HTTPS Redirect Web GUI
-
Is there any way to write a port 80 > 443 redirect affecting only the web GUI? Due to my customer’s security requirements I need a redirect to SSL-secured port 443 for the web GUI. But I know the FOG client stops working, and that’s an entirely different beast. I tried adding the redirect shown here, which worked for the web GUI but then didn’t allow iPXE boot to work, and I got an error with “Operation Permitted”. I imagine, just like stated in this previous post, it has to do with the redirect. Any advice on a redirect only affecting the web GUI?
-
I have such a redirect
<VirtualHost *:80>
    # Hand PHP files to PHP-FPM over FastCGI
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    KeepAlive Off
    ServerName ip.of.fog.server
    ServerAlias hostnameOfFogServer
    DocumentRoot /var/www/html/
    <Directory /var/www/html/fog/>
        DirectoryIndex index.php index.html index.htm
    </Directory>
    RewriteEngine On
    # Refuse TRACE and TRACK requests
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    # Send /fog/ requests that match no existing file or directory to the API front controller
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
</VirtualHost>
This is assuming you have your cert configured in ssl.conf too.
I’m running CentOS with httpd, as that might make a difference if you’re running Debian-based Apache
-
@JJ-Fullmer Does this affect you pxe booting into fog from asset? I do have SSL configured cert on https port for web gui.
-
@cul3r0 It does not, that configuration is elsewhere. If you enabled https support at install then you have to do something special to get that disabled for pxe because it embeds the self-signed cert made at install into the on-the-fly pxe compilation process.
-
@JJ-Fullmer So I didn’t notice, but that’s the same original file. Your config is the one I have, but the Nessus vuln scanner and the curl command as well do not have a redirect going from http to https. We do get a 302 redirect, but unfortunately it’s redirecting back to http.
-
This is the result from Nessus Vulnerability scanner when it comes to port 80 “not redirecting” to https 443
-
@cul3r0 The https redirect is actually only working for me if I go to the fqdn on http, i.e. http://fog-server.domain.tld will redirect to https but http://fog-server will not redirect.
I’m pretty sure it’s possible to adjust the rules to redirect everything to the fqdn on https. You can probably mess with the rules to make it rewrite anything to go to the fqdn on https
-
@JJ-Fullmer said in HTTPS Redirect Web GUI:
https redirect
I had this issue, but wanted to add to the Copilot answer that works on RHEL 8.10 running the latest Apache and FOG 1.5.10.1634 (this assumes you installed FOG with NO HTTPS option, in other words HTTPS disabled by default):
To redirect all HTTP requests on port 80 to HTTPS on port 443 using your provided certificate and key, you can use the following configuration:
Create a new configuration file in the /etc/httpd/conf.d/ directory, for example, redirect.conf:
<VirtualHost *:80>
    ServerName ip.of.fog.server
    ServerAlias hostnameOfFogServer
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
Update your SSL configuration in the /etc/httpd/conf.d/ssl.conf file to include your certificate and key:
<VirtualHost *:443>
    ServerName ip.of.fog.server
    ServerAlias hostnameOfFogServer
    DocumentRoot /var/www/html/
    SSLEngine on
    SSLCertificateFile /opt/fog/ssl/UNIQUE-FOR-ME/MYCERT.cer
    SSLCertificateKeyFile /opt/fog/ssl/UNIQUE-FOR-ME/MYCERT.key
    <Directory /var/www/html/fog/>
        DirectoryIndex index.php index.html index.htm
        AllowOverride All
        Require all granted
    </Directory>
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
</VirtualHost>
Restart Apache to apply the changes:
sudo systemctl restart httpd
This configuration will redirect all HTTP requests to HTTPS and use the provided certificate and key for SSL. Make sure to replace ip.of.fog.server and hostnameOfFogServer with your actual server IP and hostname.
Lastly, when enrolling a cert I used the FQDN and plain hostname as a “Subject Alternative Name”. For my company, this means internal use only (.pvt). This takes care of both redirects (prob could have also talked to the DNS team to redirect the hostname to the FQDN, e.g. hostname.blah.pvt, as well). But it’s better (and faster) in the cert if you can do it that way.
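Added example, not part of the thread and not FOG's own code: a small Python check for the two symptoms reported above, a 302 that lands back on http and the short hostname behaving differently from the FQDN. It classifies the response head that `curl -sI` prints for a port-80 request; the sample responses are constructed, and the function names and verdict strings are this example's own.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed response heads in the shape `curl -sI <url>` prints; not real captures.
SAMPLES = {
    "http://fog-server.domain.tld/fog/management/":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://fog-server.domain.tld/fog/management/\r\n\r\n",
    "http://fog-server/fog/management/":
        "HTTP/1.1 302 Found\r\n"
        "Location: http://fog-server/fog/management/index.php\r\n\r\n",
    "http://fog-server/fog/index.php":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://fog-server.domain.tld/fog/index.php\r\n\r\n",
    "http://fog-server/fog/":
        "HTTP/1.1 302 Found\r\nLocation: /fog/index.php\r\n\r\n",
    "http://fog-server/":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

def parse_head(raw):
    """Return (status_code, {lowercased header: value}) from a raw response head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(request_url, raw):
    """Say where a port-80 request is sent, judged by status and Location."""
    status, headers = parse_head(raw)
    if status not in REDIRECT_CODES:
        return "no-redirect"
    if "location" not in headers:
        return "no-location"
    req, target = urlsplit(request_url), urlsplit(headers["location"])
    # A relative Location keeps the scheme and host of the request.
    if (target.scheme or req.scheme) != "https":
        return "still-http"  # the "302 back to http" case
    same = (target.hostname or req.hostname).lower() == req.hostname.lower()
    # A different target host means the certificate must cover that name too.
    return "https-same-host" if same else "https-other-host"

def audit(samples=SAMPLES):
    return {url: classify(url, raw) for url, raw in samples.items()}
```
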