Malformed Request Line With SSL on Ubuntu - ssl

I'm in the process of setting up a droplet at DigitalOcean. I would like to serve multiple sites from the same droplet and use LetsEncrypt SSL certs. When accessing a test site, I see an error in the logs, "AH00566: request failed: malformed request line", and in Chrome I see "ERR_SSL_PROTOCOL_ERROR".
It seems that I likely have a configuration error somewhere but am not sure where.
The conf for my site is:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mydomain.com
ServerAlias www.mydomain.com
DocumentRoot /var/www/mydomain.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mydomain.com [OR]
RewriteCond %{SERVER_NAME} =mydomain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
<Directory /var/www/mydomain.com>
AllowOverride All
</Directory>
ServerAdmin webmaster@localhost
ServerName mydomain.com
ServerAlias www.mydomain.com
DocumentRoot /var/www/mydomain.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>

Related

Second VHost pointing to first on Apache Web Server

I followed this tutorial to get Vhosts working on my website. https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-18-04-quickstart. For my second site at reporting.mydev.site, my website still redirects to my main website at mydev.site. I am using Apache as my HTTP server, here are my two .conf files for my main server and my new Vhost.
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mydev.site
DocumentRoot /var/www/mydev.site/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www>
AllowOverride All
</Directory>
RewriteEngine on
RewriteCond %{SERVER_NAME} =mydev.site
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
And here is the .conf file for the vhost I cannot get to work
<VirtualHost *:80>
ServerName reporting.mydev.site
ServerAdmin webmaster@localhost
DocumentRoot /var/www/reporting.mydev.site/public_html
ServerAlias www.reporting.mydev.site
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I found the problem: the issue was that I needed to create the https version of this file using certbot, "reporting.mydev.site-le-ssl.conf". My second vhost was pointing to the first only for the https version, but for the http-only version it was correctly pointing to my new website.

Apache virtualhost root, www and sub-domain setup including http to https

I'm pretty stuck. Would appreciate some help.
Two websites (wordpress and another php tool) on an AWS EC2 Ubuntu
18.04 instance running LAMP stack.
My intention is to achieve:
http://www.example.com
http://example.com
https://www.example.com
to: https://example.com.
AND
http://app.example.com
to: https://app.example.com.
I had virtualhost configured and working as I intended, I then created the https cert through letsencrypt which setup the HTTP to HTTPS redirects...however...something's gone wrong:
HTTP all redirect to HTTPS.
https://app.example.com resolves to the intended website - website1.
https://example.com doesn't resolve to website2 - it resolves to website1 - note it's not redirecting to app. but showing website1 on https://example.com.
I've two virtualhost conf files, one for each site. Both contain each site's 80 and 443 config; they're below.
The SSL cert has the common name of example.com and lists alternative names for app.example.com, www.example.com and example.com.
DNS has example.com A to server IP, www. and app. are CNAME to example.com.
app.example.com.conf - Website 1
<VirtualHost *:80>
ServerAdmin jimmy@example.com
DocumentRoot /var/www/website1/
ServerName example.com
ServerAlias app.example.com
<Directory /var/www/website1/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =app.example.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin jimmy@example.com
DocumentRoot /var/www/website1
ServerName example.com
ServerAlias app.example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/website1/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
example.com.conf - Website 2
<VirtualHost *:80>
ServerAdmin jim@example.com
ServerName example.com
ServerAlias example.com
DocumentRoot /var/www/website2
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/website2/>
AllowOverride All
</Directory>
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin jim@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/website2
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/website2/>
AllowOverride All
</Directory>
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin jim@example.com
ServerName example.com
ServerAlias example.com
DocumentRoot /var/www/website2
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/website2/>
AllowOverride All
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin jim@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/website2
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/website2/>
AllowOverride All
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
I'd really appreciate any help, suggestions and any other ideas!
https://example.com doesn't resolve to website2 - it resolves to website1 - note it's not redirecting to app. but showing website1 on https://example.com
Yes, because all your vHosts define example.com as the ServerName and I expect website1 appears first in the config.
For app.example.com.conf (Website 1) you should set ServerName app.example.com and remove the ServerAlias directive altogether for both the vhost:80 and vhost:443 containers.
The HTTP to HTTPS redirect in the vhost:80 container:
RewriteEngine on
RewriteCond %{SERVER_NAME} =app.example.com [OR]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Can be simplified to a single mod_alias Redirect directive:
Redirect 301 / https://app.example.com/
For example.com.conf (Website 2) you have duplicated the vhost:80 and vhost:443 containers and defined the same ServerName example.com in each - this is an error. It is perfectly possible to have 4 containers like this (and use mod_alias Redirect directives), but you would need unique ServerName directives for each vHost and cut down the repetition.
The easiest approach from your point of view is probably just to remove the second (duplicate) vhost:80 and vhost:443 containers and set the following in both the vhost:80 and vhost:443 containers that remain.
ServerName example.com
ServerAlias www.example.com
I then created the https cert through letsencrypt which setup the HTTP to HTTPS redirects
Creating the SSL cert using LetsEncrypt should not have "setup the HTTP to HTTPS redirects"?

Apache2 Force redirect to HTTPS doesn't work

I'm trying to set up a redirect of all traffic to HTTPS. But when I access http://example.com it gives a "403 Forbidden" error. With HTTPS everything works well.
My /etc/apache2/apache2.conf has everything by default except of:
<Directory /home/site/www>
Options -Indexes
AllowOverride All
Require all granted
</Directory>
My /etc/apache2/sites-available/example.com.conf looks like this:
<VirtualHost *:443>
ServerAdmin admin@example.com
DocumentRoot /home/site/www
ServerName example.com
ServerAlias www.example.com
SSLEngine on
SSLCertificateFile /home/site/.ssl/example_com.crt
SSLCertificateKeyFile /home/site/.ssl/example.key
SSLCertificateChainFile /home/site/.ssl/example_com.ca-bundle
ErrorLog /home/site/www/errors.php
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
My .htaccess looks like this:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
The website is hosted on Ubuntu 16.04 on Google Cloud. The same setup on Amazon AWS works well and rewrites all requests to HTTPS.
Solved.
Just had to sudo a2dissite 000-default.conf and add:
<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /home/site/www
</VirtualHost>
to /etc/apache2/sites-available/example.com.conf

Apache htpasswd for multiple websites/dirs?

I'm not 100% familiar with how htpasswd works, but I'm wondering if it is possible.
I have one server with one IP and multiple domains there. I need to password protect all of those domains, but if possible only in one place. I don't want to go around and make an htpasswd for each website.
Assuming that I have all websites placed under /var/www/{vhost dirs}
Is it possible at all, and how?
Multiple domains on a single IP are possible through virtual host configuration in Apache.
E.g. I am running a few domains on a single machine:
www.internationalworkersday.com
www.internationallabourday.com
www.internationlaborday.com
www.internationalworkersday.org
www.apnok.com
#Here is virtual host configuration in httpd.conf
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost *:80>
ServerAdmin www.apnok.com
DocumentRoot /home/ap/
ServerName www.apnok.com
ServerAlias apnok.com *.apnok.com
ErrorLog logs/error_log
CustomLog logs/access_log common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin www.internationalworkersday.com
DocumentRoot /home/iwd/
ServerName www.internationalworkersday.com
ServerAlias internationalworkersday.com
ErrorLog logs/error_log
CustomLog logs/access_log_iwd common
</VirtualHost>
<VirtualHost *:80>
# ServerAdmin www.internationallabourday.com
DocumentRoot /home/ild/
ServerName www.internationallabourday.com
ServerAlias internationallabourday.com
# ErrorLog logs/error_log
#CustomLog logs/access_log_ild common
RewriteEngine On
RewriteCond %{HTTP_HOST} ^internationallabourday\.com [NC]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ http://www.internationalworkersday.com
#DirectoryIndex index.php index.php.var
</VirtualHost>
<VirtualHost *:80>
ServerAdmin www.internationallaborday.com
DocumentRoot /home/ila/
ServerName www.internationallaborday.com
ServerAlias internationallaborday.com
ErrorLog logs/error_log
CustomLog logs/access_log common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin www.internationalworkersday.org
DocumentRoot /home/iwd/
ServerName www.internationalworkersday.org
ServerAlias internationalworkersday.org
ErrorLog logs/error_log
CustomLog logs/access_log_org common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin www.internationallabourday.org
DocumentRoot /home/ild/
ServerName www.internationallabourday.org
ServerAlias internationallabourday.org
ErrorLog logs/error_log
CustomLog logs/access_log_org common
</VirtualHost>

Apache 2.4 Restrict SSL to specific subdomain Vhosts

I have a single digitalocean droplet, with only a single IPV4 address possible. I would like to use SNI to apply TLS (SSL) encryption onto only a specific subdomain, and not any other parts of the domain.
Example being:
domain.com (No TLS)
sub.domain.com (TLS, certificate 1)
sub1.domain.com (TLS, certificate 2)
sub2.domain.com (no TLS)
I'm using LetsEncrypt for the certificates, so wildcard domains are not possible.
domain.com.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sub.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName sub.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
</IfModule>
sub1.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName sub1.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
</IfModule>
sub2.domain.com
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName sub2.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Two things you should be aware of:
You never know which protocols users are going to use. They will default to http if the protocol is not defined, and some browser extensions will try https first and use that if it exists.
Apache will fall back to the first site defined for that port if there's not a better match. In which case you might end up serving the wrong site if, for example, you don't define a sub2.domain.com site on port 443.
So you should define all 4 domains on both port 80 and port 443 and basically have 8 vhosts defined.
This also means you will need to buy (or get for free from LetsEncrypt) certificates to cover all domains and not just the two you want to serve over https.
Then you should use redirects appropriately:
1. domain.com (No TLS): Serve site on port 80. Config for port 443 should just redirect all traffic back to equivalent page on http://domain.com
2. sub.domain.com (TLS, certificate 1): Serve site on port 443. Config for port 80 should just redirect all traffic back to equivalent page on https://sub.domain.com
3. sub1.domain.com (TLS, certificate 2): Similar to sub.domain.com setup mentioned in point 2 above.
4. sub2.domain.com (no TLS): Similar to domain.com set up mentioned in point one above.
Example config:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sub.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName sub.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
</VirtualHost>
</IfModule>
sub1.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName sub1.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
</VirtualHost>
</IfModule>
sub2.domain.com
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName sub2.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-domain.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-domain.key
RewriteEngine On
RewriteRule (.*) http://%{SERVER_NAME}$1 [R,L]
</VirtualHost>
sub.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName sub.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-subdomain.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-subdomain.key
</VirtualHost>
</IfModule>
sub1.domain.com
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName sub1.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-subdomain1.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-subdomain1.key
</VirtualHost>
</IfModule>
sub2.domain.com
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName sub2.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-subdomain2.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-subdomain2.key
RewriteEngine On
RewriteRule (.*) http://%{SERVER_NAME}$1 [R,L]
</VirtualHost>
However, if going to all this hassle, then you might want to rethink not serving everything over https.
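
Added example, not part of the original posts: a small Python model of the vhost selection behaviour that two answers on this page rely on, namely that a ServerName repeated across vhosts on one port is served by whichever is read first, and that a host with no matching vhost on a port falls back to the first vhost on that port. The function names, the condensed sample config and the simplification to `*:port` vhosts are assumptions made for illustration.

```python
import re
from fnmatch import fnmatch

# Constructed sample: the two sites' HTTPS vhosts from the example.com thread,
# condensed, in the assumed load order (app.example.com.conf is read first).
SAMPLE = """
<VirtualHost *:443>
    ServerName example.com
    ServerAlias app.example.com
    DocumentRoot /var/www/website1
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/website2
</VirtualHost>
"""

def parse_vhosts(text):
    """Return the vhosts in config order as dicts: port, names, docroot."""
    vhosts = []
    pattern = r"<VirtualHost\s+\S*?:(\d+)\s*>(.*?)</VirtualHost>"
    for port, body in re.findall(pattern, text, re.S | re.I):
        names, docroot = [], None
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names += [n.lower() for n in parts[1:]]
            elif key == "documentroot" and len(parts) > 1:
                docroot = parts[1]
        vhosts.append({"port": int(port), "names": names, "docroot": docroot})
    return vhosts

def resolve(vhosts, host, port):
    """Simplified model of name-based selection: the first vhost on the port
    whose ServerName/ServerAlias matches, else the first vhost on that port."""
    on_port = [v for v in vhosts if v["port"] == port]
    for v in on_port:
        if any(fnmatch(host.lower(), n) for n in v["names"]):
            return v
    return on_port[0] if on_port else None

def shadowed(vhosts):
    """Yield (port, name, docroot) for names an earlier vhost already claims."""
    seen = {}
    for v in vhosts:
        for n in dict.fromkeys(v["names"]):
            if seen.setdefault((v["port"], n), v) is not v:
                yield v["port"], n, v["docroot"]

if __name__ == "__main__":
    print(resolve(parse_vhosts(SAMPLE), "example.com", 443)["docroot"])
```

Running `shadowed()` over the concatenated contents of sites-enabled before a reload flags a vhost whose name can never be reached on that port.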