Apache virtual host redirect issue [duplicate] - apache

This question already has answers here:
Is it possible to have SSL certificate for IP address, not domain name? [closed]
I'm trying to host a site on my server (Vultr). The site is live and I have a domain name from Namecheap pointed to it. I have used Let's Encrypt and have https for www.example.com and example.com.
I also have it set so when you enter the ip like: http://111.222.33.444 it directs to the secured domain name. So everything up to this point works just as I expected, but then I encounter this problem: if someone enters https:///111.222.33.444 the untrusted website warning page comes up. I want this to also just direct to https://example.com.
I have .conf files for http and https. I probably also have too much rubbish in these files, so probably need to write these more efficiently.
home.conf:
<VirtualHost *:80>
ServerAdmin admin@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/home
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerName 111.222.33.444
ServerAlias 111.222.33.444
UseCanonicalName Off
Redirect "/" "https://www.example.com/"
#ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
home-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/home
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
ServerName 111.222.33.444
ServerAlias 111.222.33.444
UseCanonicalName Off
Redirect "/" "https://www.example.com"
ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

This is nothing to do with Apache configuration; an SSL certificate has to be valid for the URL you request. From the point of view of the browser, following a redirect response requires exactly the same trust in the certificate as rendering some content from the response.
From a security point of view, imagine I intercept your wi-fi signal and respond to a request for https://www.facebook.com with a redirect to https://www.my-evil-hacking-site.com (or something less obvious). If the browser follows that redirect without checking the certificate I present, I've successfully defeated the security provided by the certificate validation.
From a technical point of view, note that a TLS (formerly known as SSL) connection is negotiated before any HTTP request is made at all, and the redirect you're trying to issue is an HTTP response. There actually had to be an extension to TLS to allow the requested hostname to be transmitted as part of that negotiation, to allow for multiple virtual hosts on one IP address. If the browser rejects the certificate the server offers at this stage, it will never send an HTTP request for you to respond to.
So, as far as the browser is concerned, you need to present a certificate which is valid for https:///111.222.33.444. See: Is it possible to have SSL certificate for IP address, not domain name? to which the answer is "Yes, but it's rare". Also note that Let's Encrypt do not issue such certificates.
The reason it's rare is that there's generally no reason for anyone to try to browse to https:///111.222.33.444 in the first place. Redirects are mostly just a convenience to the user, and certificate checks are about protecting the user, not protecting the server; so just leaving it as a certificate error is generally fine.
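The check the browser performs before any HTTP is exchanged can be modelled offline. This is an added example, not code from the answer: the certificate dictionary is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and 203.0.113.10 is a constructed documentation address standing in for the server IP, because the question's placeholder 111.222.33.444 is not a parseable IPv4 address.

```python
import ipaddress

# Constructed sample: a certificate issued only for the two DNS names,
# with no "IP Address" entry in its subjectAltName extension.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}


def _dns_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert, target):
    """Return True if target (host name or IP literal from the URL) is in the SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are compared only against iPAddress entries, never DNS ones.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_matches(value, target)
               for kind, value in sans)


def browser_outcome(cert, target):
    """Model the order of events: certificate check first, HTTP only afterwards."""
    if not cert_covers(cert, target):
        return "certificate warning; no HTTP request sent, Redirect never evaluated"
    return "handshake ok; HTTP request sent, Redirect can be answered"


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "203.0.113.10"):
        print(name, "->", browser_outcome(SAMPLE_CERT, name))
```

The same function also shows why a certificate issued for one subdomain does not cover a sibling subdomain unless that name, or a matching wildcard, is among its subject alternative names.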

Related

Certbot certificate not working even though it is valid

I'm using certbot to set up an ssl certificate on a domain (mydigitalbalance.com). I am changing the domain from a previous staging domain that I was using in order to do testing. In order to make sure there were no conflicts, I followed certbot's apache2 instructions and completely deleted all previous certificates that were on the server as well as certbot itself.
I re-installed certbot following the instructions, added two certificates for the naked domain and for www, and re-started apache.
However as you can see if you go to the URL, it is still showing as an insecure website.
I wanted to take a closer look at the certificate so in chrome I clicked on "Not Secure" in the url bar, and clicked on Certificate.
It says on the first dropdown that the certificate is invalid:
However, when you click into the certificate itself, it correctly says it's a valid cert and that it is not expired and was issued by Let's Encrypt:
What is happening here? How do I fix it?
I completely commented out all the default .conf information on my setup, and the only conf is for mydigitalbalance.com, here is my mydigitalbalance.conf:
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mydigitalbalance.com
ServerAlias www.mydigitalbalance.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mydigitalbalance.com [OR]
RewriteCond %{SERVER_NAME} =mydigitalbalance.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
and here is the mydigitalbalance-le-ssl.conf that was automatically generated when I restarted Apache:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName mydigitalbalance.com
ServerAlias www.mydigitalbalance.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.mydigitalbalance.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydigitalbalance.com/privkey.pem
</VirtualHost>
</IfModule>
Is this a propagation issue?

Redirecting http to https on raspberry pi

I have a web server on my Raspberry Pi; I bought my URL on strato.de and my DynDNS is on noip.com. The redirect from my URL to the Raspberry Pi works fine. Now I want to automatically redirect HTTP requests to HTTPS. For that I installed letsencrypt and created an SSL certificate file. I also enabled SSL on strato.de for my URL. I tested it with https://www.myurl.de/ and it works, but if I use http://www.myurl.de I get this error:
Network Error (tcp_error)
A communication error occurred: "Connection refused"
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
Transaction ID: b5151b4415351db8-000000008e3c905d-000000005c177c1e
For assistance, contact your network support team.
Your request was categorized by Blue Coat Web Filter as 'Dynamic DNS Host'.
If you wish to question or dispute this result, please click here.
It sounds to me as if something in the config files is wrong. So here is the content of my 000-default.conf and default-ssl.conf files.
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</IfModule>
</VirtualHost>
default-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/<noip-dyndns-name>.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<noip-dyndns-name>.com/privkey.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Does someone see the mistake I made?

Installed SSL on Apache server, page not responding

My question is about SSL installation. I purchased a new SSL for a website that's hosted on a Ubuntu 16.04 box with Apache 2.4.29. I was able to get this installed and I'm not getting any errors but my page is not redirecting. I've followed some guides (DigitalOcean) but feel as I'm missing something.
I have checked the sites-available files (000-default.conf, default-ssl.conf & example.com.conf) and I'm not seeing anything that's catching my eye, but I feel I might be missing something. I've checked the status of Apache and I'm not getting any errors and I've restarted the services several times to no avail.
Here's a general breakdown of what I have. Am I missing something? Is additional information required for setting this up?
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
Redirect "/" "https://example.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
SSLCertificateFile /root/example.com.crt
SSLCertificateKeyFile /root/www.example.com.key
SSLCACertificateFile /root/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
mydomain.com.conf
<VirtualHost *:443>
ServerAdmin admin@somedomain.com
ServerName mydomain.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/html
Redirect permanent / https://example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Here is my attempt at a combined configuration. Note that I do not have your setup to test it, but I have used similar configurations on production servers.
First define your port 80 VirtualHost (000-default.conf in your setup):
Listen 80
<VirtualHost *:80>
Redirect "/" "https://example.com/"
LogLevel debug
ErrorLog "${APACHE_LOG_DIR}/80_error.log"
CustomLog "${APACHE_LOG_DIR}/80_access.log" combined
</VirtualHost>
No need for a DocumentRoot since you redirect everything.
Then comment out default-ssl.conf. This file is an example of what you could do to setup an SSL enabled VirtualHost. If you use that file AND another VirtualHost on port 443, this one will always be used, since Apache uses the first VirtualHost it finds that matches the client's request (here port 443).
Another point: VirtualHosts are not "added" to one another. Each is independent of the others and must contain a complete configuration. This means you cannot put some configuration in one VirtualHost on port 443, and some in another, and expect it to work.
Then create your example.com.conf file:
Listen 443
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
SSLCertificateFile "/root/example.com.crt"
SSLCertificateKeyFile "/root/example.com.key"
SSLCACertificateFile "/root/intermediate.crt"
LogLevel debug
ErrorLog "logs/443_error_log"
CustomLog "logs/443_access_log" combined
DocumentRoot "/var/www/example.com/html"
DirectoryIndex index.html
<Directory "/var/www/example.com/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Some notes:
I put the LogLevel at debug, so you can troubleshoot, but once it is working, change it to error. Otherwise you will have huge log files quickly!
For the same reason, I split the logs for port 80 and port 443. Each VirtualHost should have its own logs.
The certificate files must match the domain name. Not the filename (although it makes it easier to match), but the certificate itself.
If you want your certificate to cover example.com and www.example.com, both names must be added to the alternate names in the certificate.
I do not understand why you have Redirect permanent / https://example.com in your configuration. You are already in the https, port 443 VirtualHost.
The options based on <FilesMatch> directives in the default ssl configuration can be added if you want.
This setup will ensure that all http requests will be redirected to https://example.com. Then it will use the :443 VirtualHost, use the proper certificate for that domain and serve the content from the DocumentRoot directory.
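A simplified model of name-based virtual host selection shows when the first VirtualHost on a port ends up serving a request. This is an added example, not Apache's code and not part of the answer; the vhost list and the name `host.example.net` are constructed, and every vhost is assumed to use the `*` address so that only the port narrows the candidates.

```python
from fnmatch import fnmatchcase

# Constructed vhosts in load order: (file, port, ServerName, [ServerAlias, ...]).
VHOSTS = [
    ("default-ssl.conf", 443, "host.example.net", []),
    ("example.com.conf", 443, "example.com", ["www.example.com"]),
    ("000-default.conf", 80, "host.example.net", []),
]


def normalise_host(host_header):
    """Lower-case the Host header and drop any :port suffix or trailing dot."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host[1:host.find("]")]
    return host.split(":", 1)[0].rstrip(".")


def select_vhost(vhosts, port, host_header):
    """Return the file whose vhost serves the request, or None if nothing listens."""
    candidates = [v for v in vhosts if v[1] == port]
    if not candidates:
        return None
    host = normalise_host(host_header)
    for name, _port, server_name, aliases in candidates:
        if host == server_name.lower():
            return name
        # ServerAlias entries may use * and ? wildcards.
        if any(fnmatchcase(host, alias.lower()) for alias in aliases):
            return name
    # No ServerName/ServerAlias matched: the first vhost for the port is the default.
    return candidates[0][0]


if __name__ == "__main__":
    for port, host in [(443, "example.com"), (443, "203.0.113.10"), (80, "example.com")]:
        print(port, host, "->", select_vhost(VHOSTS, port, host))
```

A request whose Host header is the bare IP address matches no name and falls through to the first vhost for that port, which is why the order of the files and the names they declare both matter.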

How disable direct ip access in Apache

I have a website with CloudFlare protection, seems good at too, but if you enter the original IP address of my server you can enter normally.
I'm using Apache (XAMPP) and SSL (https://)
I want something similar when you enter from the IP address with CloudFlare, which throws error 1003
Edit or create a default vhost and put this inside:
<VirtualHost *:80>
ServerName xxx.xxx.xxx.xxx
Redirect 403 /
DocumentRoot /var/www/html
</VirtualHost>
xxx.xxx.xxx.xxx is your server ip address
After that restart your apache
sudo a2ensite your-vhost.conf
sudo systemctl restart apache2
Hope that helps
You can verify if the domain received in the request matches your site domain. If not, force a redirection to the user. Like so:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www.example.com
RewriteRule (.*) https://www.example.com$1 [R=301,L]
So IP accesses will be forced back to the domain name.
Obviously, you could return anything, this is just one method I see often.
Under Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
I just copied my 000-default-ssl.conf as disable-ip.ssl.conf and put in the content below
cd /etc/apache2/sites-available
cp 000-default-ssl.conf disable-ip.ssl.conf
content of disable-ip.ssl.conf vhost file
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@localhost
ServerName localhost
# Replace XXX.XXX.XX.XX with the IP address of your web site
ServerAlias XXX.XXX.XX.XX
UseCanonicalName Off
Redirect 403 /
ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
then
a2ensite disable-ip.ssl.conf
service apache2 restart

Apache / Letsencrypt - redirecting to https not working on subdomains

I have a Ubuntu 16.04 VPS. I use Letsencrypt for my ssl certificates, when creating or creating a certificate, they ask if you want easy or secure access. Secure means it will redirect to https no matter what.
This works on the homepage, but it doesn't work on the subdomains. I am not redirected to https, and I just see my index.html, which is just the Apache default page.
So how do I fix this?
My Virtualhost:
<VirtualHost *:80>
ServerName school.luukwuijster.eu
Redirect / https://school.luukwuijster.eu
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/school.luukwuijster.eu/public/
<Directory /var/www/html/school.luukwuijster.eu/public/>
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =school.luukwuijster.eu
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
le-ssl:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName school.luukwuijster.eu
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/school.luukwuijster.eu/public/
<Directory /var/www/html/school.luukwuijster.eu/public/>
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =school.luukwuijster.eu
# Some rewrite rules in this file were were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/luukwuijster.eu-0003/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/luukwuijster.eu-0003/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
For some reason it's just not redirecting.
When I go to http://luukwuijster.eu I am redirected to https://luukwuijster.eu
So that works fine, but when I go to http://school.luukwuijster.eu I am not redirected and get to see the same page as on https://luukwuijster.eu
Of course, when I go to https://school.luukwuijster.eu I am not redirected, but I do see the right page.
How do I solve this problem?
Try to change line 3 from Redirect / https://school.luukwuijster.eu to RedirectPermanent / https://school.luukwuijster.eu/.
BTW currently your SSL cert is only valid for api.luukwuijster.eu. You should add school.luukwuijster.eu and all other domains you want to secure to your letsencrypt config.