Enable HTTPS mode for localhost
Posted by: Nicolaas (185.216.146.---)
Date: April 23, 2024 11:32AM

Hi - I saw that the Wampserver 3.3.5 adds the option to "Enable HTTPS mode for localhost" but I can't find an explanation of how to do this. Any help is much appreciated! Thanks to Otomatic for keeping Wampserver up-to-date! - Niels

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Otomatic (Moderator)
Date: April 23, 2024 11:39AM

Hi,

Always be a little curious! Right-click -> Help

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Nicolaas (92.118.60.---)
Date: July 15, 2024 04:38PM

Thanks Otomatic!

I embraced curiosity and found the "Wampserver 'automatic' HTTPS mode help". It's a great relief that you made the process 'automatic' as the descriptions online about generating keys and editing conf files look rather daunting.

I'm obviously not yet curious enough as I can't find the menu item

Right-click -> Wamp settings -> Wampserver ready to support https

I also checked under Left-click -> Apache -> Apache settings and anywhere else that seemed relevant but to no avail.

Can you please give me another nudge in the right direction? Enabling HTTPS has become more urgent since Apache 2.4.61 seems to insist on it - for non-secure pages my browser responds with "insecure download blocked".

Thanks for your help - and for keeping WampServer so wonderfully up-to-date and functional!

Niels

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Otomatic (Moderator)
Date: July 15, 2024 06:27PM

Hi,

> I can't find the menu item
> Right-click -> Wamp settings -> Wampserver ready to support https

HTTPS automatic mode has been supported since Wampserver 3.3.2, released on November 22, 2023.
Time to upgrade! We're now at Wampserver 3.3.6!

> since Apache 2.4.61 seems to insist on it - for non-secure pages
> my browser responds with "insecure download blocked.
It's not Apache that insists, but your browser. This can be set in the browser settings by telling it not to force HTTPS mode!

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Nicolaas (176.227.242.---)
Date: July 15, 2024 06:52PM

Hi Otimatic,

I always keep an eye on your excellent page at [wampserver.aviatechno.net] and am quick to install all updates - I've been on WampServer 3.3.5 since the day it came out. I've just updated to 3.3.6, released today, but still can't find the option

Right-click -> Wamp settings -> Wampserver ready to support https.

Under Right-click -> Wamp settings, I see the following options:

Wamp settings
Alias sub-menu
Show Adminer in menu
Show www folder in menu
Allow MySQL (ticked)
Allow MariaDB (ticked)
Wampserver Homepage at startup
Backup hosts file
Allow scrolling of lists on home page

Wampserver browser
(Chrome selected in submenu)

Check Virtualhosts definitions
(submenu doesn't contain the https support option)

Wampserver settings for Apache
(submenu doesn't contain the https support option)

Automatic cleaning
(submenu doesn't contain the https support option)

Caution! Risky! Only for experts
(I'm not an expert but dared to look... the submenu doesn't contain the https support option).

Do I perhaps need to enable some Apache module before the https support option appears under Right-click -> Wamp Settings?

As for the "insecure download blocked" message: that occurs when I use Wampserver with Apache 2.4.61 but not if the Apache version is 2.4.59. I tested in Chrome and Firefox without changing any browser settings. Doesn't that indicate that the error message has to do with the Apache version rather than the browser?

Thanks for your help (and patience)!

Niels

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Otomatic (Moderator)
Date: July 15, 2024 07:52PM

Hi,

You may have installed a previous update 3.3.2 to 3.3.5 by answering Yes to the question :
Quote
Wampserver Update
This update installs "Wampserver HTTPS SSL support
If you already have HTTPS support and to avoid any harmful interaction with "Wampserver HTTPS SSL mode", it is preferable to hide the possibility of installing "Wampserver HTTPS SSL support
Answering Yes only hides it temporarily. You can always unmask later.
Do you want to hide "Wampserver HTTPS SSL support
What to do:
- Quit Wampserver
- Edit the wamp64\wampserver.conf file with a real text editor like Notepad++, not Windows Notepad.
- In the [options] section, replace:
UseWampHttps = "off"
by
UseWampHttps = "on"
Save the modified file
Launch Wampserver.

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons



Edited 1 time(s). Last edit at 07/15/2024 08:48PM by Otomatic.

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Nicolaas (---.212.40.89.baremetal.zare.com)
Date: July 16, 2024 10:24AM

Thanks Otomatic - that did the trick! I can now switch my VirtualHosts from http to https. Your automated approach is so much easier than having to do this by hand - thanks for coding it!

