In RT_Config, it looks like you shouldn’t even have to specify
WebBaseURL - it appears to look to see if WebPort is 443 and changes
it to https accordingly.On Wed, May 16, 2012 at 11:20 AM, Giles Coochey giles@coochey.net wrote:
Further reading in RT_Config suggests you may need to look at this:
=item C<$CanonicalizeRedirectURLs>
Set C<$CanonicalizeRedirectURLs> to 1 to use C<$WebURL> when
redirecting rather than the one we get from C<%ENV>.
Apache’s UseCanonicalName directive changes the hostname that RT
finds in C<%ENV>. You can read more about what turning it On or Off
means in the documentation for your version of Apache.
If you use RT behind a reverse proxy, you almost certainly want to
enable this option.
=cut
Set($CanonicalizeRedirectURLs, 0);On Wed, May 16, 2012 at 11:24 AM, Paul Tomblin ptomblin@xcski.com wrote:
In RT_Config, it looks like you shouldn’t even have to specify
WebBaseURL - it appears to look to see if WebPort is 443 and changes
it to https accordingly.
On Wed, May 16, 2012 at 11:20 AM, Giles Coochey giles@coochey.net wrote:
In RT_Config, it looks like you shouldn’t even have to specify
WebBaseURL - it appears to look to see if WebPort is 443 and changes
it to https accordingly.
Yes, it is doing that automatically (I have not specified WebBaseURL).
But it reverts me to http after logging in via https
Further reading in RT_Config suggests you may need to look at this:
=item C<$CanonicalizeRedirectURLs>
Set C<$CanonicalizeRedirectURLs> to 1 to use C<$WebURL> when
redirecting rather than the one we get from C<%ENV>.
Apache’s UseCanonicalName directive changes the hostname that RT
finds in C<%ENV>. You can read more about what turning it On or Off
means in the documentation for your version of Apache.
If you use RT behind a reverse proxy, you almost certainly want to
enable this option.
=cut
Set($CanonicalizeRedirectURLs, 0);
Thanks!!! Just tried it and that looks a lot more promising.
Have you tried use mod_rewrite to rewrite the all traffic for that
virtual host to https?
Stubs of the config’s for your RT virtual host. They http vhost only
needs to have the basic’s defined, the rewrite rules will push
everything to https.
...
...
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=301]
...
...
Order allow,deny
Allow from all
SetHandler modperl
PerlResponseHandler Plack::Handler::Apache2
PerlSetVar psgi_app /usr/sbin/rt-server
<Perl>
use Plack::Handler::Apache2;
Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
</Perl>
…
…
Darin Perusich
Email: Darin.Perusich@ctg.com
Office: 716-888-3690
The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential and/or privileged material. Any
review, retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the
intended recipient is prohibited. If you are not the intended recipient of this
message, please contact the sender and delete this material from this computer.
Have you tried use mod_rewrite to rewrite the all traffic for that
virtual host to https?
Stubs of the config’s for your RT virtual host. They http vhost only
needs to have the basic’s defined, the rewrite rules will push
everything to https.
...
...
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=301]
...
...
Order allow,deny
Allow from all
SetHandler modperl
PerlResponseHandler Plack::Handler::Apache2
PerlSetVar psgi_app /usr/sbin/rt-server
<Perl>
use Plack::Handler::Apache2;
Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
</Perl>
…
…
I can’t do that, the actual RT Apache Server runs on port 80, so the
rewrite condition is always false.
The Reverse Proxy Director runs on port 8080
The Squid SSL-offload caching proxy runs on 443 & 80
So RT needed to act as if it was running on 443, but it didn’t do any
SSL itself.
The problem seemed to be this setting, as mentioned by Paul.
Set($CanonicalizeRedirectURLs, 1);
Now it appears to work. If I wanted to do what you suggested I’d need to do the equivalent in Squid config, I think.
Also, I don’t mind it being available on HTTP, I just don’t want it bouncing back to HTTP if I log in with HTTPS.
Might be of interest, if your regular users use firefox, Chrome or Opera.
The other option:
Set up another virtual host on the apache box that only serves a redirect to the https side.
On the proxy, direct port 80 to that one, and leave 443 pointing at the RT instance.
Have you tried use mod_rewrite to rewrite the all traffic for that
virtual host to https?
Stubs of the config’s for your RT virtual host. They http vhost only
needs to have the basic’s defined, the rewrite rules will push
everything to https.
...
...
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=301]
...
...
Order allow,deny
Allow from all
SetHandler modperl
PerlResponseHandler Plack::Handler::Apache2
PerlSetVar psgi_app /usr/sbin/rt-server
<Perl>
use Plack::Handler::Apache2;
Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
</Perl>
…
…
I can’t do that, the actual RT Apache Server runs on port 80, so the
rewrite condition is always false.
The Reverse Proxy Director runs on port 8080
The Squid SSL-offload caching proxy runs on 443 & 80
So RT needed to act as if it was running on 443, but it didn’t do any
SSL itself.
The problem seemed to be this setting, as mentioned by Paul.
Set($CanonicalizeRedirectURLs, 1);
Now it appears to work. If I wanted to do what you suggested I’d need to do the equivalent in Squid config, I think.
Also, I don’t mind it being available on HTTP, I just don’t want it bouncing back to HTTP if I log in with HTTPS.
This email has been scanned by Westcoastcloud.
BiP Solutions Limited is a company registered in Scotland with Company
Number SC086146 and VAT number 383030966 and having its registered
office at Medius, 60 Pacific Quay, Glasgow, G51 1DZ.
In order to improve the quality of the service we offer, calls may be recorded
for quality management and training purposes.
This e-mail (and any attachment) is intended only for the attention of
the addressee(s). Its unauthorised use, disclosure, storage or copying
is not permitted. If you are not the intended recipient, please destroy
all copies and inform the sender by return e-mail.
This e-mail (whether you are the sender or the recipient) may be
monitored, recorded and retained by BiP Solutions Ltd.
E-mail monitoring/ blocking software may be used, and e-mail content may
be read at any time.You have a responsibility to ensure laws are not
broken when composing or forwarding e-mails and their contents.
All traffic on my RT instance is done via HTTPS. I also have an Apache
rewrite rule in case someone navigates to HTTP instead (as users often do).
You don’t need this. WebDomain, WebPort and WebPath is enough in most cases.
As documentation in versions says you set WebBaseURL or other options only
in very specific cases, for example when you want to server RT over HTTPS
from port 10000.
Topic starter needs CanonicalizeRedirectURLs option. He uses reverse proxy. By
default for redirects RT guesses a few bits from ENV variables (set by
web server).
This allows you to run the same RT instance with multiple entry points. However,
if you have something in front of RT then this guessing doesn’t work.
All traffic on my RT instance is done via HTTPS. I also have an
Apache
rewrite rule in case someone navigates to HTTP instead (as users
often do).
You don’t need this. WebDomain, WebPort and WebPath is enough in most
cases.
As documentation in versions says you set WebBaseURL or other options
only
in very specific cases, for example when you want to server RT over
HTTPS
from port 10000.
Topic starter needs CanonicalizeRedirectURLs option. He uses reverse
proxy. By
default for redirects RT guesses a few bits from ENV variables (set
by
web server).
This allows you to run the same RT instance with multiple entry
points. However,
if you have something in front of RT then this guessing doesn’t work.
And just to confirm, for the reverse SSL offloading proxy case the:
Set($CanonicalizeRedirectURLs, 1);
Option in RT_SiteConfig.pm works just right, my pages stay on https
throughout the session.