choose the right client certificate - https - ssl related - apache

I have this situation:
Apache web server configured for HTTPS connections and some vhosts. All of them are running well, no problems at all. Ubuntu 20.04 LTS.
One of these web sites, let's call it alfa.com, sends some messages via SOAP to a remote server (let's call it beta.com).
alfa.com exposes a Let's Encrypt certificate. Every user and check is OK, no problems with the certificate.
This same server, beta.com, sends responses and messages to alfa.com BUT beta.com requires a client certificate (exposed by alfa.com) which MUST be one they gave to me.
The cert required by beta.com cannot be used as the main cert for alfa.com because it has an untrusted CA and I cannot have my website show a "this site is insecure" warning...
How can I serve the Let's Encrypt cert to clients but StrangeCert to beta.com?
Any suggestion is helpful, except asking beta.com to give another cert; that is impossible.
Apache proxy? iptables? What else?

I found the solution!
Using iptables and the NAT chain, I'm able to redirect beta.com's SSL requests to another VirtualHost section of Apache, leaving the "other world" side untouched.
Each client on the web reaches alfa.com:443 and does the normal, perfect handshake with the Let's Encrypt certs.
Vhost config:
<VirtualHost *:443>
ServerName alfa.com
ServerAlias www.alfa.com
....
SSLCertificateFile /var/www/clients/client1/ssl/sitecert-le.crt
SSLCertificateKeyFile /var/www/clients/client1/ssl/sitecert-le.key
....
</VirtualHost>
Only the source net corresponding to beta.com (say 1.2.3.0/24) passes through the NAT chain in iptables and goes to alfa.com:8080:
<VirtualHost *:8080>
ServerName alfa.com
ServerAlias www.alfa.com
....
SSLCertificateFile /var/www/clients/client1/ssl/beta.com.crt
SSLCertificateKeyFile /var/www/clients/client1/ssl/beta.com.key
....
</VirtualHost>
These are the relevant iptables commands:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.0/20 --dport 443 -j DNAT --to-destination 192.168.1.10:8080
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.10 --dport 8080 -j SNAT --to-source 192.168.1.10
Of course, to allow only beta.com's net to see alfa.com:8080 we can deny access to everyone else (negation goes before the option in current iptables):
iptables -A INPUT ! -s 1.2.3.0/20 -p tcp --destination-port 8080 -j DROP
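The only thing standing between the rest of the internet and the 8080 vhost is the agreement between the DNAT source range and the INPUT guard, and the answer above already shows how easy it is to let them drift (the prose says 1.2.3.0/24, the commands say 1.2.3.0/20). The script below is an added example, not code from the answer: it derives both rules from a single BETA_NET variable, checks a live iptables-save dump for exactly that drift, and shows which certificate a vantage point receives. BETA_NET, SITE_IP and BETA_PORT are assumed values matching the answer; the POSTROUTING SNAT rule from the answer is not generated here and can be added the same way if your topology needs it.

```shell
#!/usr/bin/env bash
# Added example, not from the answer above: drive the "second vhost on :8080
# for beta.com only" rules from one set of variables, and check a live dump
# for the DNAT source range and the INPUT guard range drifting apart.
set -eu

BETA_NET="${BETA_NET:-1.2.3.0/24}"    # assumption: beta.com's source range
SITE_IP="${SITE_IP:-192.168.1.10}"    # assumption: alfa.com's local address
BETA_PORT="${BETA_PORT:-8080}"        # the <VirtualHost *:8080> with beta.com.crt

# Emit the rule set, one command per line; applying is a separate step.
beta_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -p tcp -s $BETA_NET --dport 443 -j DNAT --to-destination $SITE_IP:$BETA_PORT
iptables -A INPUT ! -s $BETA_NET -p tcp --dport $BETA_PORT -j DROP
EOF
}

# Source range of a single rule line, whether written "-s X" or "! -s X".
src_of() { sed -n 's/.*[ ]-s \([0-9./]*\).*/\1/p'; }

# Read an iptables-save dump on stdin; succeed only if the DNAT rule for
# :443 and the DROP guard for :$BETA_PORT are both present and name the
# same source range.
check_rules() {
  local dump dnat_src drop_src
  dump=$(cat)
  dnat_src=$(printf '%s\n' "$dump" | grep -- '-j DNAT' | grep -- '--dport 443 ' | src_of)
  drop_src=$(printf '%s\n' "$dump" | grep -- "--dport $BETA_PORT -j DROP" | src_of)
  [ -n "$dnat_src" ] && [ -n "$drop_src" ] && [ "$dnat_src" = "$drop_src" ]
}

# Which certificate a vantage point is handed; run from inside and outside
# BETA_NET and compare the issuers (live check, needs network access).
served_issuer() {   # usage: served_issuer alfa.com 443
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer
}

case "${1:-}" in
  apply) beta_rules | while IFS= read -r rule; do sh -c "$rule"; done ;;
  check) iptables-save | check_rules && echo "ranges agree" ;;
  *)     beta_rules ;;
esac
```

Run it without arguments to review the rules, with `apply` (as root) to load them, and with `check` afterwards; `served_issuer alfa.com 443` from a host inside the beta.com range should name beta.com's CA, while the same call from anywhere else should name Let's Encrypt.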

Related

hiding name and port from url for multiple tomcat websites

I'm hosting multiple websites on the same server with multiple Tomcat instances running.
So I want to route
www.example.com to localhost:80/example
and also to route
test.example.com to localhost:8082/example
I heard about a lot of scenarios: mod_jk, mod_proxy using Apache httpd, or maybe nginx,
but I don't know which one is the best and how to do it.
Could you please help me?
The next step will be to use HTTPS instead of HTTP.
Thanks
The easiest way is to do it with iptables port NATting.
(If your application is listening on interface eth0:)
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8082
But I prefer using nginx, Apache or HAProxy. There are a lot of tutorials on the net on how to set up a reverse proxy.

Apache 2.4 ReverseProxy to Internal CentOS 7 GitLab Server

I have been trying to set up Apache as a reverse proxy to an internal GitLab server with no success.
We are running multiple virtual servers, each server having a different application. We have an existing server with Apache 2.4 installed on CentOS 6.6 and working, and I just recently stood up a new server with GitLab 8.12 on CentOS 7. I have made the following change in /etc/gitlab/gitlab.rb:
external_url 'http://mypublic.domain.com:80'
I have added the following rules in iptables:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
I have verified that we can ssh in using http://mypublic.domain.com:22
I have tried every setup I could find online to set the VirtualHost in httpd.conf, but nothing is working correctly. Below are a couple of the more recent, simple examples I have found. Does anyone have any ideas?
<VirtualHost 192.168.1.000:80>
ServerName mypublic.domain.com
RewriteEngine On
ProxyPass / http://192.168.1.999/
ProxyPassReverse / http://192.168.1.999/
</VirtualHost>
####
<VirtualHost 192.168.1.000:80>
ServerName mypublic.domain.com
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Location />
Require all granted
ProxyPass http://192.168.1.999:80
ProxyPassReverse http://192.168.1.999:80
</Location>
</VirtualHost>
####
Apache Server: 192.168.1.000
GitLab Server: 192.168.1.999
Any help would be much appreciated, thanks!

GET request with HTTP to port 80 results in connection reset or no response from server

I have a strange issue that the SSL connection for port 443 on my server is working fine, but when I look for the HTTP variant of my server it gives me the 'Site can't be reached connection was reset' error.
I have the following rules in my iptables:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
The Apache access_log does show an incoming request when requesting the site via HTTP, and the error_log does not show any errors.
In my httpd.conf file I have:
Listen 80
My intention was to let all traffic go via HTTPS, so I have
<VirtualHost *:80>
ServerName www.example.com
Redirect / https://www.example.com
</VirtualHost>
However, it does not matter if I place this last block here or comment it out; the server is not reachable via HTTP. I am on CentOS 6.7.
Edit:
When I do curl http://example.com, it returns cURL (52) Empty reply from server.
However, when I check the Apache HTTP access_log for that cURL request, it shows
xxx.xxx.xxx.xx - - [02/Jun/2016:22:46:06 +0200] "GET / HTTP/1.1" 302 314 "-"
which indicates that I should have received an HTTP response status 302 Found as intended. However, I received nothing.
Any help or suggestions are welcome.
Solved it. Apparently there was another firewall on a higher level than the one on my server that was causing the problems.

remove port number 8069 from the url

I am using CentOS 6. I want to remove the port from the URL,
that is, I want to use http://www.website.com/ instead of http://www.website.com:8069/, so I tried to create the virtualhost.
I opened the file /etc/httpd/conf/httpd.conf
and added the lines
Listen 80
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot "/var/www/vhosts/website.com/httpdocs"
ServerName www.website.com
ServerAlias website.com
ProxyPass / http://www.website.com:8069/
ProxyPassReverse / http://www.website.com:8069/
</VirtualHost>
and restarted the server:
/sbin/service httpd restart
but it's not working.
It is not giving any error and is not working either.
The only solution if you want to use http://www.website.com/ is to open port 80 on the server or the server's router.
You should check via netstat whether the Apache process is listening on port 80:
netstat -tulpn
Next to check is the local firewall. Check with
iptables -L
If the command lists entries, iptables is active. You can turn it off with
/etc/init.d/iptables stop
or add an entry for port 80 in
/etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
If that doesn't help you should check the Apache logs under
/var/log/httpd/

SSL installed on Apache2 but HTTPS not working

I recently installed an SSL certificate on my Amazon EC2 Ubuntu 12.04 (32-bit) server running Apache 2.
When I attempt to access my site via HTTPS, it does not load. When I perform an nmap scan, I see that port 443 is not open.
I tried to open port 443 in my iptables to no avail. iptables -L yields
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Here's how I installed SSL:
I modified /etc/init.d/apache2.conf to include ssl.conf and modified ssl.conf to include the requisite
paths of my certificate files, i.e.
SSLCertificateFile /path/file
SSLCertificateKeyFile /path/file
SSLCertificateChainFile /path/file
I configured my security group to allow inbound requests on port 443 (TCP, source: 0.0.0.0/0).
When I perform the following test with PHP
if (!extension_loaded('openssl'))
{
echo "not loaded";
}
else
{
echo "loaded" ;
}
I get "loaded".
Any ideas?
In httpd-ssl.conf, do you have
Listen 443
If not, try adding that and restarting Apache.
First check if mod_ssl is enabled. If not, enable it by running a2enmod ssl. Then check if Apache is listening on port 443 for HTTPS. Then check that the firewall is not blocking port 443.
If anyone else finds this and is using Amazon Lightsail (like me), you have to use their web UI to explicitly open port 443.
I spent hours poring over my server config files before I discovered that :/
In httpd.conf the following is disabled by default:
# Secure (SSL/TLS) connections
# Include conf/extra/httpd-ssl.conf
Simply remove the # from the Include and restart Apache.
If you can connect locally (e.g. with telnet localhost 443 as mti suggests), check if the firewall is configured properly.
In my case, ufw was blocking everything, so I had to ufw allow 443 which fixed the underlying problem to the same symptom.
I just ran into a situation where there was a process listening on port 443, the firewall was completely open, SELinux was disabled, and I still couldn't telnet to port 443. Not even from localhost. I kept getting:
telnet 127.0.0.1 443
telnet: connect to address 127.0.0.1: Connection refused
It turns out the iptables NAT table had some rules redirecting traffic coming in on port 443 to a different port (8443). Nothing was listening on port 8443.
# iptables --table nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 8443
Removing the relevant NAT entries fixed the problem for me.
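The answer above and the netstat / iptables -L checklist in the port 8069 thread earlier on this page are the same diagnosis done by hand: is anything listening, does the INPUT chain let the port through, and is a NAT rule quietly sending the port somewhere else. The script below is an added example, not code from either answer, that runs that checklist for one port. The two parsing helpers read iptables-save output (easier to parse than iptables -L) from stdin so they can be exercised on constructed dumps; diagnose() is the live wrapper and assumes ss, iptables-save and the CentOS log path /var/log/httpd/error_log.

```shell
#!/usr/bin/env bash
# Added example, not from any of the answers above: a "why does port N refuse
# connections?" checklist. The pure helpers read an iptables-save dump from
# stdin so they can be tested on constructed input; diagnose() runs them live.
set -eu

# Print the port that PREROUTING REDIRECT/DNAT rules send traffic for $1 to.
# Empty output means no NAT rule touches that port.
nat_target_for() {
  grep -E -- "^-A PREROUTING .*--dport $1 .*-j (REDIRECT|DNAT)" |
    sed -n -e 's/.*--to-ports \([0-9]*\).*/\1/p' \
           -e 's/.*--to-destination [0-9.]*:\([0-9]*\).*/\1/p'
}

# Succeed if the INPUT chain has an explicit ACCEPT for TCP port $1.
# (Rules written with -m multiport --dports are not recognised; known limit.)
input_accepts() {
  grep -qE -- "^-A INPUT .*-p tcp .*--dport $1 .*-j ACCEPT"
}

# Live checklist for one port: listener, INPUT rule, NAT redirect, Apache log.
# Needs root for iptables-save; ss and the log path are assumptions.
diagnose() {
  local port=$1 dump target
  if ss -ltn | awk -v p="$port" '$4 ~ (":" p "$")' | grep -q .; then
    echo "OK: something is listening on :$port"
  else
    echo "PROBLEM: nothing listens on :$port (check Listen $port and the SSL include)"
  fi
  dump=$(iptables-save 2>/dev/null || true)
  if printf '%s\n' "$dump" | input_accepts "$port"; then
    echo "OK: INPUT accepts tcp/$port"
  else
    echo "WARN: no explicit INPUT ACCEPT for tcp/$port (fine only if the policy is ACCEPT)"
  fi
  target=$(printf '%s\n' "$dump" | nat_target_for "$port")
  if [ -n "$target" ]; then
    echo "PROBLEM: NAT sends :$port to :$target; make sure something listens on :$target"
  fi
  tail -n 5 /var/log/httpd/error_log 2>/dev/null || true
}

[ "${1:-}" = "" ] || diagnose "$1"
```

`sudo ./port-check.sh 443` prints one line per check; in the situation described in the answer above, the listener and firewall lines come back OK and the NAT line is the one that points at :8443.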
For me it's the stupid Chrome cache. Ctrl + Shift + Del to clear the cache, restart Chrome, and SSL is correctly working now.
If the SSL keys are not set (or were inexplicably commented out by gremlins), Apache 2.2 SSL will silently fail. There will be no error in the log, and it will not be listening to 443. The http:80 sites will work.
First, check the processes on ports 80 and 443 with sudo netstat -peanut | grep ':80' and sudo netstat -peanut | grep ':443'. If 443 has no process then this would help:
Editing the Apache configuration file to serve the cert works well.
Use the command sudo certbot --apache
You are good
Sometimes an iptables -F works. I had port 443 open for inbound traffic in Amazon, but still the site was not opening in my browser.
Logged on to the site, ran iptables -F, and immediately the site was accessible.