Forum

Allow non-default ports for option 'RequireTLS'

Hiroki Hashimoto
21 April 2018, 20:00
We are very content running Hiawatha on every single node as a reverse proxy for locally hosted instances of software such as 'Monit', 'Netdata', and 'ARA records Ansible'. However, as Hiawatha runs on each single node to provide isolated monitoring/analysis services per node, we can't run it on regular HTTP/HTTPS ports such as 80/443 as it might conflict with a legitimate webserver running on an individual node if that happened to be the role assigned to that particular node. For this reason we run Hiawatha off of a non-default port in enforced TLS mode.

RequireTLS does not deal with non-default ports other than 80/443, as far as I've understood correctly. Would it be possible to allow RequireTLS to work with non-default ports as well? Either by default or by adding a configuration directive to specify which ports it should force HTTPS on.

Thank you for all your work on this great tiny and secure webserver!

Hiroki
Hugo Leisink
21 April 2018, 20:45
No, RequireTLS always redirects to the default HTTPS port. Switching to another port means that the client will make a new connection, which means another binding will be used. It's a bit of a hassle to determine which binding that will be. For those exceptional situations, you can use a UrlToolkit rule instead:
UrlToolkit {
    ToolkitID = to_https
    UseTLS Return
    Match ^/(.*) Redirect https://www.domain.tld:<port>/$1
}
Hiroki Hashimoto
21 April 2018, 23:34
Thank you for the suggestion! I've tried it out, however to no avail. I've tried adjusting certain configuration directives such as 'RequiredCA', 'RequiredBinding', 'RequireTLS', just to see if they might be influencing the UrlToolkit rules. The behaviour however was the same: when accessing 'http://www.domain.tld:<port>/' it does not redirect me to 'https://www.domain.tld:<port>/'. Instead, my browser sits there unable to view the site. No entry in the Hiawatha access logs appears either. However, while having a tcpdump running in the background, I do see the HTTP request coming in over the wire.

See the following two main configuration file snippets (couldn't paste them here in a code block as it was marked spam) that are in play, perhaps I've made an error somewhere?

/etc/hiawatha_sal/hiawatha.conf -> https://ptpb.pw/APo4Cbh8LdCG_N-ylm6GqUxYqEnW/bash
/etc/hiawatha_sal/virtual-hosts/node.subnetwork.branch.domain.tld-444 -> https://ptpb.pw/AFYBhx7ymaCAWq0LsJdL4XgskF2o/bash
Hugo Leisink
25 April 2018, 13:58
I tested the UrlToolkit I provided. It works as intended. Did you set 'UseToolkit = to_https' in your (virtual) host configuration?
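A complete configuration that puts Hugo's two replies together (the UrlToolkit rule and the UseToolkit directive in the virtual host), added here as an example and not taken from the thread or from the Hiawatha project. It assumes a plain-HTTP binding on port 8080 and a TLS binding on port 444 (both constructed values), a certificate at /etc/hiawatha/serverkey.pem, and a locally hosted Monit instance on 127.0.0.1:2812; the toolkit can only redirect a request that Hiawatha actually receives as plain HTTP, so the non-TLS binding is what makes the redirect reachable.

```conf
# Added example, not from the original thread. Port numbers, certificate
# path and backend address are constructed values for illustration.

# Plain-HTTP binding: requests arriving here are redirected by the toolkit.
Binding {
    Port = 8080
}

# TLS binding on the non-default port the redirect points to.
Binding {
    Port = 444
    TLScertFile = /etc/hiawatha/serverkey.pem
}

# Defined before the virtual host that references it.
UrlToolkit {
    ToolkitID = to_https
    # Request already came in over TLS: stop processing, serve as normal.
    UseTLS Return
    # Otherwise send the client to the TLS binding on the same host.
    Match ^/(.*) Redirect https://www.domain.tld:444/$1
}

VirtualHost {
    Hostname = www.domain.tld
    WebsiteRoot = /var/www/empty
    # Without this line the toolkit is never applied to this host.
    UseToolkit = to_https
    # Reverse proxy to the local monitoring service (assumed Monit port).
    ReverseProxy .* http://127.0.0.1:2812
}
```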
Hiroki Hashimoto
25 April 2018, 14:01
Hi Hugo, yes I did, see 'https://ptpb.pw/AFYBhx7ymaCAWq0LsJdL4XgskF2o/bash#L-64'. (And also line #9)
Hugo Leisink
25 April 2018, 14:11
The UrlToolkit works as intended, so there must be some other cause. What exactly goes wrong?
This topic has been closed.