I have a webserver on my raspberry pi, my url I bought on strato.de and my dyndns is on noip.com. The redirecting from my url to the raspberry pi is fine and works. Now I wanted to use automatically redirection from http-request to https. Therefore I installed letsencrypt and create a ssl certificate file. Also I enabled ssl on strato.de for my url. I tested it with https://www.myurl.de/ and it works but if I use http://www.myurl.de I get this error:
Network Error (tcp_error)
A communication error occurred: "Connection refused"
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
Transaction ID: b5151b4415351db8-000000008e3c905d-000000005c177c1e
For assistance, contact your network support team.
Your request was categorized by Blue Coat Web Filter as 'Dynamic DNS Host'.
If you wish to question or dispute this result, please click here.
It sounds to me as something in the config-files are wrong. Therefore is here my code of the 000-default.conf and default-ssl.conf file.
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</IfModule>
</VirtualHost>
default-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/<noip-dyndns-name>.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<noip-dyndns-name>.com/privkey.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Does someone see my mistake I made?
Related
This question already has answers here:
Is it possible to have SSL certificate for IP address, not domain name? [closed]
(7 answers)
Closed 10 months ago.
I'm trying to host a site on my server(vultr) The site is live and I have a domain name from Namecheap pointed to it. I have used Let's Encrypt and have https for www.example.com and example.com.
I also have it set so when you enter the ip like: http://111.222.33.444 it directs to the secured domain name. So everything up to this point works just as I expected, but then I encounter this problem: if someone enters https:///111.222.33.444 the untrusted website warning page comes up. I want this to also just direct to https://example.com.
I have .conf files for http and https. I probably also have too much rubbish in these files, so probably need to write these more efficiently.
home.conf:
<VirtualHost *:80>
ServerAdmin admin#example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/home
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerName 111.222.33.444
ServerAlias 111.222.33.444
UseCanonicalName Off
Redirect "/" "https://www.example.com/"
#ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
home-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin#example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/home
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
ServerName 111.222.33.444
ServerAlias 111.222.33.444
UseCanonicalName Off
Redirect "/" "https://www.example.com"
ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
This is nothing to do with Apache configuration; an SSL certificate has to be valid for the URL you request. From the point of view of the browser, following a redirect response requires exactly the same trust in the certificate as rendering some content from the response.
From a security point of view, imagine I intercept your wi-fi signal and respond to a request for https://www.facebook.com with a redirect to https://www.my-evil-hacking-site.com (or something less obvious). If the browser follows that redirect without checking the certificate I present, I've successfully defeated the security provided by the certficate validation.
From a technical point of view, note that a TLS (formerly known as SSL) connection is negotiated before any HTTP request is made at all, and the redirect you're trying to issue is an HTTP response. There actually had to be an extension to TLS to allow the requested hostname to be transmitted as part of that negotiation, to allow for multiple virtual hosts on one IP address. If the browser rejects the certificate the server offers at this stage, it will never send an HTTP request for you to respond to.
So, as far as the browser is concerned, you need to present a certificate which is valid for https:///111.222.33.444. See: Is it possible to have SSL certificate for IP address, not domain name? to which the answer is "Yes, but it's rare". Also note that Let's Encrypt do not issue such certificates.
The reason it's rare is that there's generally no reason for anyone to try to browse to https:///111.222.33.444 in the first place. Redirects are mostly just a convenience to the user, and certificate checks are about protecting the user, not protecting the server; so just leaving it as a certificate error is generally fine.
