• HTTP to HTTPS redirection uses wrong URI for wildcard certs


    ptr727
    • Solved Minor

    Unraid 6.7.0

    Server name is Server-2, local TLD is set to "home.insanegenius.net".

    Static IP, DNS entry for server-2.home.insanegenius.net.
    I am using my own wildcard certificate for *.home.insanegenius.net.

    CN = *.home.insanegenius.net
    OU = PositiveSSL Wildcard
    OU = Domain Control Validated
    I copy my PEM file to config/ssl/certs/certificate_bundle.pem

    This server is called server-2.home.insanegenius.net.
    When I access https://server-2.home.insanegenius.net all is well, and it uses the *.home.insanegenius.net certificate as expected.

    When I access http://server-2.home.insanegenius.net, I get a 302 redirect, and the browser tries to open https://%2A.home.insanegenius.net/.
    I use Google Chrome developer tools, and I can see the 302 redirect as follows:

    Request:
    Request URL: http://server-2.home.insanegenius.net/
    Request Method: GET
    Status Code: 302 Moved Temporarily
    Remote Address: 192.168.1.36:80
    Referrer Policy: no-referrer-when-downgrade
    
    Response:
    Connection: keep-alive
    Content-Length: 154
    Content-Type: text/html
    Date: Thu, 16 May 2019 15:56:28 GMT
    Location: https://*.home.insanegenius.net:443/
    Server: nginx

    Nginx incorrectly returns an invalid URI, "https://*.home.insanegenius.net:443", instead of the correct "https://server-2.home.insanegenius.net".


    When I look in the Nginx emhttp-servers.conf file, I can see that whatever code generated this config created an invalid 302 redirect target.

    server {
        #
        # Redirect http requests to https
        #
        listen *:80 default_server;
        listen [::]:80 default_server;
        return 302 https://*.home.insanegenius.net:443$request_uri;
    }
    It looks like the logic incorrectly uses the SSL cert CN instead of the server FQDN.

    The logic should be fixed, or the problem can be avoided by using something generic like "return 302 https://$host$request_uri;"


    Recommended Comments

    I don't use wildcard certs so I can't fully test this myself, but give this a shot:
    • SSH to the server (don't use the web console for this; either use SSH or an actual console).

    • Type this to temporarily modify rc.nginx:
      sed -i '/HOSTSSL=$(openssl/a HOSTSSL=${HOSTSSL/\\*/$HOSTNAME}' /etc/rc.d/rc.nginx

      This adds a new line to the script that says: if the HOSTSSL variable contains a '*', replace the '*' with the server's HOSTNAME; if it doesn't contain a '*', do nothing. That should change '*.home.insanegenius.net' to 'server-2.home.insanegenius.net'.

    • Type this to restart nginx with the new config file (again, don't issue this command if you are using the web console):
      /etc/rc.d/rc.nginx restart

    • Once that is done, please let me know the output of these commands, just to verify it did what I expect:
      hostname -s
      grep HOSTSSL /etc/rc.d/rc.nginx
      grep 302 /etc/nginx/conf.d/emhttp-servers.conf

    • If everything worked, when you visit either of these:
        http://server-2.home.insanegenius.net
        http://<IP Address>
      it should redirect you to:
        https://server-2.home.insanegenius.net

    • If you want to undo the change at this point, just reboot. Up until now, the change we made will not survive a reboot.

    • To make the change permanent, edit the /config/go file in the "flash" share (use a good editor that understands Unix line endings, like Notepad++ on Windows) and add these lines to the top of the file:
      # fix wildcard certificates
      sed -i '/HOSTSSL=$(openssl/a HOSTSSL=${HOSTSSL/\\*/$HOSTNAME}' /etc/rc.d/rc.nginx

    • Reboot and confirm that the redirects still work properly.

    • Note that if this functionality is ever added to stock Unraid you'd want to remove those two lines from your go script.
    Edited by ljm42
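As an added example, not code from this thread or from Unraid's own rc.nginx script: a small POSIX shell script that reproduces the two halves of the discussion above, the broken `return 302` line that results when a wildcard CN is used as the redirect host in ptr727's report, and the wildcard-to-hostname substitution that ljm42's sed line injects (written here with a `case` and `${var#pattern}` so it runs under plain sh rather than bash). It adds a validity check that would have caught the bad `Location` header before the config was written. The `cert_cn` helper, the assumption that the `openssl` CLI is installed, and the sample values are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Unraid's rc.nginx): derive the
# HTTP->HTTPS redirect host from a certificate CN that may be a wildcard.

# Pull the CN out of a PEM certificate. Assumes the openssl CLI is present;
# -nameopt RFC2253 prints the subject on one line as comma-separated key=value pairs.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# If the certificate host starts with "*.", substitute the server's short
# hostname for the wildcard label; otherwise return it unchanged. This is the
# POSIX equivalent of the bash ${HOSTSSL/\*/$HOSTNAME} substitution in the fix above.
resolve_redirect_host() {
    cert_host=$1
    short_name=$2
    case "$cert_host" in
        '*.'*) printf '%s.%s\n' "$short_name" "${cert_host#"*."}" ;;
        *)     printf '%s\n' "$cert_host" ;;
    esac
}

# Build the nginx "return" directive. $request_uri is an nginx variable and
# must land in the config file literally, so it sits inside single quotes here.
nginx_redirect_line() {
    printf 'return 302 https://%s:443$request_uri;\n' "$1"
}

# Sanity check before writing the config: a '*' is never valid in the host
# part of a Location header, and neither is an empty host.
redirect_host_is_valid() {
    case "$1" in
        ''|*'*'*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Demonstration with constructed values matching the report above.
cn='*.home.insanegenius.net'                     # what the cert CN yields
fixed=$(resolve_redirect_host "$cn" server-2)    # server-2 stands in for $(hostname -s)
echo "from wildcard CN : $(nginx_redirect_line "$cn")"     # the broken directive
echo "from resolved FQDN: $(nginx_redirect_line "$fixed")"  # the corrected one
redirect_host_is_valid "$cn"    || echo "rejected: $cn"
redirect_host_is_valid "$fixed" && echo "accepted: $fixed"
```

On a real box the `fixed` value would come from `resolve_redirect_host "$(cert_cn /path/to/certificate_bundle.pem)" "$(hostname -s)"` (the path is a placeholder); running `redirect_host_is_valid` on the result before emitting the `return 302` line is the check the generator in emhttp-servers.conf was missing.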