Converting an Apache conf to an OpenLiteSpeed conf file - virtualhost

I have this Apache conf file below, but after reading a lot, I simply have no clue how to turn it into an OpenLiteSpeed conf file.
It uses a reverse proxy, as I want to have a React site running.
I'm using aaPanel; it does not support Node.js out of the box, but I now have it running. I just can't connect to it (I get a 403 Forbidden page), but I think I "just" need this file converted.
Looking over the documentation, I find no similarities to start from, unless someone has a link where I can read about Apache -> OpenLiteSpeed so I can actually understand how to rewrite these lines.
<VirtualHost *:443>
ServerAdmin admin#site_name_dk
DocumentRoot "/www/wwwroot/mysite.dk"
ServerName 443.site_name_dk
ServerAlias mysite.dk
#errorDocument 404 /404.html
ErrorLog "/www/wwwlogs/site_name_dk-error_log"
CustomLog "/www/wwwlogs/site_name_dk-access_log" combined
#SSL
SSLEngine On
SSLCertificateFile /www/server/panel/vhost/cert/site_name_dk/fullchain.pem
SSLCertificateKeyFile /www/server/panel/vhost/cert/site_name_dk/privkey.pem
SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
#DENY FILES
<Files ~ (\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md|package.json|package-lock.json|\.env)$>
Order allow,deny
Deny from all
</Files>
#SSL
ProxyPass /.well-known/ !
# HTTP reverse proxy related settings begin >>>
<IfModule mod_proxy.c>
ProxyRequests Off
SSLProxyEngine on
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
</IfModule>
# End of HTTP reverse proxy related settings <<<
</VirtualHost>
There is also one for port 80, but the only change is the port number, so that is no problem.
So any help, even just getting started, would be appreciated.

Related

Apache reverse proxy error on firefox : SSL_ERROR_RX_RECORD_TOO_LONG

I'm stuck with my Apache config
Situation
I have a Node chat web app and a phpmyadmin running on the same debian VPS server. Node runs on :3000 and phpmyadmin on :443.
The server base url on :443 is currently displaying phpmyadmin login page and the chat app can be accessed on IP:3000 (https)
Each have their own SSL cert and https is working without issues on both of them separately
Goal
What I'm trying to do is set up an Apache reverse proxy to forward requests from a clean URL (like chat.domain.com) to my Node app while keeping phpmyadmin on its own dedicated subdomain (vps.domain.com).
like so :
internet (chat.domain.com on :443) -> reverse proxy -> node app running on :3000
internet (vps.domain.com on :443) -> reverse proxy -> phpmyadmin
Issue
Redirection does not work at all.
Firefox shows an error page with SSL_ERROR_RX_RECORD_TOO_LONG (ERR_SSL_PROTOCOL_ERROR on Chrome). As far as I understand it is telling me that I can't redirect to a service running on a different port than :443
I need secure https for both of my services (phpmyadmin and chat) but can only run one of them on :443 since one is Apache and the other is Node. They each have their own routing system.
What I've considered
I'm not sure if what I'm trying to do is possible with Apache and this setup. I'd like to run my main app on :443 but then PMA would have to be moved to another port and. Alternatively I could run several servers for cleaner separation of services. I could also use Docker containers, but I don't think this should be necessary here.
Not sure which solution is the most appropriate. I just wanted to do some basic redirections.
Setup config :
Including relevant information about my config in this section.
Apache version : Apache/2.4.53 (Debian)
rewrite and proxy mods are enabled
apachectl configtest -> Syntax OK
vHosts :
default http -> https redirection
# 000-default.conf
<VirtualHost *:80>
ServerName default.domain.me
Redirect / https://localhost:443
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
reverse proxy vhost
# reverse_proxy.conf
<VirtualHost chat.domain.me:443>
ServerName rproxy.domain.me
# ProxyPreserveHost On
ProxyRequests Off
# chat
ProxyPass / https://localhost:3000/
ProxyPassReverse / https://localhost:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
PMA vhost
# phpmyadmin.conf
<VirtualHost _default_:443>
ServerName phpmyadmin.domain.me
DocumentRoot /usr/share/phpmyadmin
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vps.domain.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vps.domain.me/privkey.pem
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
# Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
Require all granted
# limit libapache2-mod-php to files and directories necessary by pma
<IfModule mod_php7.c>
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
</IfModule>
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
Require all denied
</Directory>
ErrorLog ${APACHE_LOG_DIR}/phpmyadmin/error.log
CustomLog ${APACHE_LOG_DIR}/phpmyadmin/access.log combined
</VirtualHost>
# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite # don't know if secret. didn't include.
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Let me give you some possible solutions.
1) Changing the virtual host tag, i.e. from <VirtualHost chat.domain.me:443> to <VirtualHost _default_:443>
2) Setting the ports.conf file as follows
Listen 80
Listen 443 https
execute a2ensite default-ssl
Finally, let me give you an example that I have:
ServerName abc.com
ServerAdmin webmaster#abc.com
<Proxy *>
Require all granted
</Proxy>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8181/
ProxyPassReverse / http://127.0.0.1:8181/
ErrorLog ${APACHE_LOG_DIR}/abc.com.error.log
CustomLog ${APACHE_LOG_DIR}/abc.com.access.log combined
SSLCertificateFile /etc/letsencrypt/live/abc.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
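An added example, not part of the original posts: a small Python check that scans vhost blocks like the ones in the question above for two mismatches. A `:443` vhost with no `SSLEngine on` makes Apache answer plain HTTP on the TLS port, which browsers report as SSL_ERROR_RX_RECORD_TOO_LONG, and a `ProxyPass` to an `https://` backend needs `SSLProxyEngine on`. The sample config is constructed from the question's files; `audit`, `directives` and `is_on` are hypothetical helper names.

```python
import re

# Constructed sample, modelled on reverse_proxy.conf and phpmyadmin.conf above.
SAMPLE = """\
<VirtualHost chat.domain.me:443>
    ServerName rproxy.domain.me
    # ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / https://localhost:3000/
    ProxyPassReverse / https://localhost:3000/
</VirtualHost>
<VirtualHost _default_:443>
    ServerName phpmyadmin.domain.me
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/vps.domain.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vps.domain.me/privkey.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def directives(body):
    """Map lowercased directive name -> list of argument strings.
    Comments and section tags are skipped; nested sections are flattened."""
    found = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith(("#", "<")):
            continue
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found


def is_on(d, name):
    """True when the directive is present with the value 'on' (any case)."""
    return any(arg.strip().lower() == "on" for arg in d.get(name, []))


def audit(conf):
    """Return (vhost address, finding) tuples for TLS/proxy mismatches."""
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        addr, d = addr.strip(), directives(body)
        # Include files are not followed, so say so when one is present.
        hint = " (unless set in an Include'd file)" if "include" in d else ""
        if any(a.endswith(":443") for a in addr.split()) and not is_on(d, "sslengine"):
            findings.append((addr, "port 443 without 'SSLEngine on': plain HTTP is served" + hint))
        if is_on(d, "sslengine") and "sslcertificatefile" not in d:
            findings.append((addr, "SSLEngine on but no SSLCertificateFile" + hint))
        if any("https://" in a for a in d.get("proxypass", [])) and not is_on(d, "sslproxyengine"):
            findings.append((addr, "https:// ProxyPass target without 'SSLProxyEngine on'" + hint))
    return findings


if __name__ == "__main__":
    for addr, msg in audit(SAMPLE):
        print(f"{addr}: {msg}")
```

Run against the sample, both findings land on the chat.domain.me:443 vhost and the phpMyAdmin vhost passes. `Include` targets are not read, so a vhost that takes its SSL settings from an included file is reported with a hint to check that file.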

Installed SSL on Apache server, page not responding

My question is about SSL installation. I purchased a new SSL for a website that's hosted on an Ubuntu 16.04 box with Apache 2.4.29. I was able to get this installed and I'm not getting any errors but my page is not redirecting. I've followed some guides (DigitalOcean) but feel as if I'm missing something.
I have checked the sites-available files (000-default.conf, default-ssl.conf & example.com.conf) and I'm not seeing anything that's catching my eye, but I feel I might be missing something. I've checked the status of Apache and I'm not getting any errors and I've restarted the services several times to no avail.
Here's a general breakdown of what I have. Am I missing something? Is additional information required for setting this up?
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
Redirect "/" "https://example.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
SSLCertificateFile /root/example.com.crt
SSLCertificateKeyFile /root/www.example.com.key
SSLCACertificateFile /root/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
mydomain.com.conf
<VirtualHost *:443>
ServerAdmin admin#somedomain.com
ServerName mydomain.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/html
Redirect permanent / https://example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Here is my attempt at a combined configuration. Note that I do not have your setup to test it, but I have used similar configurations on production servers.
First define your port 80 VirtualHost (000-default.conf in your setup):
Listen 80
<VirtualHost *:80>
Redirect "/" "https://example.com/"
LogLevel debug
ErrorLog "${APACHE_LOG_DIR}/80_error.log"
CustomLog "${APACHE_LOG_DIR}/80_access.log" combined
</VirtualHost>
No need for a DocumentRoot since you redirect everything.
Then comment out default-ssl.conf. This file is an example of what you could do to set up an SSL-enabled VirtualHost. If you use that file AND another VirtualHost on port 443, this one will always be used, since Apache uses the first VirtualHost it finds that matches the client's request (here port 443).
Another point: VirtualHosts are not "added" to one another. Each is independent of the others and must contain a complete configuration. This means you cannot put some configuration in one VirtualHost on port 443, and some in another, and expect it to work.
Then create your example.com.conf file:
Listen 443
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin#example.com
SSLCertificateFile "/root/example.com.crt"
SSLCertificateKeyFile "/root/example.com.key"
SSLCACertificateFile "/root/intermediate.crt"
LogLevel debug
ErrorLog "logs/443_error_log"
CustomLog "logs/443_access_log" combined
DocumentRoot "/var/www/example.com/html"
DirectoryIndex index.html
<Directory "/var/www/example.com/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Some notes:
I put the LogLevel at debug, so you can troubleshoot, but once it is working, change it to error. Otherwise you will have huge log files quickly!
For the same reason, I split the logs for port 80 and port 443. Each VirtualHost should have its own logs.
The certificate files must match the domain name. Not the filename (although it makes it easier to match), but the certificate itself.
If you want your certificate to cover example.com and www.example.com, both names must be added to the alternate names in the certificate.
I do not understand why you have Redirect permanent / https://example.com in your configuration. You are already in the https, port 443 VirtualHost.
The options based on <FilesMatch> directives in the default ssl configuration can be added if you want.
This setup will ensure that all http requests will be redirected to https://example.com. Then it will use the :443 VirtualHost, use the proper certificate for that domain and serve the content from the DocumentRoot directory.

Hide back-end server address using Apache configuration

I'm trying to hide my Kallithea back-end server (which is useful to manage Git/Mercurial repositories) address by using an Apache rule. I have a URL redirect from https://sub.domain1.com/gitrepos to https://sub.domain2.com/.
Atm, when I try to access https://sub.domain1.com/gitrepos/path/to/repo, it redirects to https://sub.domain2.com/path/to/repo
I'm looking for a way to hide the second server address. I'd like to access https://sub.domain1.com/gitrepos/path/to/repo without being explicitly redirected to https://sub.domain2.com/path/to/repo
I made some attempts with the Apache configuration, but it is not working, and I'm not sure if it is something that I can handle on the back-end server side or if this is something that can be handled on the server that actually redirects.
Here is my current configuration:
<VirtualHost *:80>
ServerName git-domain2.com
ServerAlias git-domain2
Redirect permanent / https://git-domain2.com/
</VirtualHost>
<VirtualHost *:443>
ServerName git-domain2.com
ServerAlias git-domain2
<Proxy *>
Require all granted
</Proxy>
ProxyPreserveHost On
ProxyPass /gitrepos http://domain2.com:5000/ connectiontimeout=20 timeout=300
ProxyPassReverse /gitrepos http://domain2.com:5000/
#kallithea instance
ProxyPass / http://domain2.com:5000/ connectiontimeout=20 timeout=300
ProxyPassReverse / http://domain2.com:5000/
#to enable https use line below
SetEnvIf X-Url-Scheme https HTTPS=1
#LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/domain2.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.com.key
</VirtualHost>
Thanks for any help.

ProxyPass or ProxyPassReverse redirect is adding my port to traffic

I have a virtual host in Apache that is giving me the fits. I am trying to point a secure external URL to a Maximo Java Virtual machine within our network via Apache.
Here is my virtual host from the conf file.
<VirtualHost 5.5.5.5:443>
ServerName maximolink.mydomain.com
SSLProxyEngine On
SSLEngine on
# Turn on SSL
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
# Path to DigiCert Certificate
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/certs/DigiCertCA.crt
# Path to gafoc certificate
SSLCertificateFile /etc/httpd/conf/ssl.crt/certs/star_gafoc_com.crt
# Path to SSL key generated during creation of CSR
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/maximolink.mydomain.com.key
ProxyRequests Off
ProxyPreserveHost On
ProxyVia full
EnableSendFile On
EnableMMAP On
RewriteEngine On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Turn on the proxy
ProxyPass / https://internalmaximoserver.mydomain.com:9451/
ProxyPassReverse / https://internalmaximoserver.mydomain.com:9451/
CustomLog /var/log/httpd/ssl-access.log combined
ErrorLog /var/log/httpd/ssl-error.log
<Location />
#ProxyPassReverse /
Order allow,deny
allow from all
</Location>
</VirtualHost>
The results are as follows. When I go to:
https://maximolink.mydomain.com/maximo/
Some traffic begins to pass between the servers (images, html), but eventually the file paths begin to request and pass as
https://maximolink.mydomain.com:9451/maximo/
I am not sure how to stop the 9451 from being attached to the URL during the passing of the traffic.
Okay I had to adjust the conf file by having it listen on 9451 and set a named virtual host. Here is the updated code:
Listen 9451
NameVirtualHost 5.5.5.5:9451
<VirtualHost 5.5.5.5:443 5.5.5.5:9451>
ServerName maximolink.mydomain.com
SSLProxyEngine On
SSLEngine on
# Turn on SSL
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
# Path to DigiCert Certificate
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/certs/DigiCertCA.crt
# Path to gafoc certificate
SSLCertificateFile /etc/httpd/conf/ssl.crt/certs/star_gafoc_com.crt
# Path to SSL key generated during creation of CSR
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/maximolink.mydomain.com.key
ProxyRequests Off
ProxyPreserveHost On
ProxyVia full
EnableSendFile On
EnableMMAP On
RewriteEngine On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Turn on the proxy
ProxyPass / https://internalmaximoserver.mydomain.com:9451/
CustomLog /var/log/httpd/ssl-access.log combined
ErrorLog /var/log/httpd/ssl-error.log
<Location />
ProxyPassReverse /
Order allow,deny
allow from all
</Location>
</VirtualHost>
This seems to work. Good Luck!

Apache 2.2 SSLCADNRequestFile Option

I'm configuring my Apache server on RHEL5 with httpd 2.2.3. Users authenticate using a smartcard with several certificates, but we want to limit the choices the browser displays to a specific one. We've figured out how to do this by using SSLCADNRequestFile set to a .pem containing the intermediate chain of that specific type of certificate.
The problem is that we have multiple name-based virtualhosts defined on a single IP. It appears that Apache sends the response to the browser on which certificates it accepts based on the first vhost on that IP, even if the servername does not match. So unless I define SSLCADNRequestFile in the first vhost or at the server level, I cannot limit the certificate choices. Additionally, every other vhost is impacted by this setting.
Is there a way to use a name-based vhost and define the SSLCADNRequestFile per vhost? My configuration is a little different, so there could be other issues at play, below is roughly my config.
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/private.key
SSLCACertificateFile /etc/pki/tls/certs/root-certs.pem
SSLCADNRequestFile conf.d/certs-email-only.pem
SSLVerifyClient none
SSLVerifyDepth 2
SSLOptions +ExportCertData
DocumentRoot /var/www/mysite
ServerName www.mysite.com
DirectoryIndex main.html
ProxyPass /api/login ajp://localhost:8009/backend/login
ProxyPassReverse /api/login ajp://localhost:8009/backend/login
Alias /login /var/www/login
<Directory /var/www/login>
DirectoryIndex login.html
</Directory>
ProxyPass /logout ajp://localhost:8009/backend/logout
ProxyPassReverse /logout ajp://localhost:8009/backend/logout
<Location /api>
SSLVerifyClient require
ProxyPass ajp://localhost:8009/backend
ProxyPassReverse ajp://localhost:8009/backend
ProxyPassReverseCookiePath /backend /api
ProxyPassReverseCookieDomain localhost www.mysite.com
</Location>
</VirtualHost>
<VirtualHost *:443>
# VirtualHost impacted by the SSLCADNRequestFile in the above vhost
</VirtualHost>