my configuration file for redirecting http to https is not working. I have tried different options found in StackOverflow
Apache virtual host redirect http to https
plus external resources like https://www.digitalocean.com/community/tutorials/how-to-create-temporary-and-permanent-redirects-with-apache-and-nginx
https://www.digitalocean.com/community/tutorials/how-to-rewrite-urls-with-mod-rewrite-for-apache-on-debian-10
the alias_mod and rewrite_mod are enabled (in the mods-enables folder)
port 80 and 443 are enabled (in the ports.conf file)
I have also tried with htacces in the project folder but I would rather not to use it
At the moment I have two conf files (one for the HTTP and the other for the https, as for default-guidelines conf files existing in the apache2 folder)
The app works on BOTH https and HTTP but there is no redirect (not in the network in the development tools and I cannot get any info from the logs)
The app has an internal redirect from "/" to the "/login" : I do not know if it can cause any issue
These are the conf files:
1- example.con
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName example.com
DocumentRoot /var/www/assets/eit_resource_manager_frontend/build
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RedirectMatch ^(.*)$ https://example.com$1
</VirtualHost>
2- example.ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#localhost
ServerName example.com
DocumentRoot /var/www/assets/eit_resource_manager_frontend/build
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
I'm using certbot to set up an ssl certificate on a domain (mydigitalbalance.com). I am changing the domain from a previous staging domain that I was using in order to do testing. In order to make sure there were no conflicts, I followed certbot's apache2 instructions and completely deleted all previous certificates that were on the server as well as certbot itself.
I re-installed certbot following the instructions, added two certificates for the naked domain and for www, and re-started apache.
However as you can see if you go to the URL, it is still showing as an insecure website.
I wanted to take a closer look at the certificate so in chrome I clicked on "Not Secure" in the url bar, and clicked on Certificate.
It says on the first dropdown that the certificate is invalid:
However when you click into the certificate itself, it correctly says it's a valid cert and that it is not expired and was issued by Lets Encrypt:
What is happening here? how do I fix it?
I completely commented out all the default .conf information on my setup, and the only conf is for mydigitalbalance.com, here is my mydigitalbalance.conf:
# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName mydigitalbalance.com
ServerAlias www.mydigitalbalance.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.mydigitalbalance.com [OR]
RewriteCond %{SERVER_NAME} =mydigitalbalance.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
and here is the mydigitalbalance-le-ssl.conf that was automatically generated when i restarted apache:
GNU nano 4.8 mydigitalbalance-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ServerName mydigitalbalance.com
ServerAlias www.mydigitalbalance.com
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.mydigitalbalance.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydigitalbalance.com/privkey.pem
</VirtualHost>
</IfModule>
Is this a propagation issue?
I have an SSL certificate from Certbot for "mysite". When I use FF or Chrome to go to mysite (with or without using the http:// prefix) I get to the non-SSL site. No redirect happens. But when I use Edge, my redirect works and I automatically get to https://mysite. In FF, when I get to the non-SSL site then I reload the page, I DO get to the SSL site. In Chrome, I cannot get to the SSL site, even if I enter the https://. The 2 sites are on the same Windows machine (using Apache server) with virtual hosts for ports 80 and 443. What am I missing?
Here are my virtual host directives:
<VirtualHost *:80>
ServerAdmin dforeman#stny.rr.com
DocumentRoot "${djpath}"
ServerName dforeman.homedns.org
Redirect / https://dforeman.homedns.org
ErrorLog "E:/logfiles/new-v80.log"
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost _default_:443>
# DO NOT replace _default_ above
# General setup for the virtual host
DocumentRoot "E:/DJs Documents/apublic_html"
ServerName dforeman.homedns.org
ServerAdmin dforeman#stny.rr.com
ErrorLog "E:/logfiles/verror.log"
TransferLog "E:/logfiles/vhttp-access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile "C:/fullchain.pem"
SSLCertificateKeyFile "C:/privkey.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "${SRVROOT}/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
Here is what I use in my https forwards:
<VirtualHost *:80>
ServerAdmin dforeman#stny.rr.com
DocumentRoot "${djpath}"
ServerName dforeman.homedns.org
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
ErrorLog "E:/logfiles/new-v80.log"
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
Note: I don't use .htaccess files to achieve this.
I am trying to get a secured connection on Apache2 working but i am having a hard time. The operating system is a new install of Ubuntu 18.04 (reinstalled today as i have been running around in circles trying to eliminate reasons this isn't working).
I can get http working, and https works using internal ip address only. External ip address gives me connection timed out.
The content i was trying to serve was a php application but at the moment i am using a single html page with one line of text until i can get this working.
Here are my VirtualHost settings.
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/http
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/http
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/cloudflare/ocdev.pem
SSLCertificateKeyFile /etc/cloudflare/ocdev.key
SSLCACertificateFile /etc/cloudflare/origin.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
I have enabled ssl using a2enmod ssl command.
Happy to provide any more information if it will help.
Please assist!