URL without trailing / gets internal port appended - apache

FireWall -> LoadBalancer -> Backend
Public IP is bound to firewall -> NAT to private IP farm on LB -> balance to backend on another private subnet.
https://example.com/test-redirect/index.php --> works fine
https://example.com/test-redirect/ --> works fine
https://example.com/test-redirect --> https://example.com:44312/test-redirect/ (Where 44312 is the internal port number apache has the SSL vhost bound to. FAILS)
Apache Config:
<VirtualHost *:80>
    ServerAdmin REDACTED
    ServerName example.com
    ServerAlias *.example.com
    DocumentRoot "/var/www/example.com"
    Include conf.d/global-http-host-includes.conf
</VirtualHost>
<VirtualHost <internal-ip>:44312>
    DocumentRoot "/var/www/example.com"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile REDACTED.crt
    SSLCertificateKeyFile REDACTED.key
    Include conf.d/global-ssl-host-includes.conf
</VirtualHost>
The client that this is for handles the redirects to HTTPS from HTTP in his application. We have said numerous times that this behaviour is extremely likely to originate from the application, and it isn't something the stack nor the Apache config is doing.
Has anyone come up against a similar scenario to this? Or might have any ideas as to what is causing the internal Apache port number to be appended to the URL when it redirects?

This turned out to be an issue with not having the ServerName and ServerAlias values within the SSL vHost as well as the non-SSL vHost. After adding the name and alias into those, the issue was fixed.
I would say this is perhaps a bug within Apache, but also some amount of misconfiguration.

Related

One Multisite SSL on Two virtual hosts (Apache2 on Ubuntu 16.04)

I have one SSL certificate from GoDaddy (Standard UCC SSL Certificate for up to 5 sub/domains) and two virtual hosts configuration on Apache2.
I can install the SSL certificate on each of them separately and they work fine until I add the second one.
When the second HTTPS config is added (...), then I get kind of weird redirects from one.abc.com to two.abc or vice versa.
I am using the same certificate files for both configs, because it is the same Multisite SSL certificate.
For example:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.abc.com
    DocumentRoot /var/www/htdocs
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/abc.crt
    SSLCertificateKeyFile /etc/apache2/ssl/abc.key
    SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName subd2.abc.com
    DocumentRoot /var/www/test2
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/abc.crt
    SSLCertificateKeyFile /etc/apache2/ssl/abc.key
    SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
What am I doing wrong?

This:

    Now - I understand that because SSL wraps around the HTTP request, there's no way to know which host is being requested until a public key has been sent to the client first. This essentially breaks the possibility of SSL virtual hosts using a standard SSL certificate.

from https://serverfault.com/questions/113076/apache-ssl-virtualhosts-on-a-single-ip-using-ucc-san-certificate
led me to the idea that the problem is simply that, in the case of abc.com, the server just does not know which HTTPS server config (www.abc.com or subd2.abc.com) to take and simply takes the first one. Tests confirmed that.
From that comes the second question / conclusion: do I have a configuration for the domain abc.com? It did not exist; I just had it defined as a ServerAlias in the www.abc.com config.
When I removed it from the ServerAlias and created a configuration for abc.com with a redirect, everything stayed in its place.

Debian 8 - SSL Certificate is not working

I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA Bundle, Key and Certificate) from 123-reg and I followed Linode's instructions to setup the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
    # All of the files here exist on the server
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
    SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
    SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
    ServerAdmin webmaster@zetec-it.com
    ServerName zetec-it.com
    ServerAlias www.zetec-it.com
    DirectoryIndex index.html index.php
    DocumentRoot /var/www/html/zetec-it.com/public_html
    LogLevel warn
    ErrorLog /var/www/html/zetec-it.com/log/error.log
    CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?

You need a VirtualHost which is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on port 80 while having SSLEngine On.
In order to get https working you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would not have a configuration that handles http connections too (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally two ways to go to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
    ServerName zetec-it.com
    ServerAlias www.zetec-it.com
    RewriteEngine on
    RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well
<VirtualHost *:80>
    # All of the files here exist on the server
    ServerAdmin webmaster@zetec-it.com
    ServerName zetec-it.com
    ServerAlias www.zetec-it.com
    DirectoryIndex index.html index.php
    DocumentRoot /var/www/html/zetec-it.com/public_html
    LogLevel warn
    ErrorLog /var/www/html/zetec-it.com/log/error.log
    CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two config files, the https one (which is basically your example from above, remember to replace 80 with 443) and one for http which I gave you 2 examples for.
You can put them into separate files, remember to activate them in this case.

Two Security Certificates on a Single IP with Apache's mod_gnutls

My understanding is there is a problem with having multiple certificates on a single IP as SSL is negotiated before HTTP happens; however, what we can do is use Server Name Indication (SNI) in TLS to get around this. According to the SNI Wikipedia page both Apache 2 modules mod_ssl and mod_gnutls support this extension, as do numerous web clients.
I have been trying to use mod_gnutls on centos 5. I have two separate certificates for two domains but only 1 IP. Each works independently but when I put both into the config at once only the first will work. Any https connection on domain2 shows domain1's certificate.
My config looks like this:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.domain1.com
    ServerAlias www.domain1.com
    DocumentRoot /var/www/html/domain1
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/pki/tls/certs/www.domain1.crt
    GnuTLSKeyFile /etc/pki/tls/domain1/private.key
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/html/domain2
    ServerName www.domain2.com
    ServerAlias www.domain2.com
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/pki/tls/certs/domain2.crt
    GnuTLSKeyFile /etc/pki/tls/domain2/private.key
</VirtualHost>
Any ideas? Really been scratching my head over this.
Many thanks

Apache: disable redirecting to default vhost on mismatching server name

I have many services running on the same machine, one of them using SSL, let's say "c3po.com".
The url for my servers are https://c3po.com, http://r2d2.com and http://jarjar.com.
The problem is, if I type https://r2d2.com apache redirects me to https://c3po.com, without even changing the url. In other words, I will be seeing c3po service, with my browser showing http://r2d2.com.
I understand that when Apache can't exactly match a vhost it uses the first one loaded that matches the ip:port, so as there is no:
<VirtualHost *:443>
ServerName r2d2.com
...
It will pick up the only vhost on :443 found, which is:
<VirtualHost *:443>
ServerName c3po.com
...
What I really want is that when the user types https://r2d2.com or https://jarjar.com an error page is shown, because those services (with SSL enabled over HTTP) simply don't exist! How can I achieve that?

Check that
    NameVirtualHost *:443
is enabled in your main config. Then create a VirtualHost that listens on port 443 with your error page, and create another VirtualHost with the config for c3po.com. If any user resolves a name to the IP of your server (which they will for all sites), they will go to the default site unless they're going to c3po.
Something along the lines of the following should work:
Default:
<VirtualHost *:443>
    ServerName _default_https
    DocumentRoot /path/to/error/page
    <Directory /path/to/error/page>
        ...
    </Directory>
</VirtualHost>
c3po:
<VirtualHost *:443>
    ServerName c3po.com
    ServerAlias www.c3po.com
    DocumentRoot /path/to/c3po
    <Directory /path/to/c3po>
        ...
    </Directory>
</VirtualHost>
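The threads above keep hitting the same two facts. For one addr:port httpd walks its vhosts in configuration order, matches the requested name (the SNI name for TLS, the Host header for plain HTTP) against ServerName and ServerAlias, and falls back to the first vhost listed when nothing matches; and a TLS vhost needs its own ServerName (the trailing-slash redirect thread) and its own *:443 listener (the Debian 8 thread). The script below is an added example written for this page, not code from any of the posts or from httpd itself: it parses the subset of vhost syntax the posts use, models that selection rule, and lints a constructed config that mirrors the threads' mistakes. The sample config, the 10.0.0.5 address and the "no.such.name.invalid" probe name are assumptions made for the demo.

```python
"""Offline model of httpd name-based vhost selection plus a lint for the
misconfigurations in the threads above. Added example for this page, not code
from any post or from httpd. Parses only what the posts use: one directive per
line inside <VirtualHost>; nested containers and comments are skipped."""
import fnmatch
import re
from dataclasses import dataclass, field

@dataclass
class VHost:
    addr: str
    port: str
    directives: dict = field(default_factory=dict)  # lowercase name -> [values]

    def get(self, name, default=None):
        vals = self.directives.get(name.lower())
        return vals[0] if vals else default

    def server_name(self):
        # ServerName may carry scheme and port, e.g. https://example.com:443
        sn = self.get("ServerName")
        return sn.split("//")[-1].split(":")[0].lower() if sn else None

    def aliases(self):
        return [a.lower() for v in self.directives.get("serveralias", []) for a in v.split()]

    def tls_on(self):
        return any(self.get(d, "").lower() == "on" for d in ("SSLEngine", "GnuTLSEnable"))

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    hosts = []
    for m in VHOST_RE.finditer(conf):
        addr, _, port = m.group(1).strip().rpartition(":")
        vh = VHost(addr or "*", port)
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line[0] in "#<":  # comment or nested container
                continue
            key, _, val = line.partition(" ")
            vh.directives.setdefault(key.lower(), []).append(val.strip().strip('"'))
        hosts.append(vh)
    return hosts

def select_vhost(hosts, port, name):
    """First vhost on `port` whose ServerName (exact) or ServerAlias (wildcards)
    matches `name`; otherwise the first vhost listed for that port is the default.
    mod_ssl/mod_gnutls feed the SNI name in here, plain HTTP the Host header."""
    candidates = [h for h in hosts if h.port == str(port)]
    name = name.split(":")[0].lower()
    for h in candidates:
        if h.server_name() == name or any(fnmatch.fnmatchcase(name, a) for a in h.aliases()):
            return h
    return candidates[0] if candidates else None

def lint(hosts):
    findings, owner = [], {}
    for i, h in enumerate(hosts, 1):
        tag = f"vhost#{i} {h.addr}:{h.port}"
        if h.tls_on() and not h.get("ServerName"):
            findings.append(f"{tag}: TLS on but no ServerName; self-referential redirects "
                            "(mod_dir's trailing-slash redirect included) are built from what "
                            "httpd deduces, including its listening port. Behind a port-mapping "
                            "LB set the public name, e.g. ServerName https://example.com:443")
        if h.tls_on() and h.port == "80":
            findings.append(f"{tag}: SSLEngine/GnuTLSEnable on a port-80 vhost; HTTPS "
                            "clients connect to 443, move it to *:443")
        for n in filter(None, [h.server_name(), *h.aliases()]):
            prev = owner.setdefault((h.port, n), tag)
            if prev != tag:
                findings.append(f"{tag}: name {n} on port {h.port} already served by {prev}")
    for port in sorted({h.port for h in hosts}):
        d = select_vhost(hosts, port, "no.such.name.invalid")  # probe name, assumed unused
        findings.append(f"port {port}: default for unmatched names is {d.server_name() or d.addr}")
    return findings

# Constructed config mirroring the threads: SSLEngine On on *:80, an error-page
# default listed before c3po.com on 443, and a TLS vhost on an internal port
# without ServerName (the trailing-slash redirect case). Not a real server.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName zetec-it.com
    ServerAlias www.zetec-it.com
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName _default_https
    DocumentRoot /path/to/error/page
</VirtualHost>
<VirtualHost *:443>
    ServerName c3po.com
    ServerAlias www.c3po.com *.c3po.com
    SSLEngine on
</VirtualHost>
<VirtualHost 10.0.0.5:44312>
    DocumentRoot "/var/www/example.com"
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    hosts = parse_vhosts(SAMPLE_CONF)
    print(*lint(hosts), sep="\n")
    print("https://r2d2.com ->", select_vhost(hosts, 443, "r2d2.com").server_name())
```

On a real box run `parse_vhosts(open(path).read())` on each file after `apachectl -t`, keeping in mind the model ignores Include and any address form other than host:port; httpd's own view of the name-based vhosts and their defaults is printed by `apachectl -S`, which is the authoritative check.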

Route two domains to same JBoss instance

I have two public websites (foo.com and bar.com) that are pointed to a hardware load balancer. This hardware forwards the traffic to my server as follows:
http://foo.com ==> port 7700
https://foo.com ==> port 7701
http://bar.com ==> port 7800
https://bar.com ==> port 7801
My server is currently an old iPlanet box that defines two virtual servers (foo.com for 7700, 7701 and bar.com for 7800, 7801). Since the load balancer forwards directly to these ports, everything works fine.
I now need to port these websites to an Apache 2.2 + JBoss 6.0 configuration, and I'm currently at a loss as to what the best practice is to accomplish this.
I've already set up Apache to listen on my four ports (7700,7701,7800, 7801) and configured SSL for 7701,7801. I'm assuming it is preferred to let Apache handle the SSL handshakes and connections. I have set up 4 Virtual Host entries in Apache, as follows:
<VirtualHost *:7700>
    DocumentRoot "/htdocs/foo.com"
    ServerName foo.com
</VirtualHost>
<VirtualHost *:7701>
    DocumentRoot "/htdocs/foo.com"
    ServerName foo.com
    SSLEngine on
    SSLCipherSuite ALL:...
    SSLCertificateFile "/cert/foo.com.crt"
    SSLCertificateKeyFile "/cert/foo.com.key"
</VirtualHost>
<VirtualHost *:7800>
    DocumentRoot "/htdocs/bar.com"
    ServerName bar.com
</VirtualHost>
<VirtualHost *:7801>
    DocumentRoot "/htdocs/bar.com"
    ServerName bar.com
    SSLEngine on
    SSLCipherSuite ALL:...
    SSLCertificateFile "/cert/bar.com.crt"
    SSLCertificateKeyFile "/cert/bar.com.key"
</VirtualHost>
I've tested this with static content, and both the HTTP and HTTPS connections are working correctly.
For my JBoss configuration, I currently have my applications deployed as /foo and /bar, although I don't know if that should be the final configuration. What I want to accomplish is this:
Forward all traffic from 7700/7701 to http://localhost:8080/foo, and from 7800/7801 to http://localhost:8080/bar. I don't want to see the /foo and /bar in the public URL, though - the user should just see http://www.foo.com and http://www.bar.com.
Is there a way to configure mod_jk to forward requests to a specific URL? Or should I be looking at ways to have JBoss host foo.com on port A and bar.com on port B -- and just have mod_jk forward to each port separately?
I think mod_jk combined with URL rewriting should handle what you need. The mod_jk information on workers indicates that you should be able to use mod_jk to forward requests based on URL using the uriworkermap. It's also mentioned that you can have a separate uriworkermap for each virtual host.
I'd also like to suggest that you take a look at mod_cluster - it might have additional capabilities that would help with this.
EDIT
Argh. After your clarification (and some better digging), I think there may be a different answer. I am currently using ProxyPass/ProxyPassReverse to redirect top-level URLs to individual servlets. I've reviewed the Apache VirtualHost docs again, and I think that if you combine that with mod_proxy, you'll be able to get what you want.
Here's a proposed configuration example that builds on what I have and could meet your specifications:
Listen 7700
Listen 7701
Listen 7800
Listen 7801
<VirtualHost *:7700>
    ProxyPreserveHost On
    # Both sides of ProxyPass need the trailing slash: with "/foo" (no slash)
    # a request for /index.jsp would be proxied to http://localhost:8080/fooindex.jsp
    ProxyPass        / http://localhost:8080/foo/
    ProxyPassReverse / http://localhost:8080/foo/
    ServerName foo.com
</VirtualHost>
<VirtualHost *:7701>
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/foo/
    ProxyPassReverse / http://localhost:8080/foo/
    ServerName foo.com
    SSLEngine on
    SSLCipherSuite ALL:...
    SSLCertificateFile "/cert/foo.com.crt"
    SSLCertificateKeyFile "/cert/foo.com.key"
</VirtualHost>
<VirtualHost *:7800>
    ProxyPreserveHost On
    # bar.com's ports go to the /bar context, not /foo
    ProxyPass        / http://localhost:8080/bar/
    ProxyPassReverse / http://localhost:8080/bar/
    ServerName bar.com
</VirtualHost>
<VirtualHost *:7801>
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/bar/
    ProxyPassReverse / http://localhost:8080/bar/
    ServerName bar.com
    SSLEngine on
    SSLCipherSuite ALL:...
    SSLCertificateFile "/cert/bar.com.crt"
    SSLCertificateKeyFile "/cert/bar.com.key"
</VirtualHost>
I apologize for missing this the first time. The only thing you'll want to test is to make sure that the URLs for servlet access are correct. The pattern I have in use is http://{host}:{port}/{WARName}/{ServletPath}. If you've already tested the configuration with static content, only the proxy setup should need to be added/tuned. I'm not sure if you'll need the Listen statements or not; I think you will, as your ports are non-standard.
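ProxyPass maps a request onto the backend by plain prefix substitution: the part of the path after the matched prefix is appended to the target as-is, with no slash inserted or removed, which is why mod_proxy's documentation insists both arguments end the same way. The block below is an added example for this page, not the poster's configuration or mod_proxy's code: it models ProxyPass and ProxyPassReverse as that documented substitution, shows what the bare `/foo` target does to a real path and to a backend redirect, and routes the thread's four LB ports to the two JBoss contexts. The `http://localhost:8080` backend and the port map are taken from the thread; the ProxyPassReverse model is a simplification that assumes the backend writes Location headers using the backend URL (with ProxyPreserveHost On the backend may echo the public host instead, which a literal-prefix rewrite would not touch).

```python
"""Model of mod_proxy's ProxyPass / ProxyPassReverse prefix mapping. Added
example for this thread, not the poster's code or mod_proxy's. Backend URL and
port map follow the thread; the reverse mapping is a simplification (see the
proxy_pass_reverse docstring)."""

def proxy_pass(path, prefix, target):
    """ProxyPass <prefix> <target>: if the request path starts with prefix, the
    remainder is appended to target verbatim. Returns None when the prefix does
    not match (another ProxyPass, or the local docroot, would handle it)."""
    if not path.startswith(prefix):
        return None
    return target + path[len(prefix):]

def proxy_pass_reverse(location, prefix, target, public_base):
    """ProxyPassReverse <prefix> <target>: a Location header from the backend
    that starts with target is rewritten under prefix on the public site.
    Assumption: the backend built the Location from the backend URL; with
    ProxyPreserveHost On it may use the public Host, which this will not match."""
    if location.startswith(target):
        return public_base.rstrip("/") + prefix + location[len(target):]
    return location

# LB port -> (public host, JBoss context), as laid out in the thread.
PORT_MAP = {
    7700: ("foo.com", "/foo/"), 7701: ("foo.com", "/foo/"),
    7800: ("bar.com", "/bar/"), 7801: ("bar.com", "/bar/"),
}
BACKEND = "http://localhost:8080"

def route_backend(port, path):
    """Backend URL a request arriving on a given LB port is proxied to; every
    port uses 'ProxyPass / <BACKEND><context>' with matching trailing slashes."""
    _, context = PORT_MAP[port]
    return proxy_pass(path, "/", BACKEND + context)

def check_mapping(target):
    """Show what 'ProxyPass / <target>' does to a few representative paths, so a
    target with and without the trailing slash can be compared side by side."""
    return {p: proxy_pass(p, "/", target) for p in ("/", "/index.jsp", "/admin/list")}

if __name__ == "__main__":
    print("no trailing slash:", check_mapping(BACKEND + "/foo"))
    print("trailing slash:   ", check_mapping(BACKEND + "/foo/"))
    print("7801 /login ->", route_backend(7801, "/login"))
    # A backend redirect to /foo/ under the mismatched config comes back with a
    # doubled slash; under the matched config it maps cleanly to the site root.
    print(proxy_pass_reverse(BACKEND + "/foo/", "/", BACKEND + "/foo", "https://foo.com"))
    print(proxy_pass_reverse(BACKEND + "/foo/", "/", BACKEND + "/foo/", "https://foo.com"))
```

The mismatched form only looks right for the bare `/` request; anything deeper is glued onto `foo`, and the backend's own redirect to `/foo/` surfaces publicly as `https://foo.com//`, which is the kind of symptom to look for in the access log when checking this setup.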