Apache2 on Debian ignores HTTPS variable

September 15th, 2011

After a couple of hours of hair pulling over a few lines of rewrite instructions for apache, my search for inaccurate regular expressions or logic ended with this bug report in the debian community. I’m sure this bug is addressed in some upstream distributions, and I’m also sure it’s not a critical issue, because there are other ways to accomplish the same task. Nonetheless, if you are using debian on your server, and seeing strange logical errors (probably infinite loops that shouldn’t exist, or failure to evaluate to true when you would expect), check to see if you are using the apache’s HTTPS variable.

If you are checking that HTTPS is off, your logic will be fine, as that is the default value for the variable (and the only value for the variable on some debian servers). However, if you are checking that HTTPS is on, your logic will fail, as the HTTPS variable is never set. I was rewriting to control shifting from SSL to non-SSL, and in some cases this caused infinite loops, in others, code simply failed to ever evaluate to true.

The solution is to use the SERVER_PORT variable instead. I have always considered this to be less appropriate, because if someone decides to listen for SSL over a non-standard port HTTPS still works but a SERVER_PORT=443 check will fail. Keeping in mind that your server may (although it’s unlikely) require a unique port, try changing your conditions as follows:

# RewriteCond %{HTTPS} off   ## Always true
# RewriteCond %{HTTPS} on   ## Never true
RewriteCond %{SERVER_PORT} ^443$   ## Evaluates as expected
RewriteCond %{SERVER_PORT} !^443$   ## Evaluates as expected

Nicholas Whittier

Nicholas is a developer who loves to figure out how things work. Whether it is an errant bash script, missing kernel drivers, CSS conflicts, a JRE incompatibility, an unsolved Rubik's cube, or anything in between, he wants to learn why it is broken and how to fix it. Additionally, Nicholas fancies GNU/Linux system administration, database administration, Java development, and web development. 

One Response to “Apache2 on Debian ignores HTTPS variable”

  1. Wow! Thank you! I permanently needed to write on my site something like that. Can I implement a fragment of your post to my site?

Leave a Reply