I've got a website that I want to always be served in https. The site is load balanced using Apache.
The Apache load balancer is configured basically like so:
<Proxy balancer://mycluster>
BalancerMember http://server1 route=server1
BalancerMember http://server2 route=server2
</Proxy>
Note that all http requests are being rewritten to https requests fine using mod rewrite as well.
The thing I'd like to do is ensure that any http 302 Location headers from server 1 or server 2 are rewritten and sent as https 302 redirect headers.
e.g.
If a response from server 1 had the following as a header:
Location: http://server1/test
I'd like it to be rewritten securely as
Location: https://server1/test
This would avoid the request being sent to the client, and the client then sending the http request, which gets rewritten to https, and would also avoid any security issues of responses being sent over http.
How can I do this?
You can't do this with mod_rewrite, as that is only for requests.
Further, operating on Location is not a 100% solution (that it would be pretty high), as it won't capture things like HTTP meta-refresh (not very common these days...), or instances where the URL is generated using client-side solutions (eg. Javascript, embedded content).
Thus, the desire you propose, while useful, must be treated as an optimisation only.
There could also be sensitivities at the application-end of things. Without knowing anything your application, here are some potential things-to-consider:
You could perhaps do this with mod_header though, which can manipulate response headers. See http://httpd.apache.org/docs/2.2/mod/mod_headers.html
I haven't tested that at all, note that a condition can be specified before the
edit
keyword.Hope it helps, Cameron
While not directly an answer to this question, the following Apache configuration change is what I used to solve the problem:
Using this made it so the nodes in the load balancer understood to rewrite their absolute
http
urls tohttps
urls when the above header was passed in.This was implied by this ServerFault post, which ultimately led to this in the Jetty docs, which solved the problem!