SetHandler seems to be ignored - apache

Installing shibboleth on apache 2 on Ubuntu 14.04LTS. The actual shib install seems to go fine, so I configured the site .conf file to use shibboleth.
When I access https://lib.msu.edu/secure, it is handled by shibboleth (with an appropriate config exception at this stage), but when I access https://lib.msu.edu/Shibboleth.sso/Metadata (or anything else in Shibboleth.sso) it gets redirected to php/drupal, is never seen by the shibboleth system and gets a 404 error.
My best guess is that apache is not passing the request to shibboleth, but I am not sure why, nor how to debug the situation. This all worked fine on our test server and we cannot find any configuration differences that explain why.
apache .conf file follows:
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName lib.msu.edu
ServerAlias library.msu.edu
ServerAlias [...]
DocumentRoot [MyValidRoot]
<Directory [MyValidRoot]>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location /secure>
AuthType shibboleth
ShibRequireSession On
Require valid-user
</Location>
SSLEngine on
SSLCertificateFile [validcertpath]
SSLCertificateKeyFile [validkeypath]
SSLCertificateChainFile [validIntermediateCertpath]
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite [cipherString]
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Redirect /cgi-bin/ [CGIserver]/cgi-bin/
# Redirect all requests to lib.msu.edu (except wwwm, for testing mirror)
<If "! req('Host') in { 'lib.msu.edu', 'wwwm.lib.msu.edu' }">
Redirect / https://lib.msu.edu/
</If>
RewriteEngine On
# force trailing slash
RewriteCond %{REQUEST_METHOD} !=post [NC]
RewriteRule ^(.*(?:^|/)[^/\.]+)$ $1/ [L,R=301]
# redirect .js and .css 404s to tomcat
RewriteCond %{REQUEST_URI} \.(css|js)$
RewriteCond /var/www/mainweb%{REQUEST_URI} !-f
RewriteRule ^/(.*)$ https://tomcat.lib.msu.edu/$1 [L]
</VirtualHost>
Thank you for any help you can give! We have already spent hours banging our heads on this shibboleth install.
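As an added debugging aid (not part of the question above), the following Python script reproduces the regex logic of the "force trailing slash" RewriteCond/RewriteRule pair from the posted vhost and evaluates it against a handful of constructed request paths, including the two named in the question. It models only those two directives with the standard library re module; the function names would_redirect and evaluate and the SAMPLE_PATHS list are this example's own, and the script cannot tell what the shib handler does with the request afterwards.

```python
import re

# The two directives from the vhost above, reproduced verbatim:
#   RewriteCond %{REQUEST_METHOD} !=post [NC]
#   RewriteRule ^(.*(?:^|/)[^/\.]+)$ $1/ [L,R=301]
# In server context the rule is matched against the URL-path, leading slash included.
TRAILING_SLASH_RULE = re.compile(r"^(.*(?:^|/)[^/\.]+)$")


def would_redirect(request_uri: str, method: str = "GET"):
    """Return the 301 target the rule would emit for this request, or None.

    The condition skips POST requests (case-insensitively, because of [NC]).
    The rule then appends a slash whenever the final path segment contains
    neither '.' nor '/', which is what the character class [^/\\.]+ demands.
    """
    if method.lower() == "post":
        return None
    m = TRAILING_SLASH_RULE.match(request_uri)
    if m is None:
        return None
    return m.group(1) + "/"


# Constructed sample request paths; the first two are the ones named in the question.
SAMPLE_PATHS = [
    "/secure",
    "/Shibboleth.sso/Metadata",
    "/Shibboleth.sso/Metadata/",
    "/index.php",
    "/css/site.css",
    "/",
]


def evaluate(paths=SAMPLE_PATHS, method="GET"):
    """Map each path to its redirect target, or None when the rule is a no-op."""
    return {p: would_redirect(p, method) for p in paths}


if __name__ == "__main__":
    for path, target in evaluate().items():
        outcome = f"301 -> {target}" if target else "no rewrite"
        print(f"{path:30} {outcome}")
```

Run it and compare the output with what `LogLevel rewrite:trace3` (Apache 2.4) records for the same request; if the two disagree, the divergence is in the server, not in the regex.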

Related

Apache always loads the same vhost

I have the following vhosts. However the vhosts always seem to resolve to app.home when using https; the only way to make it load cloud.home is by removing app.home from the vhosts. Which leads me to believe that it ignores the ServerName setting.
app.home.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName app.home
ProxyPreserveHost On
ProxyRequests off
ProxyPass /api/websocket ws://localhost:8123/api/websocket disablereuse=on keepalive=on
ProxyPassReverse /api/websocket ws://localhost:8123/api/websocket disablereuse=on
ProxyPass / http://localhost:8123/ disablereuse=on keepalive=on
ProxyPassReverse / http://localhost:8123/ disablereuse=on
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:8123/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:8123/$1 [P,L]
SSLCertificateFile /etc/letsencrypt/live/app.home/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/app.home/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
cloud.home.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName cloud.home
DocumentRoot "/var/www/cloud"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/cloud/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/cloud.home.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/cloud.home.access.log combined
SSLCertificateFile /etc/letsencrypt/live/cloud.home/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.home/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Apache receives an encrypted connection on port 443. It then negotiates the certificate with the client's browser. But at this point, it has not read the requested domain yet. It must negotiate the certificate first to decrypt the payload.
So Apache will always use the first VirtualHost it finds that matches port 443. It gets the certificate from this one.
To fix that, you have to:
Set up a second IP for your second domain. So Apache will be configured to say domain1 == IP1, domain2 == IP2.
Use a different port for the second domain, like :444. But this is not convenient since it is not the default.
Use SNI. Do some research on this, too long for an explanation here.

Running symfony with directadmin

I have been trying to get symfony to run, next to a directadmin install. However, after trying several solutions, I have no clue how I can fix the httpd.conf file to get it to work. I'm only getting "Apache is functioning normally" right now.
Would anyone have an idea as to what my httpd.conf should look like?
I created the httpd.conf file by setting up a custom template for directadmin, basically working from what directadmin normally supplies by itself.
This is what the part for this subdomain looks like (IP/Domain have been hidden):
<VirtualHost IP:443 >
SSLEngine on
SSLCertificateFile /usr/local/directadmin/data/users/admin/domains/DOMAIN.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/admin/domains/DOMAIN.key
SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/DOMAIN.cacert
ServerName www.sym.DOMAIN
ServerAlias www.sym.DOMAIN sym.DOMAIN
ServerAdmin webmaster@DOMAIN
DocumentRoot /home/admin/domains/DOMAIN/private_html/sym/web
ScriptAlias /cgi-bin/ /home/admin/domains/DOMAIN/public_html/sym/cgi-bin/
UseCanonicalName OFF
<IfModule !mod_ruid2.c>
SuexecUserGroup admin admin
</IfModule>
CustomLog /var/log/httpd/domains/DOMAIN.sym.bytes bytes
CustomLog /var/log/httpd/domains/DOMAIN.sym.log combined
ErrorLog /var/log/httpd/domains/DOMAIN.sym.error.log
<FilesMatch "\.(inc|php|phtml|phps|php70)$">
AddHandler "proxy:unix:/usr/local/php70/sockets/admin.sock|fcgi://localhost" .php70
</FilesMatch>
<Directory /home/admin/domains/DOMAIN/private_html/sym/web>
AllowOverride None
Order Allow,Deny
Allow from All
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]
</IfModule>
</Directory>
</VirtualHost>
The differences in here compared to a default subdomain generated by directadmin, are the addition of /web behind the documentroot, and the complete "directory" settings.

Localhost subdomains and wildcard issues

I have set up a wildcard vhost on a xampp install in windows because I wanted to test some apps on localhost without having to add too many lines to vhosts.conf for each and every app. I figured the easiest and simplest way to do this was to add the following to my vhost.conf:
<VirtualHost *:80>
ServerAlias *.localhost
VirtualDocumentRoot "C:/xampp/htdocs/%1/"
</VirtualHost>
<VirtualHost *:443>
ServerAlias *.localhost
VirtualDocumentRoot "C:/xampp/htdocs/%1/"
SSLEngine on
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
<Directory "C:/xampp/htdocs/%1/">
AllowOverride All
Options Indexes FollowSymLinks MultiViews
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
This lets me access superawesomeapp1 at the foldername in htdocs as a subdomain of localhost. So anything in foo is at foo.localhost, bar at bar.localhost and so on.
This worked well until I had an app that wanted the following added to vhost.conf:
<VirtualHost *:80>
ServerName johnny.localhost
ServerAlias johnny.localhost
DocumentRoot "C:/xampp/htdocs/heyjohnny/web"
<Directory "C:/xampp/htdocs/heyjohnny/web">
AllowOverride None
Order Allow,Deny
Allow from All
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]
</IfModule>
</Directory>
<Directory "C:/xampp/htdocs/heyjohnny/web/bundles">
<IfModule mod_rewrite.c>
RewriteEngine Off
</IfModule>
</Directory>
</VirtualHost>
The vhost server alias overrides the latter, but I cannot figure out how to override the former short of commenting it out and manually mashing at the keys for every vhost I want to add which adds up after a while. I noticed it also overrode any attempt to redirect http to https. I might be running some of these things on localhost but I plan to use some of them over lan eventually. I attempted reordering the entries, putting the wildcard alias last but that didn't change anything. I'm most likely doing it wrong, but I'm open to suggestions.

Apache2 conf file with SSL causes ERR_CONNECTION_REFUSED

I am trying to configure my SSL certificate on an Ubuntu 15.10 box. I have installed the certificate files and the private key in the required directory:
SSLCertificateFile /etc/apache2/ssl-certs/pts.crt
SSLCertificateKeyFile /etc/apache2/ssl-certs/msk.key
SSLCertificateChainFile /etc/apache2/ssl-certs/intermediate.crt
When I do sudo service apache2 restart I am then prompted to Enter passphrase for SSL/TLS keys for www.mydomain.com:443 (RSA): ******** and since this process reports back with no errors, I am assuming that I have at least installed the certificates and private key correctly, otherwise I would have expected an error at this stage.
My problem is that I receive ERR_CONNECTION_REFUSED when trying to load the site.
Here is my backup copy of the VirtualHost entry for the SSL site that I am using. Are there any obvious problems with this file?
I should also add that when I use this configuration, not only does the intended site fail to load, but it also causes all other sites for this apache2 box to fail to load also. Any ideas?
<VirtualHost *:80>
ServerName mydomain.com
ServerAlias www.mydomain.com
ServerAdmin daniel@mydomain.com
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost 172.30.30.21:443>
ServerName www.mydomain.com
ServerAlias mydomain.com
ServerAdmin me@mydomain.com
SSLEngine on
SSLProtocol all
SSLCertificateFile /etc/apache2/ssl-certs/pts.crt
SSLCertificateKeyFile /etc/apache2/ssl-certs/msk.key
SSLCertificateChainFile /etc/apache2/ssl-certs/intermediate.crt
DocumentRoot /home/apts/Dropbox/mydomain.com/
<Directory /home/apts/Dropbox/mydomain.com/>
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
# <Location /squirrelmail>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
# </Location>
</IfModule>
</IfModule>
SSLOptions +StrictRequire
Options +FollowSymLinks -Indexes +MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLVerifyClient none
SSLProxyEngine off
</VirtualHost>

How to forward https with php POST to a different domain via DNS?

I'm in the middle of updating a domain name which is currently using HTTPS and has an API that many users are connecting to daily.
What I need to do, is basically reroute all that traffic via DNS/the new server to the new domain name.
EG
Currently users are hitting: https://olddomain.com/api and we are now using https://newdomain.com/api so I need all calls from https://olddomain.com/api to be redirect, with php POST data intact to https://newdomain.com/api
CNAME doesn't seem to redirect it with post data, and it fails the API call. The CNAME is for olddomain.com pointing to newdomain.com, with apache2 mod rewrites which should take care of the redirects, if you navigate to olddomain.com it does forward to newdomain.com but the POST data does not go with it for some reason. The new server has both the old and new domain SSL certs, so that should be valid.
This is what my 000-default looks like in /etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName newdomain.com
ServerAlias newdomain.com
RewriteEngine on
RewriteCond %{HTTP_HOST} ^olddomain.com
RewriteRule ^/(.*)$ https://newdomain.com/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^www.olddomain.com
RewriteRule ^/(.*)$ https://newdomain.com/$1 [L,R=301]
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride ALL
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride ALL
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName newdomain.com
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/newdomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/newdomain.key
SSLCertificateChainFile /etc/apache2/ssl/ssl_bundle.crt
DocumentRoot /var/www/
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName olddomain.com
ServerAlias www.olddomain.com
RewriteEngine on
RewriteCond %{HTTP_HOST} ^olddomain.com
RewriteRule ^/(.*)$ https://newdomain.com/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^www.olddomain.com
RewriteRule ^/(.*)$ https://newdomain.com/$1 [L,R=301]
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/certs/olddomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/olddomain.key
SSLCertificateChainFile /etc/apache2/ssl/ssl_bundle.crt
DocumentRoot /var/www/
</VirtualHost>
Did you try to use the HTTP status 307 (Temporary Redirect) instead of 301? According to the W3C's HTTP/1.1 Status Code Definitions, this method would allow you to preserve the original HTTP method (and therefore its associated body in the case of a POST) of the redirected request, although the standard also mandates that the user agent asks confirmation from the user in the case of a non-GET and non-HEAD.
e.g., in your Apache configuration file, try to replace lines like:
RewriteRule ^/(.*)$ https://newdomain.com/$1 [L,R=301]
by:
RewriteRule ^/(.*)$ https://newdomain.com/$1 [L,R=307]
Note that some user agents have been reported not to conform to the standard regarding the HTTP 307 status (e.g. not asking for user confirmation), while some others do not understand it at all. So I suggest testing it carefully with the browsers you target if you choose to use this method, and looking for fallback mechanisms if needed.
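To make the difference between R=301 and R=307 concrete, here is an added Python example (not part of the answer above) that starts a throwaway local HTTP server standing in for the old vhost, sends one POST to a path that answers 301 and one to a path that answers 307, follows each redirect the way mainstream user agents do, and records what actually arrives at the redirect target. The paths /api301, /api307 and /new/api, the JSON payload and the helper names are constructed for this demonstration, and the target is the same local server rather than https://newdomain.com so the script runs offline. It goes one step beyond the answer by also treating 308, the permanent counterpart of 307 defined in RFC 7538, the same way as 307.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed stand-in for the old vhost: POSTs to /api301 and /api307 are
# redirected to /new/api with the matching status code, mimicking
#   RewriteRule ^/(.*)$ https://newdomain.com/$1 [L,R=301]   (or R=307).
RECEIVED = []  # (method, path, body) tuples seen at the redirect target


class RedirectDemoHandler(BaseHTTPRequestHandler):
    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        if self.path in ("/api301", "/api307"):
            code = 301 if self.path == "/api301" else 307
            self.send_response(code)
            self.send_header(
                "Location", f"http://127.0.0.1:{self.server.server_port}/new/api"
            )
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # The "new domain": record exactly what the client replayed.
        RECEIVED.append((self.command, self.path, body.decode()))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the demo output quiet
        pass


def post_and_follow(port, path, payload):
    """POST once, then follow a single redirect the way common user agents do.

    301/302/303: the method is changed to GET and the body is dropped, the
    historical behaviour RFC 7231 documents for 301/302 and the reason an
    Apache R=301 loses POST data. 307/308: method and body are replayed as-is.
    Returns (first_status, what_the_target_received).
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", path, body=payload,
                 headers={"Content-Type": "application/json"})
    first = conn.getresponse()
    first.read()
    target_path = urlsplit(first.getheader("Location") or "").path
    if first.status in (301, 302, 303):
        method, body = "GET", None
    elif first.status in (307, 308):
        method, body = "POST", payload
    else:
        return first.status, None
    conn2 = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn2.request(method, target_path, body=body)
    conn2.getresponse().read()
    return first.status, RECEIVED[-1]


def run_demo():
    """Start the local server and compare what arrives after a 301 vs a 307."""
    server = HTTPServer(("127.0.0.1", 0), RedirectDemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        payload = json.dumps({"user": "alice", "action": "renew"}).encode()
        results = {}
        for path in ("/api301", "/api307"):
            status, arrived = post_and_follow(server.server_port, path, payload)
            results[status] = arrived
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for status, (method, path, body) in sorted(run_demo().items()):
        print(f"after {status}: target saw {method} {path} body={body!r}")
```

The 301 leg arrives at /new/api as a GET with an empty body, the 307 leg as the original POST with the JSON intact; that is the whole reason the CNAME-plus-301 setup in the question drops the API payload.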