[BlueOnyx:22010] Re: Issues with default web site 5209R

Michael Stauber mstauber at blueonyx.it
Fri May 4 12:48:21 -05 2018


Hi Sven,

I saw your ticket last night, but didn't get to it any sooner than this.
So let's talk about it here.

> We have *site1* that was acting as default Web site.
> 
> The site has a cgi/perl script that performs Cloaked URL redirects for
> URLs supported by the script (using MySQL Db). Since the yum update this
> no longer works, these URLs are redirected towards the BlueOnyx GUI
> Login page.

Correct. This is the new default behavior on BlueOnyx. We were having
tons of issues with Apache recently where HTTPS and HTTP requests were
arbitrarily ending up where they shouldn't end up in the first place.

Part of this is due to SNI, which allows us to use SSL on multiple
Vsites on the same IP. Now if someone uses HTTPS to connect to a Vsite
that doesn't have HTTPS, then the server will serve the certificate of
one of the Vsites that has SSL enabled on that IP. Depending on how
redirects are handled, it might even redirect the connection to the
other Vsites. It gets even more fishy if the first Vsite doesn't have
SSL enabled, but a later Vsite on the same IP does.

At the end of the day you end up with a real clusterfuck that's really
confusing the hell out of everyone and makes nobody happy.

That's why that update was introduced back then. In httpd.conf you now
do have this line:

PerlConfigRequire /etc/httpd/conf.perl/00-default-vsite.pl

That Perl script generates <VirtualHost> containers on the fly, which
are loaded before any other <VirtualHost> containers and therefore take
precedence.

On 5207R/5208R you get two new <VirtualHost> containers:

1.) A primary <VirtualHost> for HTTP that redirects to the GUI.

2.) A primary <VirtualHost> for HTTPS that redirects to the GUI.

On 5209R you also get new primary <VirtualHost>s (HTTP and HTTPS) for
every IP that's bound to the server. All of them redirect to the GUI.

That way we get a new standard-behavior: Direct IP access? Redirect to
GUI. HTTPS access to a VSite that has no SSL enabled? Redirect to the GUI.

No more confusion, as we now have a defined standard-behavior.

-- 
With best regards

Michael Stauber
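
The selection behaviour described in this message, as an added example that is not part of the original post and not BlueOnyx code: a simplified Python model of Apache's name-based <VirtualHost> matching, showing where an HTTPS request for a non-SSL Vsite lands before and after catch-all containers are loaded first. The IP, site names, labels and the `default.invalid` ServerName are constructed, and ServerAlias handling is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VHost:
    addr: str         # "ip:port" or "*:port", as in <VirtualHost addr>
    server_name: str  # ServerName of the container
    label: str        # constructed description of what it serves

def select_vhost(vhosts, ip, port, host):
    """Simplified model of Apache name-based vhost matching.

    1. Keep containers whose address matches ip:port exactly; only if
       none do, fall back to wildcard "*:port" containers.
    2. Among those, the first whose ServerName equals the requested
       name (Host header / SNI) wins.
    3. If no name matches, the FIRST container in config order wins.
    """
    exact = [v for v in vhosts if v.addr == f"{ip}:{port}"]
    pool = exact or [v for v in vhosts if v.addr == f"*:{port}"]
    if not pool:
        return None
    for v in pool:
        if v.server_name.lower() == host.lower():
            return v
    return pool[0]

# Constructed sample: site1 is HTTP-only, site2 has SSL, same IP.
IP = "192.0.2.10"
VSITES = [
    VHost(f"{IP}:80", "site1.example.com", "site1 (http)"),
    VHost(f"{IP}:80", "site2.example.com", "site2 (http)"),
    VHost(f"{IP}:443", "site2.example.com", "site2 (https)"),
]
# Catch-all containers loaded first, standing in for the generated ones.
DEFAULTS = [
    VHost(f"{IP}:80", "default.invalid", "redirect to GUI"),
    VHost(f"{IP}:443", "default.invalid", "redirect to GUI"),
]

def demo():
    req = (IP, 443, "site1.example.com")    # HTTPS to the non-SSL Vsite
    before = select_vhost(VSITES, *req)     # lands on site2's SSL container
    after = select_vhost(DEFAULTS + VSITES, *req)
    direct = select_vhost(DEFAULTS + VSITES, IP, 80, IP)  # bare-IP access
    named = select_vhost(DEFAULTS + VSITES, IP, 80, "site1.example.com")
    return before.label, after.label, direct.label, named.label

if __name__ == "__main__":
    print(demo())
```

On a live server, `httpd -S` prints the parsed virtual host table in load order, which shows which container is the default for each address and port.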


