
    0 votes
    Nick! :) Yes, that was it.... :) The only thing that was not enabled was "Follow Symlinks / Allow Rewrite." Once I enabled it, it works with your .htaccess code. :) AWESOME!!! Now, I need to find out why some of my pages are deemed to be unsafe and fix them...

    Thank you so much for all the help, Nick and Dirk. :)
  • Accepted Answer

    Monday, December 17 2018, 06:59 PM - #Permalink
    Resolved
    0 votes
    Good catch Nick. I have both parameters enabled for my site and https is forced no matter the page.
  • Accepted Answer

    Friday, January 04 2019, 01:53 PM - #Permalink
    Resolved
    0 votes
    Hi Ben,

    Yes, you are right, but if you have certain items on your webpage like say JAVASCRIPT and it can't block them, the browser will flag that web page as unsafe. For instance, on some of my web pages I had JavaScript for slideshows and direct links to images and other webpages using HTTP. Those webpages were flagged as unsafe and the browser said "Unsecure Connection." Once I painstakingly went through page by page and removed or fixed all those offending items, the browser reported a secure connection. So, even though I had HTTPS working with Dirk and Nick's help, I still needed to clean up my webpages for HTTPS to work on our website.