Why is apache enforcing SSL (https)? How to undo this? - ssl

We have been running a multi-host apache2 environment for several years. All of a sudden apache now seems to require https.
Some trivial websites are configured without certificates on port 80 (and with self-signed or Let's Encrypt certificates on port 443).
With the recent automatic renewal of a Let's Encrypt certificate I got an error message about problems retrieving the acme-challenge via http.
It seems to be related to a recent change of the default configuration of apache2 under Debian 4.19.x.
However I did not find any option in apache2 to undo the enforcement of SSL.
Here is my configuration for one of the respective vhosts (the problem also exists for another host):
<VirtualHost *:80>
    ServerName www.antXXX.XX
    ServerAlias antXXX.XX *.antXXX.XX
    ServerAdmin webmaster@...
    DocumentRoot /data/www/htdocsantXXX
    ErrorDocument 503 /ausserBetrieb.html
    <Directory /data/www/htdocsantXXX>
        Options FollowSymLinks MultiViews
        <RequireAll>
            Require all granted
        </RequireAll>
        RedirectMatch ^/$ /index.html
    </Directory>
    ErrorLog /var/log/apache2/antXXX/errorantXXX.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug
    CustomLog /var/log/apache2/antXXX/accessantXXX.log combined
    ServerSignature On
</VirtualHost>
<VirtualHost *:443>
    ServerName www.antXXX.XX
    ServerAlias antXXX.XX *.antXXX.XX
    ServerAdmin webmaster@...
    DocumentRoot /data/www/htdocsantXXX
    ...
</VirtualHost>
I was not able to find the respective option in the basic configuration of apache, nor the error document that contains the HTML text for "This site is configured to require an SSL (https) connection...".
I know that there is the http option Upgrade-Insecure-Requests: 1. However the problem also exists when retrieving the web document locally with curl -v http://www.antXXX.XX.
How can I undo the https requirement for the respective vhosts?
Thank you for your support
Wallenstein

Oh sorry. Finally I have found the culprit.
I have recently experimented with the yubikey authorization in the module authn-yubikey.
Its activation seemed to enforce https. At least I found the respective HTML code via the strings command.
After disabling this module http access was available again.
Wallenstein
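The diagnosis in the answer above (finding which enabled module carries the "requires an SSL (https) connection" text and then disabling it) can be made repeatable. The following script is an added example, not code from the original post or from the authn-yubikey module; it assumes a Debian-style layout in which /etc/apache2/mods-enabled/*.load holds one "LoadModule <name> <path>" line per enabled module, and it uses grep -a on the shared objects instead of strings(1) so it also works where binutils is not installed.

```shell
#!/bin/sh
# Added example: find the enabled Apache module whose shared object contains
# a given string (here: the HTTPS-required error text), so it can be disabled.
# Assumption: Debian layout, CONFDIR/mods-enabled/*.load with LoadModule lines.

# Substring of the message quoted in the question.
NEEDLE_DEFAULT='configured to require an SSL'

# enabled_modules CONFDIR
#   Prints "<module_name> <shared_object_path>" for every enabled module,
#   taken from the LoadModule lines under CONFDIR/mods-enabled.
#   Comment lines and anything that is not a LoadModule line are ignored.
enabled_modules() {
    confdir=$1
    for f in "$confdir"/mods-enabled/*.load; do
        [ -e "$f" ] || continue
        sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]*\)[[:space:]]\{1,\}\([^[:space:]]*\).*/\1 \2/p' "$f"
    done
}

# modules_containing CONFDIR NEEDLE
#   Prints the name of every enabled module whose shared object contains
#   NEEDLE. grep -a treats the binary as text, so strings(1) is not needed.
modules_containing() {
    confdir=$1
    needle=$2
    enabled_modules "$confdir" | while read -r name sofile; do
        [ -r "$sofile" ] || continue
        if grep -qa -- "$needle" "$sofile"; then
            printf '%s\n' "$name"
        fi
    done
}

# On a live Debian box (needs read access to the module files):
#   modules_containing /etc/apache2 "$NEEDLE_DEFAULT"
# then disable the module it names and reload, e.g. for the case in the post:
#   sudo a2dismod authn_yubikey && sudo systemctl reload apache2
# and confirm that plain HTTP is served again before the next ACME renewal:
#   curl -sI http://www.antXXX.XX/ | head -n 1
```

The point of checking the enabled module list rather than every file in the modules directory is that only loaded modules can change the server's behaviour; a module that merely exists on disk is irrelevant. Run the curl check from the outside as well as locally, since the ACME HTTP-01 challenge is fetched by the CA over port 80.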

Related

Apache2 fails to find the requested URL when accessed via a domain name, but functions perfectly via an IP address?

I've recently been migrating a small website on a VPS from a rudimentary and static one to the Flask framework, via WSGI/Apache2. However, while access to the website is functional when accessing from a browser using the IP address, use of the domain name brings the standard and nonspecific Apache2 message "The requested URL was not found on this server." My VHost is as follows:
<VirtualHost *:443>
    ServerName slow.estate
    ServerAlias www.slow.estate
    ServerAdmin my.email@gmail.com
    WSGIScriptAlias / /var/www/se/se.wsgi
    <Directory /var/www/se/se/>
        Order allow,deny
        Require all granted
    </Directory>
    Alias /static /var/www/se/se/static
    <Directory /var/www/se/se/static/>
        Order allow,deny
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I've tried this both with the VHost set to port 80 (and, of course, with SSLify disabled) and with SSL and port 443, with no difference. The problem also persists no matter if I use Apache's older Allow from all or the newer Require all granted in my VHost. In the VHost above, the website will not work at all. If I modify the ServerName to be the IP address, then it works exclusively when that IP address is entered into the browser. Each time I try and fail to use the website in the above manner, a relevant entry is made in access.log, and no entry is made in error.log.
I've only found one other person out there with a similar problem to me, and that seemed just to be that their nonstandard TLD was being misinterpreted by their browser, which is why I mention that my TLD is .estate. I doubt, surely, that this could be the issue, especially when this issue, unlike the other person's, plagues me across browsers?

Apache2 reverse proxy issues with OTRS

I have asked this question in the OTRS forum but their primary focus is the functionality of OTRS and not really the interaction with an apache proxy.
I have an internal server running OTRS (Perl based support ticket system).
I have a reverse proxy in my DMZ that performs proxying and SSL offload for internal web pages/applications. My proxy server is Ubuntu 18 with Apache2. It mostly works except that for OTRS I get weird page errors. It used to not be bad but since the update from OTRS 5 to OTRS 6 it is so bad that we cannot use https except to log in.
If I use https it throws a message that "OTRS has detected possible network issues" and says to reload the page or wait till the browser establishes the connection on its own. If I wait just a bit I get a new message that states "the connection has been re-established after a temporary connection loss. Due to this elements on this page could have stopped working correctly" and it goes on to say that you need to reload the page. But it just keeps cycling through these messages in a flapping error.
I also get additional slash marks (/) each time I move to a new ticket.
Like so: https://myotrs.mydomain.com/otrs////////////index.pl?
The slash mark addition happens on both http and https through the proxy. It only happens on the OTRS site, not on my others handled by the same proxy.
Here is a sample of my proxy vhost file.
<VirtualHost *:443>
    ServerName help.mydomain.com
    ServerAlias help.mydomain.net
    ServerAdmin it@mydomain.com
    ErrorLog /var/log/apache2/proxiedhosts-ssl_error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel info
    CustomLog /var/log/apache2/access-ssl.log combined
    ProxyRequests off
    ProxyPass / http://helpdesk.mydomain.local/
    <Location /otrs>
        ProxyPassReverse http://helpdesk.mydomain.local/otrs/
    </Location>
    <Location /otrs-web>
        ProxyPassReverse http://helpdesk.mydomain.local/otrs-web/
    </Location>
    # Use mod_proxy_html to rewrite URLs
    SetOutputFilter proxy-html
    # commented out
    # https://help.mydomain.com/otrs/
    # https://help.mydomain.com/otrs-web/
    # Disable compressed communication between Apache and target server
    RequestHeader unset Accept-Encoding
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # Allows the proxying of an SSL connection
    SSLProxyEngine On
    # certificate
    SSLCertificateFile /etc/ssl/certs/help.mydomain.com/help.mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/SHA2_mydomain.key
</VirtualHost>
I have checked your config file, and I suggest you try changing
    <Location /otrs>
        ProxyPassReverse http://helpdesk.mydomain.local/otrs/
    </Location>
to
    <Location /otrs/>
        ProxyPassReverse http://helpdesk.mydomain.local/otrs/
    </Location>
In the original config file, if you browse https://myotrs.mydomain.com/otrs/index.pl you will be redirected to https://myotrs.mydomain.com/otrs//index.pl. And then, if you click the page, you will be redirected to https://myotrs.mydomain.com/otrs///index.pl. Then you are stuck in the loop.
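The same vhost can also be written without <Location> blocks, with each ProxyPass and its ProxyPassReverse declared as a pair whose path and URL either both end in "/" or both do not, which is what the mod_proxy documentation asks for and which avoids the slash mismatch the answer points at. The following is an added example and not the answerer's configuration; hostnames, certificate paths and the proxy-html lines are taken from the question, while mapping /otrs/ and /otrs-web/ explicitly before the catch-all is this example's own choice.

```apache
<VirtualHost *:443>
    ServerName help.mydomain.com
    ServerAlias help.mydomain.net
    ErrorLog /var/log/apache2/proxiedhosts-ssl_error.log
    CustomLog /var/log/apache2/access-ssl.log combined

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/help.mydomain.com/help.mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/SHA2_mydomain.key

    # Never act as a forward proxy; only the mappings below are proxied.
    ProxyRequests Off

    # Forward and reverse mappings as pairs, most specific first. On every
    # line the local path and the backend URL end the same way (both with
    # "/"); mismatched trailing slashes are the usual source of missing or
    # doubled slashes in the proxied URL and in rewritten Location headers.
    ProxyPass        /otrs/     http://helpdesk.mydomain.local/otrs/
    ProxyPassReverse /otrs/     http://helpdesk.mydomain.local/otrs/
    ProxyPass        /otrs-web/ http://helpdesk.mydomain.local/otrs-web/
    ProxyPassReverse /otrs-web/ http://helpdesk.mydomain.local/otrs-web/

    # Catch-all last, so the more specific pairs above win.
    ProxyPass        / http://helpdesk.mydomain.local/
    ProxyPassReverse / http://helpdesk.mydomain.local/

    # mod_proxy_html needs uncompressed responses to rewrite links.
    SetOutputFilter proxy-html
    RequestHeader unset Accept-Encoding
</VirtualHost>
```

After a reload, compare the Location header of the backend with the one the proxy emits, for example with curl -sI https://help.mydomain.com/otrs/index.pl, to confirm that it maps to a single-slash /otrs/ path. SSLProxyEngine from the original is not needed here because the backend is plain http.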

Confluence - Redirect to new name

We had Confluence running in our company with the URL https://confluence:8443.
We changed the domain name - let's say it is https://abc:8443. Same server, same Apache instance, and it has the new name and the cert for "abc".
It runs on Apache/Tomcat; we could not figure out how to make this conversion look seamless to the users, so we created port 80 on the same server (say, server A), installed the confluence certificate on it and created a redirect to
Now if a user goes to http://confluence, it goes to the DNS server, finds server A's IP, goes to the IIS, gets the redirect rule and goes to https://abc:8443.
If a user goes to https://abc:8443, no problems there.
But if a user goes to http://confluence:8443 (most of the users have this bookmarked), they get the cert error.
Can anyone please suggest a way to make this work in Confluence, that is Tomcat/Apache?
Thanks for your time.
Thanks,
Shiyam
You have two options:
Option 1: Server Name Indication
If your client browsers all support it, you can configure your HTTPD to use Server Name Indication (SNI), which allows the client to tell the server which host it is requesting. This assumes that you already have two distinct SSL certs for "abc" and "confluence", and that you configure the appropriate SSL certificate under each VirtualHost.
Of note is that Internet Explorer on Windows XP does not support SNI, but since Windows XP has already reached End of Life, your organization hopefully no longer has any such clients.
The example from the SNI page above, for reference, is:
Listen 192.168.1.1:443
LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
AcceptMutex flock
SSLSessionCache shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
NameVirtualHost 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/ssl/star.example.com.crt
    SSLCertificateKeyFile /etc/ssl/star.example.com.key
    ServerName "one.example.com"
    DocumentRoot "/var/www/html/one"
    CustomLog "/var/log/httpd/one-access.log" combined
    ErrorLog "/var/log/httpd/one-error.log"
    <Directory /var/www/html>
        AllowOverride none
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
<VirtualHost 192.168.1.1:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/ssl/star.example.com.crt
    SSLCertificateKeyFile /etc/ssl/star.example.com.key
    ServerName "two.example.com"
    DocumentRoot "/var/www/html/two"
    CustomLog "/var/log/httpd/two-access.log" combined
    ErrorLog "/var/log/httpd/two-error.log"
    <Directory /var/www/html>
        AllowOverride none
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
Option 2: Wildcard SSL Certificate
If your server or clients do not both support SNI, but if "abc" and "confluence" are hosts on the same domain, you can also get a wildcard SSL certificate.
For example, if you obtain a wildcard cert for *.example.com, your single httpd server will be able to handle HTTPS requests for both abc.example.com and confluence.example.com without error.
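Applied to the question, Option 1 means two name-based TLS vhosts on the same port, each with its own certificate, where the old name does nothing but redirect. The following is an added example, not the answerer's or Atlassian's configuration; it assumes Apache terminates TLS on 8443 and proxies to a Confluence/Tomcat listener on 127.0.0.1:8090, and the certificate paths are placeholders.

```apache
# Added example: SNI-based vhosts so that https://confluence:8443 presents a
# valid certificate and redirects to the new name, https://abc:8443.
# Assumptions: Apache owns port 8443, Tomcat listens on 127.0.0.1:8090,
# certificate/key paths are placeholders.
Listen 8443

# New name first: the first <VirtualHost> for an address:port is the
# default, and it is also the one (and the certificate) a client that
# sends no SNI gets.
<VirtualHost *:8443>
    ServerName abc
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/abc.crt
    SSLCertificateKeyFile /etc/ssl/private/abc.key

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8090/
    ProxyPassReverse / http://127.0.0.1:8090/
</VirtualHost>

# Old name: present the certificate issued for "confluence" via SNI, then
# send every request to the new name with a permanent redirect. Browsers
# with https://confluence:8443 bookmarked get a 301 instead of a warning.
<VirtualHost *:8443>
    ServerName confluence
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/confluence.crt
    SSLCertificateKeyFile /etc/ssl/private/confluence.key

    Redirect permanent / https://abc:8443/
</VirtualHost>
```

Check that each name really receives its own certificate with openssl s_client -connect <server>:8443 -servername confluence and again with -servername abc, and compare the subject of the certificate each returns. The redirect vhost serves no content, so a request to the old name never reaches Confluence under a name the application does not know about.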

Apache accepts all websites that point to server

I only have two websites pointed to my server IP, Asite.com and Bsite.com. I tried adding a website, so I pointed Csite.com to my server IP (but I haven't registered a virtualhost for site3.com yet). How come when I access Csite.com apache recognizes it as Asite.com even if I haven't registered a virtualhost for Csite.com?
httpd.conf
Listen 8080
NameVirtualHost *:8080
# Asite.com
<VirtualHost *:8080>
    ServerAdmin webmaster@localhost
    ServerName asite.com
    ServerAlias asite.com *.asite.com
    DocumentRoot /var/www/asite.com/public
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/asite.com/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/log/httpd/error_log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
</VirtualHost>
^The same goes for Bsite.com
The first virtualhost is also the default:
"The asterisks match all addresses, so the main server serves no requests. Due to the fact that www.example1.com is first in the configuration file, it has the highest priority and can be seen as the default or primary server. That means that if a request is received that does not match one of the specified ServerName directives, it will be served by this first VirtualHost."
See 'Running several name-based web sites on a single IP address.' http://httpd.apache.org/docs/2.0/vhosts/examples.html
It uses the first-listed one, when it has no ServerName match.
You'll find you can also use the raw IP address to access Asite.com.
If you feel uncomfortable with that, you could create a different virtual host as the first one listed for <VirtualHost *:8080>, and configure so it just Redirects somewhere else. Or gives a 404 message, etc.
This is happening because you pointed csite.com to your local host, and the first virtual host is recognized as the local host. So if you switch around site A and site B so that site B's virtual host is first, and type "localhost" or sitec.com in your browser, it will show siteb.com.
Don't worry; this isn't a problem. It is supposed to happen.
You didn't actually point sitec.com to localhost, but if you created it in your hosts file or pointed it to your domain, it will take you to the first specified file!

Setup Dynamic Virtual Host (Apache2 on Ubuntu)

I want to set up a single virtual host that can dynamically handle all requests based on the hostname used to access it. If %{HTTP_HOST} could be used in a DocumentRoot, this is probably exactly what I want:
<VirtualHost *:80>
    ServerAdmin me@example.com
    DocumentRoot /var/www/live/%{HTTP_HOST}/public
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/live/%{HTTP_HOST}/public>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn
    ErrorLog /var/www/live/%{HTTP_HOST}/logs/error.log
    CustomLog /var/www/live/%{HTTP_HOST}/logs/access.log combined
</VirtualHost>
...unfortunately, %{HTTP_HOST} is not allowed in the DocumentRoot (Warning: DocumentRoot [/var/www/live/%{HTTP_HOST}/public] does not exist). How else can I achieve my goal?
Update: I thought of pointing a catch-all vhost to a single directory and having a .htaccess use mod_rewrite to dynamically select the path but (honestly) I'm exhausted. I'll try at it again in the morning, but in the meantime, if anyone has good ideas, I'd love to hear them! Thank you!
Maybe you can try the following solution from this article: Apache: Dynamic Virtual Hosts
A few months back I looked for a solution to overcome the problem of creating individual Virtual Hosts in Apache every time I wanted to configure a new site on a development machine (something that is a big issue at work where we have a lot of websites). Apache is able to support this functionality relatively easily using a module and a few lines in the configuration file. I set this up on Fedora 14, so results may be slightly different for other OS's (different paths, configuration file setup, etc.)

Open up the main Apache conf (/etc/httpd/conf/httpd.conf), and ensure the module mod_vhost_alias is enabled. There should be a line in the configuration like

    LoadModule vhost_alias_module modules/mod_vhost_alias.so

Next, add the following lines to the bottom of this file. You'll need to edit the file with sudo privileges.

    NameVirtualHost *:80
    UseCanonicalName Off
    <VirtualHost *:80>
        VirtualDocumentRoot /var/www/html/domains/%0
    </VirtualHost>

This sets up a catch-all for any domain coming in over port 80 (the default port for http traffic; if you're using https you will need to use 443 - alternatively you could remove the port restriction). The important line here is the VirtualDocumentRoot. This tells Apache where your files will reside on disk. The %0 part takes the whole domain name and inserts it into the path. To illustrate this, if we went to a domain testing.com.dev the VirtualDocumentRoot would be:

    /var/www/html/domains/testing.com.dev

This type of configuration might be suitable for most situations, however I didn't want to have the .dev part of the domain in my folders on disk. I was able to achieve this by setting the VirtualDocumentRoot to:

    VirtualDocumentRoot /var/www/html/domains/%-2+

The above example of testing.com.dev would now point to:

    /var/www/html/domains/testing.com

Remember to add the domain to your hosts file (/etc/hosts).

For a full list of options see the mod_vhost_alias documentation.
Additional documentation can be found here.
The official methods for achieving dynamic virtual hosts are explained in the Apache documentation:
http://httpd.apache.org/docs/2.0/vhosts/mass.html
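Putting the quoted article's VirtualDocumentRoot into the layout the question asked for, and solving the per-host log problem the question ran into (%{HTTP_HOST} is not interpolated in ErrorLog or CustomLog either), gives the vhost below. This is an added example, not the article's or the asker's configuration; it assumes Apache 2.4 (Require instead of Order/Allow), the /var/www/live/<host>/public layout from the question, and a log location under /var/log/apache2.

```apache
# Added example: one catch-all vhost whose document root is derived from the
# Host header with mod_vhost_alias (requires vhost_alias_module loaded).
# Assumptions: Apache 2.4, sites live in /var/www/live/<host>/public.
UseCanonicalName Off

<VirtualHost *:80>
    ServerAdmin me@example.com

    # %0 is the whole host name as sent by the client, so a request for
    # www.one.test is served from /var/www/live/www.one.test/public.
    # %-2+ would drop the first label instead (www.one.test -> one.test).
    VirtualDocumentRoot /var/www/live/%0/public

    # A host name whose directory does not exist gets a 404, nothing else.
    # Keep Indexes off: the Host header, not an operator, picks the path.
    <Directory /var/www/live/*/public>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # The log directives cannot be made per-host with %{HTTP_HOST}. Log the
    # host name (%V, which follows UseCanonicalName) as the first field of
    # one file and split it afterwards with split-logfile from the Apache
    # distribution, as the mass virtual hosting documentation describes.
    LogFormat "%V %h %l %u %t \"%r\" %>s %b" vcommon
    CustomLog /var/log/apache2/live-access.log vcommon
    ErrorLog  /var/log/apache2/live-error.log
    LogLevel warn
</VirtualHost>
```

Because any Host header now maps to a filesystem path, create the directory only for names you intend to serve and keep AllowOverride None, so that a stray directory cannot carry its own .htaccess rules into the catch-all. For local testing, add each name to /etc/hosts as the article notes, or send the header explicitly: curl -H 'Host: www.one.test' http://127.0.0.1/.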