⚓ T95164 Apache slash expansion should not redirect from HTTPS to HTTP

Subject	Repo	Branch	Lines +/-
doc: fix Apache redirects to use https	operations/puppet	production	+2 -12
integration: Apache turn DirectorySlash Off	operations/puppet	production	+6 -0
doc.wikimedia.org: fix DirectorySlash https->http	operations/puppet	production	+5 -1

Krinkle created this task.Apr 6 2015, 12:26 PM

Krinkle raised the priority of this task from to Needs Triage.

Krinkle updated the task description. (Show Details)

Krinkle added projects: Wikimedia-Apache-configuration, acl*sre-team.

Krinkle subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 6 2015, 12:26 PM

Krinkle mentioned this in rCIDR3530b851e919: Page: Use trailing slash to avoid redirect overhead.Apr 6 2015, 12:28 PM

Krinkle renamed this task from Apache slash expansion incorrectly redirects from HTTPS to HTTP to Apache slash expansion should not redirect from HTTPS to HTTP.Apr 6 2015, 12:39 PM

Krinkle set Security to None.

Andrew triaged this task as High priority.Apr 11 2015, 9:29 PM

Glaisher subscribed.Apr 13 2015, 5:18 PM

Krinkle mentioned this in T66627: lighttpd redirects URLs of directories without a trailing slash from https to http.Apr 23 2015, 4:23 AM

Change 206460 had a related patch set uploaded (by Dzahn):
integration: Apache turn DirectorySlash Off

https://gerrit.wikimedia.org/r/206460

gerritbot added a project: Patch-For-Review.Apr 24 2015, 9:11 PM

so either we just turn of DirectorySlash or if we care to keep it, we additionally add "manual" rewrite rules to replace that feature but with the right protocol. (RewriteCond %{REQUEST_FILENAME} -d .. RewriteRule ^(.+[^/])$ https://www.example.com/$1/ [R=301,L,QSA] )

Dzahn claimed this task.Apr 24 2015, 9:29 PM

Change 206832 had a related patch set uploaded (by Dzahn):
doc.wikimedia.org: fix DirectorySlash https->http

https://gerrit.wikimedia.org/r/206832

Dzahn lowered the priority of this task from High to Medium.Apr 29 2015, 1:58 AM

Change 206832 merged by Dzahn:
doc.wikimedia.org: fix DirectorySlash https->http

https://gerrit.wikimedia.org/r/206832

Dzahn mentioned this in rOPUP07c7f447ad3b: doc.wikimedia.org: fix DirectorySlash https->http.May 4 2015, 9:59 PM

fixed on doc.wm:

before: curl -vv https://doc.wikimedia.org/mediawiki-core
The document has moved <a href="http://doc.wikimedia.org/mediawiki-core/">here</a>

after: curl -vv https://doc.wikimedia.org/mediawiki-core
< HTTP/1.1 200 OK

Change 206460 merged by Dzahn:
integration: Apache turn DirectorySlash Off

https://gerrit.wikimedia.org/r/206460

Dzahn mentioned this in rOPUPf7c61c084223: integration: Apache turn DirectorySlash Off.May 4 2015, 11:35 PM

reverted on integration:

same config that works on doc.wm , but here:

after:
<h1>Forbidden</h1>
<p>You don't have permission to access /cover/cdb

back to:

curl -vv https://integration.wikimedia.org/cover
<p>The document has moved <a href="http://integration.wikimedia.org/cover/">here</a>.</p>

Is this due to .htaccess files that don't come from puppet competing with the global Apache config?

TLDR: i fixed it on doc.wikimedia.org but it should still be fixed on integration.wikimedia.org

• jcrespo removed a project: Patch-For-Review.Sep 8 2015, 10:35 AM

Restricted Application added a subscriber: Matanya. · View Herald TranscriptSep 8 2015, 10:35 AM

elukey subscribed.Feb 1 2016, 4:24 PM

hashar mentioned this in T139620: Move CI coverage reports out of integration.wikimedia.org to a new domain or doc.wm.o.Jul 19 2016, 8:23 PM

Krinkle unsubscribed.Jul 19 2016, 9:31 PM

elukey moved this task from Backlog to R&D needed on the Wikimedia-Apache-configuration board.Nov 16 2016, 9:16 PM

elukey moved this task from R&D needed to Testing needed on the Wikimedia-Apache-configuration board.

This comment has been deleted.

Dzahn added a project: Continuous-Integration-Infrastructure.Nov 17 2016, 12:03 AM

Dzahn added subscribers: hashar, thcipriani.

Nowadays:

curl https://integration.wikimedia.org/cover/cdb
<p>The document has moved <a href="https://doc.wikimedia.org/cover/cdb">here</a>.</p>

curl http://integration.wikimedia.org/cover/cdb/
... (nothing?) but in browser i get https://doc.wikimedia.org/cover/cdb/

curl https://integration.wikimedia.org/cover/cdb/
<p>The document has moved <a href="https://doc.wikimedia.org/cover/cdb/">here</a>.</p>

So it redirects to doc.wm.org and there is no more HTTPS to HTTP here

Dzahn closed this task as Resolved.Dec 22 2016, 8:39 PM

zhuyifei1999 mentioned this in T132136: Pywikibot documentation showing broken directory listing.Mar 23 2018, 1:27 AM

hashar mentioned this in T213509: doc.wikimedia.org urls without trailing slash respond with HTTP 403 Forbidden.Jan 11 2019, 7:54 AM

Change 483775 had a related patch set uploaded (by Hashar; owner: Hashar):
[operations/puppet@production] doc: fix redirect of dir lacking a trailing slash

https://gerrit.wikimedia.org/r/483775

gerritbot added a project: Patch-For-Review.Jan 11 2019, 3:05 PM

Change 483775 merged by Dzahn:
[operations/puppet@production] doc: fix Apache redirects to use https

https://gerrit.wikimedia.org/r/483775

DirectorySlash redirecting to http instead of canonical https is Upstream Apache bug 61355 - DirectorySlash directive should use protocol in X-Forwarded-Proto header when available. We fixed it by adding the protocol scheme in the ServerName: ServerName https://doc.wikimedia.org.

Apache slash expansion should not redirect from HTTPS to HTTP
Closed, ResolvedPublic
Actions

Description

Details

Related Objects

Event Timeline

Apache slash expansion should not redirect from HTTPS to HTTPClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Apache slash expansion should not redirect from HTTPS to HTTP
Closed, ResolvedPublic
Actions