[BlueOnyx:27045] Re: 5209R to 5210R, 2 things noticed

Tomohiro Hosaka bokutin at gmail.com
Thu Jun 13 04:16:03 -05 2024


Hi Michael,

On 2024-05-30 05:32, Michael Stauber via Blueonyx wrote:
>>>> 5209R
>> http -> http
>
> Sadly that's not possible if the error page is served by the GUI. On 5210R and 5211R the GUI only runs on HTTPS and HTTP there is just a redirect to HTTPS.
>
> If it needs to be HTTP -> HTTP then I have to get a bit creative. Like proxying the HTTPS error page via HTTP. Which is not a thrilling proposition, as HTTP -> HTTPS proxy via Apache is terrible. Or create a static HTML page that's being served. The latter sure is an option and much easier.
>
> I'll think about something.

I checked the flow.

When a Vsite is suspended, suspended.site is set to d--------- by
handlers/base/vsite/suspend.pl

# ls -ald /home/sites/*/
d--------- 5 root root 44  6月 10 13:11 /home/sites/suspended.site/

Hits below.
/etc/httpd/conf.perl/00-default-vsite.pl
$gui_url_rewrites = "    RewriteEngine On\n";
$gui_url_rewrites .= '    RewriteCond %{HTTP_HOST} ^([^:]+)' . "\n";
$gui_url_rewrites .= '    RewriteCond %{DOCUMENT_ROOT} !-d' . "\n";
$gui_url_rewrites .= '    RewriteRule .* https://%1:' . $GUI_PORT . '/gui/Forbidden403 [L,R]' . "\n";

Because of app.forceGlobalSecureRequests = true in /usr/sausalito/ui/chorizo/ci4/.env,
chorizo/ci4/vendor/codeigniter4/framework/system/CodeIgniter.php::force_https
is called.

We considered not applying forceGlobalSecureRequests only to error
pages, but decided on a simpler approach.

--- /etc/httpd/conf/httpd.conf.orig   2024-06-10 03:17:51.276566341 +0900
+++ /etc/httpd/conf/httpd.conf  2024-06-13 17:45:06.614283665 +0900
@@ -335,6 +336,8 @@
 #EnableMMAP off
 EnableSendfile on

+Include /etc/httpd/conf/static_forbidden.conf
+
 # Supplemental configuration
 PerlConfigRequire /etc/httpd/conf.perl/00-default-vsite.pl
 #
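
Review bot: The added Include line carries no comment saying why it is there or that it sits ahead of the PerlConfigRequire for 00-default-vsite.pl; a one-line comment above it would keep a later editor from moving or dropping it. The included file /etc/httpd/conf/static_forbidden.conf is not created by this diff, and a plain Include of a non-wildcard path that does not exist makes httpd fail at startup, so the file has to ship together with this change. The hunk header also shifts from old line 335 to new line 336, which points to one more added line earlier in httpd.conf that is not part of the posted diff.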

# cat /etc/httpd/conf/static_forbidden.conf
RewriteEngine On
RewriteCond %{HTTP_HOST}      ^([^:]+)
RewriteCond %{DOCUMENT_ROOT}  !-d
RewriteRule ^                 - [L,F]

% env lwp-request -S http://suspended.site/
GET http://suspended.site/
403 Forbidden
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle
the request.</p>
</body></html>


>>>> 5210R
>>>>       % lwp-request -Sd http://suspended.site/
>>>>       GET http://suspended.site/
>>>>       302 Found
>>>>       GET https://suspended.site:81/gui/Forbidden403
>>              ^^^^^
>>>>       500 Can't connect to suspended.site:81 (hostname verification failed)
>
> Like said: That can be fixed in "Server Management" / "Maintenance" / "Server Desktop". Set the "Redirect to Server-Name" to enabled and save.
>
> But yeah: This shouldn't have been an issue to begin with.

This would give away the name of the real site even if they just came
to access the virtual site.



We have been preparing for the transition from 5209R to 5210R so as
not to impose a burden on users, but it appears that we are in the
final stages.

Thanks
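
The two behaviours discussed in this message, written as a regression check (an added example, not part of the original mail and not BlueOnyx code). The response chains are constructed from the lwp-request transcripts above; server.example.com is a placeholder for the real server name, and the function and finding names are made up for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
DEFAULT_PORT = {"http": 80, "https": 443}

def audit_suspended_probe(requested_url, hops):
    """Audit the response chain a client saw when probing a suspended vhost.

    hops is a list of (status, location) tuples in the order received;
    status None means the client could not complete that hop.
    Returns a list of findings; an empty list means a 403 was served in place.
    """
    requested = urlsplit(requested_url)
    current = requested
    findings = []
    for status, location in hops:
        if status in REDIRECTS and location:
            target = urlsplit(location)
            if target.scheme != current.scheme:
                findings.append(f"scheme-change:{current.scheme}->{target.scheme}")
            # A redirect to another hostname tells the visitor which server hosts the site.
            if target.hostname != requested.hostname:
                findings.append(f"host-disclosed:{target.hostname}")
            if target.port not in (None, DEFAULT_PORT.get(target.scheme)):
                findings.append(f"nonstandard-port:{target.port}")
            current = target
    final_status = hops[-1][0] if hops else None
    if final_status is None:
        findings.append("final-status:no-response")
    elif final_status != 403:
        findings.append(f"final-status:{final_status}")
    return findings

# Constructed sample chains (not captured traffic).
URL = "http://suspended.site/"
STATIC_403 = [(403, None)]                                    # static rule: answered in place
GUI_REDIRECT = [(302, "https://suspended.site:81/gui/Forbidden403"),
                (None, None)]                                 # client gave up: hostname verification
SERVER_NAME_REDIRECT = [(302, "https://server.example.com:81/gui/Forbidden403"),
                        (403, None)]                          # placeholder server name

if __name__ == "__main__":
    for label, hops in (("static 403", STATIC_403),
                        ("GUI redirect", GUI_REDIRECT),
                        ("redirect to server name", SERVER_NAME_REDIRECT)):
        print(label, audit_suspended_probe(URL, hops))
```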


