How to disable direct IP access in Apache - apache

I have a website with CloudFlare protection, which seems good too, but if you enter the original IP address of my server you can enter normally.
I'm using Apache (XAMPP) and SSL (https://).
I want something similar to when you enter from the IP address with CloudFlare, which throws error 1003.

Edit or create a default vhost and put this inside:
<VirtualHost *:80>
ServerName xxx.xxx.xxx.xxx
Redirect 403 /
DocumentRoot /var/www/html
</VirtualHost>
xxx.xxx.xxx.xxx is your server IP address.
After that, restart your Apache:
sudo a2ensite your-vhost.conf
sudo systemctl restart apache2
Hope that helps

You can verify if the domain received in the request matches your site domain. If not, force a redirection to the user. Like so:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.example\.com
RewriteRule (.*) https://www.example.com$1 [R=301,L]
So IP accesses will be forced back to the domain name.
Obviously, you could return anything, this is just one method I see often.

Under Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
I just copied my 000-default-ssl.conf as disable-ip.ssl.conf and put the content below in it:
cd /etc/apache2/sites-available
cp 000-default-ssl.conf disable-ip.ssl.conf
Content of the disable-ip.ssl.conf vhost file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@localhost
ServerName localhost
# Write the IP address of your website here (Apache does not allow comments at the end of a directive line)
ServerAlias XXX.XXX.XX.XX
UseCanonicalName Off
Redirect 403 /
ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
then
a2ensite disable-ip.ssl.conf
service apache2 restart
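The answers above rely on how Apache chooses a name-based vhost: per port it takes the first vhost whose ServerName or ServerAlias matches the Host header, and falls back to the first vhost listed when nothing matches. The following is an added example, not code from any of the answers, that models this rule to check whether a request addressed to the bare IP reaches a rejecting vhost; the sample configs, the IP 203.0.113.10 and all function names are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed config: only the site vhost exists (the question's situation).
SITE_ONLY = """
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
</VirtualHost>
"""
# Constructed config: a rejecting vhost is loaded first (the answers' approach).
WITH_DEFAULT = """
<VirtualHost *:443>
    ServerName localhost
    Redirect 403 /
</VirtualHost>
""" + SITE_ONLY

def parse_vhosts(conf):
    """Return [(port, names, rejects)] in the order Apache would read them."""
    vhosts = []
    blocks = re.findall(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", conf, re.S | re.I)
    for port, body in blocks:
        names = []
        for _, args in re.findall(r"^\s*(ServerName|ServerAlias)\s+(.+)$", body, re.M | re.I):
            names += [a.lower() for a in args.split()]
        rejects = bool(re.search(r"^\s*Redirect\s+403\s+/", body, re.M | re.I))
        vhosts.append((int(port), names, rejects))
    return vhosts

def select_vhost(vhosts, port, host):
    """First vhost on the port whose name matches Host, else the first vhost on the port."""
    host = host.lower().split(":")[0]  # drop a port suffix (IPv6 literals not handled)
    candidates = [v for v in vhosts if v[0] == port]
    for v in candidates:
        if any(fnmatchcase(host, name) for name in v[1]):
            return v
    return candidates[0] if candidates else None

def ip_access_blocked(conf, port, ip):
    """True if a request whose Host is the bare IP lands on a rejecting vhost."""
    chosen = select_vhost(parse_vhosts(conf), port, ip)
    return chosen is not None and chosen[2]
```

On Debian and Ubuntu the files in sites-enabled are read in alphabetical order, so the file name decides which vhost is first; `apachectl -S` prints the order Apache actually uses.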

Related

Apache virtual host redirect issue [duplicate]

I'm trying to host a site on my server (Vultr). The site is live and I have a domain name from Namecheap pointed to it. I have used Let's Encrypt and have https for www.example.com and example.com.
I also have it set so when you enter the IP like: http://111.222.33.444 it directs to the secured domain name. So everything up to this point works just as I expected, but then I encounter this problem: if someone enters https://111.222.33.444 the untrusted website warning page comes up. I want this to also just direct to https://example.com.
I have .conf files for http and https. I probably also have too much rubbish in these files, so probably need to write these more efficiently.
home.conf:
<VirtualHost *:80>
ServerAdmin admin@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/home
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerName 111.222.33.444
ServerAlias 111.222.33.444
UseCanonicalName Off
Redirect "/" "https://www.example.com/"
#ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
home-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/home
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
ServerName 111.222.33.444
ServerAlias 111.222.33.444
UseCanonicalName Off
Redirect "/" "https://www.example.com"
ErrorDocument 403 "Sorry, direct IP access not allowed."
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
This is nothing to do with Apache configuration; an SSL certificate has to be valid for the URL you request. From the point of view of the browser, following a redirect response requires exactly the same trust in the certificate as rendering some content from the response.
From a security point of view, imagine I intercept your wi-fi signal and respond to a request for https://www.facebook.com with a redirect to https://www.my-evil-hacking-site.com (or something less obvious). If the browser follows that redirect without checking the certificate I present, I've successfully defeated the security provided by the certificate validation.
From a technical point of view, note that a TLS (formerly known as SSL) connection is negotiated before any HTTP request is made at all, and the redirect you're trying to issue is an HTTP response. There actually had to be an extension to TLS to allow the requested hostname to be transmitted as part of that negotiation, to allow for multiple virtual hosts on one IP address. If the browser rejects the certificate the server offers at this stage, it will never send an HTTP request for you to respond to.
So, as far as the browser is concerned, you need to present a certificate which is valid for https://111.222.33.444. See: Is it possible to have SSL certificate for IP address, not domain name? to which the answer is "Yes, but it's rare". Also note that Let's Encrypt do not issue such certificates.
The reason it's rare is that there's generally no reason for anyone to try to browse to https://111.222.33.444 in the first place. Redirects are mostly just a convenience to the user, and certificate checks are about protecting the user, not protecting the server; so just leaving it as a certificate error is generally fine.
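The ordering described in this answer, certificate check first and HTTP afterwards, can be made concrete. The following is an added example, not part of the original answer, that models the client-side name check: an IP literal in the URL is compared only with the certificate's IP address entries, never with its DNS names, and a wildcard covers exactly one left-most label. The SAN list, the IP 203.0.113.10 and the function names are constructed for illustration.

```python
import ipaddress

def is_ip(value):
    """True if the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """RFC 6125-style match: '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(host, dns_sans, ip_sans=()):
    """Would a client accept a certificate with these SAN entries for this URL host?"""
    if is_ip(host):
        # IP literals are compared only with iPAddress SAN entries.
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(i) == target for i in ip_sans)
    return any(dns_match(p, host) for p in dns_sans)

def https_request_outcome(host, dns_sans, ip_sans=()):
    """The certificate is validated before any HTTP request is sent."""
    if not cert_covers(host, dns_sans, ip_sans):
        return "certificate error: no HTTP request sent, redirect never seen"
    return "handshake ok: HTTP request sent, server may answer with a redirect"

# Constructed values: SAN entries like the question's certificate, and a documentation IP.
SITE_SANS = ["example.com", "www.example.com"]
ORIGIN_IP = "203.0.113.10"
```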

SSL Certificate error in Apache 2.4 ending to gitlab domain.com/users/sign_in

I am facing an SSL certificate problem.
I have a dedicated host, and I cannot figure out what I am missing; I receive this error in the browser:
Chrome:
NET::ERR_CERT_COMMON_NAME_INVALID
Mozilla:
SSL_ERROR_BAD_CERT_DOMAIN
Messages in browser are quite similar:
Impossible to verify from the server that it is truly the domain site2.com, because its security certificate comes from *.sub.site1.com. It may come from a bad config or from the connection getting caught by a pirate. (translated message)
So it seems that the certificate is not taken when it goes through the virtual box:
<VirtualHost *:80>
ServerName www.site2.com
ServerAlias site2.com
Redirect permanent / https://site2.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.site2.com
ServerAlias site2.com
DocumentRoot /var/www/site2
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.site2.com'">
Redirect permanent / https://site2.com/
</If>
ErrorLog ${APACHE_LOG_DIR}/site2-error.log
CustomLog ${APACHE_LOG_DIR}/site2-access.log combined
SSLEngine On
SSLCertificateFile /home/certifs/site2.crt
SSLCertificateKeyFile /home/certifs/site2.key
SSLCertificateChainFile /home/certifs/site2.pem
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLUseStapling on
<Directory /var/www/site2/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/site2/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
Finally, if I choose to go to the website anyway, it arrives at a GitLab sign-in page like:
site2.com/users/sign_in
For information, the server works with apache2 and Debian, and we have GitLab installed.
Thank you in advance for your help.
The problem was that in apache2 I was creating the conf file in the sites-available folder, but I was never adding it to the sites-enabled folder.
Executing the command "a2ensite site2.conf" fixed this problem.
To check whether you have enabled your site properly, I advise you to execute this command: apachectl -S. Please also check this subject, because it may change depending on your server config: How to debug an apache virtual host configuration?

Redirecting http to https on raspberry pi

I have a webserver on my Raspberry Pi; I bought my URL on strato.de and my dyndns is on noip.com. The redirect from my URL to the Raspberry Pi is fine and works. Now I wanted to use automatic redirection from http requests to https. Therefore I installed letsencrypt and created an SSL certificate file. Also I enabled SSL on strato.de for my URL. I tested it with https://www.myurl.de/ and it works, but if I use http://www.myurl.de I get this error:
Network Error (tcp_error)
A communication error occurred: "Connection refused"
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
Transaction ID: b5151b4415351db8-000000008e3c905d-000000005c177c1e
For assistance, contact your network support team.
Your request was categorized by Blue Coat Web Filter as 'Dynamic DNS Host'.
If you wish to question or dispute this result, please click here.
It sounds to me as if something in the config files is wrong. Therefore, here is the content of my 000-default.conf and default-ssl.conf files.
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</IfModule>
</VirtualHost>
default-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/<noip-dyndns-name>.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<noip-dyndns-name>.com/privkey.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Does anyone see the mistake I made?

Installed SSL on Apache server, page not responding

My question is about SSL installation. I purchased a new SSL certificate for a website that's hosted on an Ubuntu 16.04 box with Apache 2.4.29. I was able to get this installed and I'm not getting any errors but my page is not redirecting. I've followed some guides (DigitalOcean) but feel as if I'm missing something.
I have checked the sites-available files (000-default.conf, default-ssl.conf & example.com.conf) and I'm not seeing anything that's catching my eye, but I feel I might be missing something. I've checked the status of Apache and I'm not getting any errors and I've restarted the services several times to no avail.
Here's a general breakdown of what I have. Am I missing something? Is additional information required for setting this up?
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
Redirect "/" "https://example.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
SSLCertificateFile /root/example.com.crt
SSLCertificateKeyFile /root/www.example.com.key
SSLCACertificateFile /root/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
mydomain.com.conf
<VirtualHost *:443>
ServerAdmin admin@somedomain.com
ServerName mydomain.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/html
Redirect permanent / https://example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Here is my attempt at a combined configuration. Note that I do not have your setup to test it, but I have used similar configurations on production servers.
First define your port 80 VirtualHost (000-default.conf in your setup):
Listen 80
<VirtualHost *:80>
Redirect "/" "https://example.com/"
LogLevel debug
ErrorLog "${APACHE_LOG_DIR}/80_error.log"
CustomLog "${APACHE_LOG_DIR}/80_access.log" combined
</VirtualHost>
No need for a DocumentRoot since you redirect everything.
Then comment out default-ssl.conf. This file is an example of what you could do to set up an SSL-enabled VirtualHost. If you use that file AND another VirtualHost on port 443, this one will always be used, since Apache uses the first VirtualHost it finds that matches the client's request (here port 443).
Another point: VirtualHosts are not "added" to one another. Each is independent of the others and must contain a complete configuration. This means you cannot put some configuration in one VirtualHost on port 443, and some in another, and expect it to work.
Then create your example.com.conf file:
Listen 443
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
SSLCertificateFile "/root/example.com.crt"
SSLCertificateKeyFile "/root/example.com.key"
SSLCACertificateFile "/root/intermediate.crt"
LogLevel debug
ErrorLog "logs/443_error_log"
CustomLog "logs/443_access_log" combined
DocumentRoot "/var/www/example.com/html"
DirectoryIndex index.html
<Directory "/var/www/example.com/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Some notes:
I put the LogLevel at debug, so you can troubleshoot, but once it is working, change it to error. Otherwise you will have huge log files quickly!
For the same reason, I split the logs for port 80 and port 443. Each VirtualHost should have its own logs.
The certificate files must match the domain name. Not the filename (although it makes it easier to match), but the certificate itself.
If you want your certificate to cover example.com and www.example.com, both names must be added to the alternate names in the certificate.
I do not understand why you have Redirect permanent / https://example.com in your configuration. You are already in the https, port 443 VirtualHost.
The options based on <FilesMatch> directives in the default ssl configuration can be added if you want.
This setup will ensure that all http requests will be redirected to https://example.com. Then it will use the :443 VirtualHost, use the proper certificate for that domain and serve the content from the DocumentRoot directory.

My VirtualHost redirects for an HTTPS site are broken

Apache/2.2.15, CentOS Linux.
I have a site where I want the whole site to be SSL-encrypted all the time. Normally, I don't use mod_rewrite to do my www/non-www redirects; I just use VirtualHosts and the Redirect directive.
Trying to do this with my HTTPS site, however, is returning a generic SSL connection error in all browsers. Here's my vhost file (domain names and IP addresses changed):
NameVirtualHost 192.168.0.256:80
NameVirtualHost 192.168.0.256:443
<VirtualHost 192.168.0.256:80>
ServerName www.example.com
ServerAlias example.com
Redirect / https://www.example.com/
</VirtualHost>
# ############################
# This block breaks everything
# ############################
<VirtualHost 192.168.0.256:443>
ServerName example.com:443
Redirect / https://www.example.com/
</VirtualHost>
<VirtualHost 192.168.0.256:443>
DocumentRoot /var/www/example_site/htdocs/
ServerName www.example.com:443
ErrorLog /var/www/logs/example_site/error_log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl.crt/www.example.com.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/www.example.com.key
SSLCACertificateFile /etc/httpd/ssl.crt/www.example.com.ca-bundle
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Directory /var/www/example_site/htdocs/>
Options FollowSymLinks MultiViews
AllowOverride All
</Directory>
<Files ~ "\.php$">
SSLOptions +StdEnvVars
</Files>
</VirtualHost>
The block marked "This block breaks everything" appears to be the culprit. When that VirtualHost block is commented out, the site loads as expected and everything's fine. But I really want/need to redirect non-www to www, and when that block is enabled, I get this on every attempt to load the site:
Error logs don't seem to show anything useful. Can anyone tell from this what exactly is going wrong?
Port 443 always needs a certificate attached to it. Even if it's just a simple redirect. Connect -> SSL -> Data transfer.