Home / server / Questions / 472340
Accepted
rwired
Asked: 2013-01-26 02:47:41 +0800 CST

Apache mod_substitute not working over SSL

  • 772

I am migrating a websserver, and have ran into a problem with Apache mod_substitute. On the old server everything worked fine, the correct substitutions being made both for HTTP and HTTPS requests.

On the new server, the substitutions only get made for HTTP requests. The new server has the same file-structure as the old one, and the same OS (CentOS 5.6). There are some differences in the Apache config between servers, but I can't figure out what may be causing the problem. I've tried LogLevel debug but nothing useful.

Some conf files to see differences: (comments removed to save space)

OLD SERVER (Works)

conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/etc/httpd/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/etc/httpd/logs/ssl_mutex
</IfDefine>

NEW SERVER (mod_substitute no action for https:// requests)

conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

Relevant VHosts section (same on both servers), https:// pages page do display (and the certificate info is correct), only mod_substitute fails to convert .com links into .de links on the new server (whereas on the old server it worked fine). 

<VirtualHost 10.0.0.11:443>
  SuexecUserGroup myuser myuser

  DocumentRoot /home/myuser/mydomain.de/html
  ServerName mydomain.de

  ServerAlias www.mydomain.de ftp.mydomain.de mail.mydomain.de
  ServerAdmin [email protected]

  # subdomain logic
  RewriteEngine On
  RewriteOptions inherit
  RewriteCond %{HTTP_HOST} !^www\.mydomain\.de [NC]
  RewriteCond %{HTTP_HOST} !^mydomain\.de [NC]
  RewriteCond %{HTTP_HOST} ^([A-Z0-9a-z-.]+)\.mydomain\.de [NC]
  RewriteCond %{DOCUMENT_ROOT}/%1 -d
  RewriteRule ^(.+) %{HTTP_HOST}/$1 [C]
  RewriteRule ^([0-9A-Za-z-.]+)\.mydomain\.de/?(.*)$ %{DOCUMENT_ROOT}/$1/$2 [L]

  RewriteCond %{HTTP_HOST} ^www\.([A-Z0-9a-z-.]+)\.mydomain\.de [NC]
  RewriteCond %{DOCUMENT_ROOT}/%1 -d
  RewriteRule ^(.+) %{HTTP_HOST}/$1 [C]
  RewriteRule ^www\.([0-9A-Za-z-.]+)\.mydomain\.de/?(.*)$ %{DOCUMENT_ROOT}/$1/$2 [L]
  # end subdomain logic

  LogLevel debug
  ErrorLog /home/myuser/var/mydomain.de/logs/error_ssl.log
  CustomLog /home/myuser/var/mydomain.de/logs/transfer.log combined

  # php: default  don't edit between this and the "end php" comment below
  <IfModule mod_suphp.c>
    suPHP_Engine On
    suPHP_UserGroup myuser myuser
    AddHandler x-httpd-php .php
    suPHP_AddHandler x-httpd-php .php
    suPHP_ConfigPath /home/myuser/etc
  </IfModule>

  <IfModule !mod_suphp.c>
    <IfModule mod_php5.c>
      php_admin_flag engine On
    </IfModule>
    <IfModule mod_php4.c>
      php_admin_flag engine On
    </IfModule>
  </IfModule>
  # end php

  # cgi: 1 don't edit between this and the "end cgi" comment below
  <Directory /home/myuser/mydomain.de/html>
    AllowOverride  All
  </Directory>

  <Location />
    Options +ExecCGI
  </Location>
  ScriptAlias /cgi-bin/ /home/myuser/mydomain.de/html/cgi-bin/
  # end cgi

  <IfModule mod_substitute.c>
    <Location />
      AddOutputFilterByType SUBSTITUTE text/html
      Substitute "s|http://www.mydomain.com/|http://www.mydomain.de/|niq"
      Substitute "s|http://www.mydomain.com|http://www.mydomain.de/|niq"
      Substitute "s|http://mydomain.com/|http://www.mydomain.de/|niq"
      Substitute "s|http://mydomain.com|http://www.mydomain.de/|niq"
      Substitute "s|https://www.mydomain.com/|https://mydomain.de/|niq"
      Substitute "s|https://www.mydomain.com|https://mydomain.de/|niq"
      Substitute "s|https://mydomain.com/|https://mydomain.de/|niq"
      Substitute "s|https://mydomain.com|https://mydomain.de/|niq"
    </Location>
  </IfModule>

 #.com.au is the primary (CN) certificate for all country domains (multi-domain certificate)
 SSLEngine on
  SSLCipherSuite SSLv3:HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW
  SSLCACertificatePath /home/myuser/var/mydomain.com.au/ssl
  SSLCertificateKeyFile /home/myuser/var/mydomain.com.au/ssl/mydomain.com.au.priv.key
  SSLCertificateFile /home/myuser/var/mydomain.com.au/ssl/mydomain.com.au.crt
  SSLCACertificateFile /home/myuser/var/mydomain.com.au/ssl/mydomain.com.au.chain.crt
  SSLOptions +ExportCertData +StrictRequire
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
linux

1 Answers

  1. Best Answer

    The problem was fixed by upgrading Apache to 2.2.23 (it was 2.2.3).

    The yum repros on the new server were not enabled to allow upgrade beyond 2.2.3-76.el5.centos, after finding the correct repro to enable and upgrading, the SSL problem was fixed. It was not a configuration file issue.

    • 0