Topic: How do you use mod_rewrite and mod_security correctly?

[ted.byers]

I have searched, using Google, but the signal to noise ratio thus far is terrible.

Maybe I am a bit dense, but, I have yet to figure out how to use mod_rewrite to ensure that all requests arriving at the server using http on ort 80 are redirected to use https on port 443. And, to make things interesting, I am setting up several virtual servers based on domain name, so I need ensure that a request coming in on http://www.example1.com gets redirected to https://www.example1.com and not https://www.example2.com (it may well be that being concerned about that means I don't fully understand how this module works).

The other thing I am interested in is how one can protect against things like SQL injection attacks. I read, recently, that this is possible, but none of the material I have found so far explains how to do it. Is there a general guide available somewhere regarding best practices for hardening a website making judicious use of mod_rewrite and mod_security (or any other module that is trustworthy)>

Thanks

Ted

[James Blond]

Inside the vhost of example1

[ted.byers]

Thanks James.

I tried that, and it worked.

Do I have to add it to all virtual hosts, or can I do it globally (e.g. by, on Ubuntu, putting those lines in apache2.conf instead of each virtual host)?

Do these impinge on use of mod_security or on configuring forward and reverse proxies?

Thanks

Ted

[James Blond]

Well putting it in the global config would cause any vhost to use only SSL. If that is what you want than sure. The forcement of SSL does nothing to mod security.
Well if your forward and or reverse proxies do not run via https:// I recommend to put it in each vhost.
You can use mod macro that would make it much easier to maintain most of your vhosts.

How to use mod security other may answer. I don't use it at all.