I'm left with an Apache issue, introduced in version 2.4.61.

On both http and https VirtualHosts, if I follow a link a a website menu to another php page of the same site, the browser tries to download the php file rather than presenting it as a page. If I use http, this comes with an warming "insecure download blocked"; if I use https, the warning disappears (as the download is no longer insecure) but the browser still wants to download rather than display the page.

I'll look for a solution online - but if you know the easy answer, I'd love to hear it!

Many thanks for your help,

Niels

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Otomatic (Moderator)
Date: July 16, 2024 11:06AM

Hi,

It is often necessary to clear the browser cache, usually by pressing Ctrl-F5. Sometimes this operation has to be repeated.

With Apache 2.4.61, I don't have this problem on all my local sites, with Firefox, Opera, Chrome and Edge.

Of course, as indicated in the automatic HTTPS Wampserver help file, you need to override "Browser warning because self-signed certificate" depending on the browser you're using.

Possibly, see the anti-virus or anti-malware.

To be continued!

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Nicolaas (91.196.222.---)
Date: July 16, 2024 12:06PM

Thanks Otomatic!

Meanwhile I think I'm getting closer to the source of the "download instead of display" issue in Apache 2.4.61. It has to do with whether or not I use the page extension. For instance, if I visit [MyVirtualHost], the browser tries to download, but if I go to [MyVIrtualHost], it displays the page correctly.

I make sure the extensions "'.php" are not needed in my .htaccess using

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php

and checked that rewrite_module is enabled.

This works in Apache 2.4.59 - so there must have been a change in 2.4.61 that bloks it.

The search continues!

Niels

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Otomatic (Moderator)
Date: July 16, 2024 01:36PM

Hi,

We're going to try out a trick we had to do with Apache 2.4.60 (version removed due to regression) but which, in principle, was no longer necessary with Apache 2.4.61.

- Quit Wampserver
- Modify file wamp64\bin\apache2.4.61\conf\httpd.conf (with notepad++, not Windows notepad)
Just after line 464, which is :
    # or added with the Action directive (see below)
add the line :
    AddHandler application/x-httpd-php .php
to obtain:
    # or added with the Action directive (see below)
    AddHandler application/x-httpd-php .php

Save the modified file, then launch Wampserver.

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Nicolaas (91.196.222.---)
Date: July 16, 2024 02:12PM

Hi Otomatic,

That solves the problem - thanks so much!

If you have time, could you please explain why this trick is "in principle" no longer needed in 2.4.61 - but why it's still required for me? If my .htaccess is wrong, I'd better correct that...

And do you think a next version of Apache will make the "trick" unnecessary or will I need to edit the relevant httpd.conf file each time there is an Apache update?

Sorry - I'm aware I'm straying way off the original subect of this thread...

Your help is hugely appreciated!

Niels

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Otomatic (Moderator)
Date: July 16, 2024 03:40PM

Hi,

>If you have time, could you please explain why this trick is "in principle" no longer needed in 2.4.61
> - but why it's still required for me? If my .htaccess is wrong, I'd better correct that...
Between the various evolutions, modifications and fixes of Apache 2.4.61 there is in the changelog about the correction of vulnerabilities :
Quote
Changelog Apache 2.4.61
SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org)
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
are vulnerably to information disclosure, SSRF or local script
execution via backend applications whose response headers are
malicious or exploitable.

Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'AddHandler' after this fix.
The note may seem nebulous to the uninitiated, but it indicates that in some cases, AddType is not enough and that AddHandler is required. My own note is that the problem only arises with PHP as an Apache module and not with FCGI mode, since it already uses AddHandler.

> And do you think a next version of Apache will make the "trick" unnecessary
> or will I need to edit the relevant httpd.conf file each time there is an Apache update?
Don't worry, future versions of Apache will come with the "trick" built in winking smiley

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Options: ReplyQuote
Re: Enable HTTPS mode for localhost
Posted by: Nicolaas (---.175.37.89.baremetal.zare.com)
Date: July 16, 2024 03:52PM

Hi Otomatic,

That makes things a lot clearer, thanks. I had seen the Apache changelog but it's written in a language of which I understand only the very basics...

I'm happy that your "trick" will be included in future Apache versions!

Thanks and enjoy your day,

Niels

Options: ReplyQuote


Sorry, only registered users may post in this forum.