Monday, February 6, 2012

[HTTP] Rewriting HTTP (port 80) requests to HTTPS (port 443)


Problem (Abstract)

The rewrite module (mod_rewrite.c) provided with the IBM® HTTP Server can be used as an effective way to automatically rewrite all HTTP requests to HTTPS.

Resolving the problem

Notes:
  1. The web server and WebSphere® plug-in must already be configured to handle HTTPS requests successfully before attempting to implement the following suggestions. If they are not, first configure the Web server and WebSphere plug-in for HTTPS, then confirm SSL is working before you proceed. Also, if you are running the IBM HTTP Server on a UNIX® platform, the rewrite module must be uncommented in the httpd.conf file.
  2. Always back up the following files before making changes:

For releases of IBM HTTP Server V1.3.12, 1.3.19, 1.3.26, 1.3.28:

LoadModule rewrite_module    libexec/mod_rewrite.so
AddModule mod_rewrite.c

For releases of IBM HTTP Server V2.0x, 6.0x, 6.1x and 7.0x:

LoadModule rewrite_module    modules/mod_rewrite.so

The rewrite module (mod_rewrite.c) can be used as an effective way to automatically rewrite all HTTP (port 80) requests to HTTPS (port 443). This provides an effective way to ensure that all traffic to and from the IBM HTTP Server is encrypted over the Secure Sockets Layer (SSL) without having to use individual redirects or hard-coded HTTPS links.
  1. Add the following to the global scope or any port 80 VirtualHost stanzas defined within the httpd.conf configuration file.

    RewriteEngine on
    RewriteCond %{SERVER_PORT} =80
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}

  2. If you use the WebSphere plug-in, remove any port 80 VirtualHost attribute in the WebSphere plug-in configuration file. By doing so, any matching URI on port 80 is rejected by the plug-in and handled by the Web server's default-handler. At this point the RewriteEngine is able to rewrite the URL to HTTPS, and the request is then handled by the WebSphere plug-in's port 443 VirtualHost attribute associated with the requested URL.

    Examples: (Port 80 VirtualHost attributes)
    1. WebSphere Application Server V4, V5, V6 and V7:

      plugin-cfg.xml

      <VirtualHostGroup Name="default_host">
         <VirtualHost Name="*:80"/>
      </VirtualHostGroup>

    2. WebSphere Application Server V3.5:

      vhosts.properties

      123.45.67.89=default_host
      www.sitename.com=default_host
      127.0.0.1\:80=default_host

  3. Recycle both the IBM HTTP Server and WebSphere Application Server after making the preceding changes.

Important: If using HTTP authentication, make sure it is only configured for your SSL virtual host. If it also applies to your port 80 requests, the authentication challenge can pre-empt the rewrite, resulting in user IDs and passwords being sent over an unencrypted session.

It is also recommended that you configure your port 80 virtual host with a different document root, and so on, from your SSL virtual host. This ensures that even if your rewrite fails, sensitive information cannot be served from that virtual host over unencrypted sessions.
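
A small configuration check for the rewrite and the two caveats above, added here as an example (it is not IBM's code). The sample configuration, its /opt/example paths and the function name audit_httpd_conf are constructed for illustration; the scan is a heuristic that treats any VirtualHost address ending in :443 as the SSL virtual host and does not follow Include files.

```python
import re
AUTH_DIRECTIVES = {"authtype", "authname", "authuserfile", "authgroupfile"}

# Constructed sample: auth and DocumentRoot in global scope reach port 80 too.
WEAK_CONF = """\
DocumentRoot /opt/example/htdocs
<Directory /opt/example/htdocs>
    AuthType Basic
    AuthUserFile /opt/example/conf/users
</Directory>
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{SERVER_PORT} =80
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
    SSLEnable
</VirtualHost>
"""

def audit_httpd_conf(text):
    """Heuristic line scan of an httpd.conf; returns a list of finding strings."""
    findings, docroot, redirects, scope = [], {"global": None}, set(), "global"
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", raw.strip(), re.I)
        if opened or parts[0].lower() == "</virtualhost>":
            scope = opened.group(1).strip() if opened else "global"
            docroot.setdefault(scope, None)
            continue
        name, args = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if name in AUTH_DIRECTIVES and not scope.endswith(":443"):
            findings.append(f"line {n}: {parts[0]} applies outside the SSL virtual host ({scope})")
        elif name == "documentroot":
            docroot[scope] = args.strip().strip('"')
        elif name == "rewriterule" and "https://" in args and not scope.endswith(":443"):
            redirects.add(scope)
    root = lambda s: docroot[s] or docroot["global"]
    ssl_roots = {root(s) for s in docroot if s.endswith(":443")}
    # Port 80 is served by the non-SSL vhosts, or by global scope if there are none.
    plain = [s for s in docroot if s != "global" and not s.endswith(":443")] or ["global"]
    for s in plain:
        if root(s) is not None and root(s) in ssl_roots:
            findings.append(f"{s} shares DocumentRoot {root(s)} with the SSL virtual host")
        if s not in redirects:  # global rules are not inherited by a vhost by default
            findings.append(f"{s} has no RewriteRule sending requests to https://")
    return findings
```

Calling audit_httpd_conf(WEAK_CONF) reports the two inherited authentication directives and the shared document root; moving both into the *:443 stanza and giving *:80 its own DocumentRoot clears the findings.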
