I would like to set up a subdomain on my virtual server with Debian 9 and Apache 2 which points to a directory at /var/www/html/test.
SSL and Let's Encrypt are also enabled, so the subdomain should be reachable with https too.
My 000-default.conf file looks like:
<VirtualHost _default_:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost _default_:443>
DocumentRoot /var/www/html
ServerName www.example.com
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
SSLEngine on
ServerAlias www.example.com
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
The file default-ssl.conf looks like:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
ServerName www.example.com
ServerAlias example.com
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I made a new copy of the 000-default.conf file, named it "test.example.com.conf" and enabled it by means of a2ensite. The file looks like:
<VirtualHost _default_:80>
ServerAdmin webmaster@test.example.com
DocumentRoot /var/www/html/test
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost _default_:443>
DocumentRoot /var/www/html/test
ServerName test.example.com
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
SSLEngine on
ServerAlias test.example.com
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
My hosts file includes the entry SERVER_IP_ADDRESS test.example.com.
The DNS server has an "A" record with test.example.com pointing to SERVER_IP_ADDRESS.
Pinging test.example.com from another machine ends in "Host not found", and a ping on the virtual server results in a response from itself.
So why does the web browser only show "Server not found"?
Did I forget something? Is something in my config wrong?
After long testing and research I found the mistake!
There were 3:
The DNS A-entry took some time to complete
my .htaccess forwarding caused the URL always to be rewritten to www.example.com, no matter which subdomain was typed in
my test.example.com.conf file has a mistake in it which makes the subdomain available only via https: the ServerAlias instruction was missing inside <VirtualHost _default_:80>
So it works so far and needs some improvements...
I hope I will help someone else with my mistakes!
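As an added example (not part of the original posts), a small Python check that reads vhost files and reports a hostname bound on only one of ports 80/443, which is the mistake found above, and a certificate and key loaded from different directories, as in the 000-default-le-ssl.conf shown in the next question. It is a regex reader for those few directives, not a full Apache config parser, and SAMPLE is constructed.

```python
"""Audit Apache vhost files for a name missing from one port and for cert/key path mismatches.
Added example, not from the original post: a regex reader for the few directives this page
turns on, not a full Apache config parser. SAMPLE is constructed from the question's layout."""
import os
import re
from collections import defaultdict

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
DIRECTIVE = re.compile(r"(ServerName|ServerAlias|SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.I)


def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: port, names, cert, key."""
    vhosts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur = None
        elif (m := VHOST_OPEN.match(line)):
            # "_default_:80" or "*:443": keep only the port
            cur = {"port": m.group(1).rsplit(":", 1)[-1], "names": [], "cert": None, "key": None}
        elif cur is not None and (d := DIRECTIVE.match(line)):
            key, value = d.group(1).lower(), d.group(2)
            if key in ("servername", "serveralias"):
                cur["names"].extend(line.split()[1:])  # ServerAlias may list several names
            elif key == "sslcertificatefile":
                cur["cert"] = value
            else:
                cur["key"] = value
    return vhosts


def audit(text):
    """Warnings: a name bound on only one of 80/443, or cert and key from different directories."""
    ports, warnings = defaultdict(set), []
    for vh in parse_vhosts(text):
        for name in vh["names"]:
            ports[name].add(vh["port"])
        if vh["cert"] and vh["key"] and os.path.dirname(vh["cert"]) != os.path.dirname(vh["key"]):
            warnings.append(f"port {vh['port']}: certificate and key come from different directories")
    for name in sorted(ports):
        for want in ("80", "443"):
            if want not in ports[name]:
                warnings.append(f"{name}: not bound on port {want}, a catch-all vhost answers instead")
    return warnings


# Constructed input mirroring test.example.com.conf before the fix: the name is only on :443
SAMPLE = """<VirtualHost _default_:80>
DocumentRoot /var/www/html/test
</VirtualHost>
<VirtualHost _default_:443>
ServerName test.example.com
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/test.example.com/privkey.pem
</VirtualHost>"""
```

Run `audit(open("/etc/apache2/sites-enabled/test.example.com.conf").read())` against a real file; a `_default_` vhost without names produces no warnings of its own.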
Certbot installed two lets-encrypt SSL certificates but none working
On my AWS EC2 Ubuntu 18, the three files are as follows:
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =sub1.domain.net [OR]
RewriteCond %{SERVER_NAME} =sub2.domain.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
/etc/apache2/sites-available/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
SSLEngine on
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName sub1.domain.net
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias sub2.domain.net
SSLCertificateFile /etc/letsencrypt/live/sub1.domain.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub2.domain.net/privkey.pem
</VirtualHost>
</IfModule>
/etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
/var/log/letsencrypt/letsencrypt.log
2018-12-21 04:51:46,545:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/000-default-le-ssl.conf
2018-12-21 04:51:46,744:INFO:certbot_apache.configurator:Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
netstat -ltnp | grep ':80\|:443'
tcp6 0 0 :::443 :::* LISTEN 1529/apache2
tcp6 0 0 :::80 :::* LISTEN 1529/apache2
I tried everything but the outside world doesn't find any certificate.
I didn't put any entry into this file: /etc/apache2/apache2.conf
The subdomains were taken from the free DNS service dynu dot com.
I have Apache 2.4.18 (Ubuntu) running as a reverse proxy. To protect my personal environment, I have added an SSLVerifyClient require and so far no problems.
However, Jira wants to access itself to load some language strings. According to the logging of Jira it's https://{DOMAIN_URL}/rest/gadgets/1.0/g/messagebundle/nl_NL/gadget.common%2Cgadget.project, where gadget.common%2Cgadget.project can be different, depending on which module it wants some translation string for.
Ok, fine. So to solve this, I thought of making this URL available to Jira and therefore skip SSLVerifyClient for only this specific URL.
My current config:
<VirtualHost *:80>
ServerName {DOMAIN}
Redirect permanent / https://{DOMAIN}
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin info@{DOMAIN}
ServerName {DOMAIN}
<Location / >
Options FollowSymLinks
AllowOverride None
</Location>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLEngine on
SSLCompression Off
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLCertificateFile {SSL}/fullchain.pem
SSLCertificateKeyFile {SSL}/privkey.pem
SSLCACertificateFile {PATH}/ca.crt
SSLVerifyClient require
SSLStrictSNIVHostCheck on
SSLVerifyDepth 1
ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://localhost/
ProxyPassReverse / http://localhost/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
I tried to add the following two snippets after SSLVerifyDepth 1
<Directory "/rest/gadgets">
SSLVerifyClient none
</Directory>
And
<Location /rest/gadgets>
SSLVerifyClient none
</Location>
I did however check https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html (Client Authentication and Access Control), but both are not working. I'm not quite sure, but perhaps the specified path in Location and Directory is not the right one. I wanted to make it universal and just check if the first part of the URL contains /rest/gadgets.
I hope my question is somewhat clear.
It seems like this is an answer to my question:
<VirtualHost *:80>
ServerName {DOMAIN}
Redirect permanent / https://{DOMAIN}
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin info@{DOMAIN}
ServerName {DOMAIN}
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLEngine on
SSLCompression Off
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLCertificateFile {SSL}/fullchain.pem
SSLCertificateKeyFile {SSL}/privkey.pem
SSLCACertificateFile {PATH}/ca.crt
SSLStrictSNIVHostCheck on
<Location / >
SSLVerifyClient require
SSLVerifyDepth 1
Options FollowSymLinks
AllowOverride None
</Location>
<Location /rest/gadgets>
SSLVerifyClient none
</Location>
ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://localhost/
ProxyPassReverse / http://localhost/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
The trick was to extend the current Location and move SSLVerifyClient into it. Afterwards, add an extra Location directive with the excluded path, /rest/gadgets in this case.
So I've been messing around with Apache, and I bought an SSL certificate. I finally got it installed, but now when I go to my domain with the URL (leethecoder.com) I assume it's trying to use HTTP? And my server, of course, with an SSL certificate is not listening on port 80. But, if I include https:// before the URL (https://leethecoder.com), it works. Is there a way I can make the server force the basic URL (leethecoder.com) to go to port 443?
This is my current /sites-enabled/ configuration file.
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
ServerName www.leethecoder.com
ServerAlias www.leethecoder.com leethecoder.com
Options -Indexes
DocumentRoot /var/www/leethecoder.com/public_html/
SSLEngine on
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
IMO, this is "properly" (you're currently an A-, the below might help to get an A+):
<VirtualHost *:80>
ServerName leethecoder.com
ServerAlias *.leethecoder.com
UseCanonicalName Off
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RedirectPermanent / https://leethecoder.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.leethecoder.com
UseCanonicalName Off
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RedirectPermanent / https://leethecoder.com/
</VirtualHost>
<VirtualHost *:443>
ServerName leethecoder.com
UseCanonicalName Off
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
DocumentRoot /var/www/leethecoder.com/public_html
<Directory /var/www/leethecoder.com/public_html/>
Allow From All
</Directory>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
</VirtualHost>
This is, of course, assuming that your variables are valid, you prefer the https without the www, and that you're OK for your clients to use that cipher suite. Also, that you've enabled the site, and disabled any other conflicting sites.
The proper way to do it (the secure way) is to use the Apache virtual host redirect:
<VirtualHost *:80>
ServerName www.example.com
Redirect / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com
# ... SSL configuration goes here
</VirtualHost>
Or you need to use mod_rewrite to return an HTTP_RESPONSE 301 for redirect to your HTTPS site.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
Also, you need to listen on port 80.
http://httpd.apache.org/docs/current/mod/mod_rewrite.html
I have set up 2 websites on my Ubuntu web server and am having some trouble with getting two SSL certificates to work correctly. I did get one working on its own at first; however, now I can't restart Apache successfully.
Error when trying to restart Apache
* Restarting web server apache2
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 3 of /etc/apache2/sites-enabled/website1.conf:
ServerName takes one argument, The hostname and port of the server
Action 'configtest' failed.
Output of /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Output of website1.conf (first vhost file from /etc/apache2/sites-available)
<VirtualHost *:80>
ServerAdmin support@localhost
ServerName www.website1.com website1.com
DocumentRoot /var/www/html/website1.com/public
Redirect permanent /secure https://website1.com
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin support@localhost
ServerName website1.com
DocumentRoot /var/www/html/website1.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /var/www/html/website1.com/private/website1.crt
SSLCertificateKeyFile /var/www/html/website1.com/private/website1_private.key
SSLCertificateChainFile /var/www/html/website1.com/private/DigiCertCA.crt
</VirtualHost>
Output of website1.conf (second vhost file from /etc/apache2/sites-available)
<VirtualHost *:80>
ServerAdmin support@localhost
ServerAlias www.website2.com website2.com
DocumentRoot /var/www/html/website2.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin support@localhost
ServerName website2.com
DocumentRoot /var/www/html/website2.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /var/www/html/website2.com/private/website2.crt
SSLCertificateKeyFile /var/www/html/website2.com/private/website2_private.key
SSLCertificateChainFile /var/www/html/website2.com/private/DigiCertCA.crt
</VirtualHost>
Any help or verification of my config would be greatly appreciated. Thanks in advance.
I have a Server which is running Debian 8.1 with Apache 2.4.10 and OpenSSL 1.0.1k.
I have a domain example.com with a few subdomains like www.example.com, cloud.example.com and db.example.com, all pointed to the server (A records).
All these subdomains have their own VirtualHosts with their own SSL certificates. Also, if you send an HTTPS request with another domain or with the IP you'll get a page with a self-signed certificate.
Everything was running perfectly until I rebooted my server.
Now when I request example.com (without a subdomain prefix) I get the self-signed cert. The subdomains are working perfectly fine. I have the following vHost configs:
(because I only want HTTPS I have a rewrite rule for all HTTP connections)
000-default.conf
<VirtualHost *:80>
ServerAdmin admin@example.com
RewriteEngine On
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin@example.com
DocumentRoot /var/www
<Directory /var/www>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/default/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/default/ca.key
</VirtualHost>
</IfModule>
www.example.com.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/www.example.com/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/www.example.com/ca.key
SSLCertificateChainFile /etc/ssl/certs/www.example.com/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/www.example.com/ca.pem
</VirtualHost>
</IfModule>
cloud.example.com.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin@example.com
ServerName cloud.example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/www.example.com/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/www.example.com/ca.key
SSLCertificateChainFile /etc/ssl/certs/www.example.com/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/www.example.com/ca.pem
</VirtualHost>
</IfModule>
I really hope that somebody can help me!
The hostname was example (like the domain, but without .com) so I changed the hostname to some random typing and after a reboot everything worked fine again. When I changed my hostname back it kept working even after a reboot.
For me, changing the order of VirtualHosts helped to solve the problem, by putting the malfunctioning VirtualHost at the top of the conf file.