I'm using Apache as a reverse proxy to redirect all requests. I need to forward client cert details to my apps within the request. For testing purposes, I'm simply trying to attach CN to the forwarded request. This is my conf file (simplified):
<VirtualHost _default_:443>
ServerName localhost
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/CA.pem
SSLCertificateKeyFile /etc/ssl/private/CA.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +ExportCertData +StdEnvVars
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}:8443/myapp?cn=%{SSL_CLIENT_S_DN_CN}
</VirtualHost>
If I navigate to https://localhost browser asks for a cert, and then I get redirected to:
https://localhost:8443/myapp?cn=
So it appears that it's not reading SSL_CLIENT_S_DN_CN. What am I missing?
EDIT: If I set request header, e.g.:
RequestHeader set XYZ %{SSL_CLIENT_S_DN_CN}e
I don't see it in dev tools, either. So there must be something wrong with my configuration. %{SERVER_NAME} works, %{SSL_CLIENT_S_DN_CN} doesn't.
Related
I would like to have ONLY https traffic. I want all of it to be driven to https://example.com and https://www.example.com.
At present this is what works and doesn't work:
https://www.example.com - ok!
http://www.example.com - shows a list of files in my webroot for some reason
https://example.com - This site can’t be reached / example.com refused to connect.
http://example.com - The example.com page isn’t working. example.com didn’t send any data.
I am using Ubuntu 14 (trusty) and here is my current enabled virtual host config:
<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerAdmin info#example.com
ServerName www.example.com:443
ServerAlias example.com:443
DocumentRoot /var/www/example.com/public_html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Any help much appreciated as going nuts!
Did you tried made permanent redirect? https://wiki.apache.org/httpd/RedirectSSL
I am trying to install a certificate for all my subdomain on GCE VM, here is what I've done so far:
Allow HTTPS traffic is enabled in the VM settings.
I enabled the certificate on apache and default-ssl.conf looks like this
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin fadi#domain.com
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ProxyPreserveHost On
ProxyPass /console https://0.0.0.0:8080/console
ProxyPassReverse /console https://0.0.0.0:8080/console
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
But still I can not reach my server on https but am still able to access it via http, even though I enabled ssl using
sudo a2ensite default-ssl.conf
sudo service apache2 restart
Can someone help me please figure out this issue! the app is actually running on apache tomcat but proxied through apache if that make any difference!
443 is the default port used by Compute Engine for its services . Better you use any other port like 7443 or 8443 , then i guess it will work . I myself faced this issue on Compute Engine with Tomcat , and used other than the default ports . And also don't forget to mention whatever port you choose in the Firewall Rules section in the Networking . Let me know if that works !!
i have a website on my localhost, so to test the secure connection i did generate ssl certificate offline for localhost only, the thing is i used exact the same method as i did on my laptop, but it is not work for the new pc that i just setup. But it works fine on my laptop.
what could be the problem.
i did go through this too, but it not solved my problem
Setup HTTPS on wildcard subdomain on localhost
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#muster.project
ServerName muster.project
ServerAlias *.muster.project
DocumentRoot /var/www/project/muster/web
<Directory "/var/www/project/muster/web">
AllowOverride All
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
Interestingly, it is only work for the
https://muster.project
but not for https://anything.muster.project
Same method, same system both lubuntu,
i did change the ServerAlias to
www.muster.project *.muster.project it is also not works
i changed the not works either.
there are no error log either...
the only things i get was
rsa server certificate is a ca certificate (basicconstraints ca == true )
i don't think this is matter since the domain without subdomain works.
did i need to set the /etc/hosts file? even though i did! it is not work.
got some idea how to solve this? it is been few days already fixing it without success. Thanks for the helps!
Hier are the tutorial i followed
thomas-leister[dot]de/allgemein/apache-webserver-ssl-verschlusselung-einrichten/
Wildcards certificates only works for one level :
If you have a certificate for *.project it's valid for anything.project but not for anything.muster.project
Finally i found the Problem...
i set the wildcards DNS according to this sites
https://www.leaseweb.com/labs/2013/08/wildcard-dns-ubuntu-hosts-file-using-dnsmasq/
it seems it has nothing to do with the ssl (locally , it might be different for live website)..
i don't know why my laptop works even i don't set the dnsmasq...
however it is works now. maybe it will help if someone face this problem.
We have a customer that does not want anymore ssl client verification in their webapp.
We have an apache2 server in front of jboss that serves all requests for that webapp.
I have set SSLVerifyClient to none in apache config and restarted apache, and the first landing page does not request the certificate anymore, but there are some other pages inside the application that still requests the client certificate.
This hapens only in IE in other browsers it works ok.
Is there some cache in IE that stores something and neads to be celared? I have already cleaned all history data an also the SSL cache but the problem still perists.
I have to mention that all requests are made to the same cname and that cname has one virtualhost settings on the apache server.
I also have to mention that this happens only on when I try to serve some office files trugh the applicatoin
the vhost settigns are like this:
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLOptions +ExportCertData +StdEnvVars
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLVerifyClient none
SSLVerifyDepth 1
SSLCertificateFile /etc/pki/tls/certs/****_wildcard.crt
SSLCertificateKeyFile /etc/pki/tls/private/****_wildcard.key
SSLCACertificateFile /etc/pki/tls/certs/ca_cert_bundle.crt
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
AddDefaultCharset utf-8
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
#ProxyPreserveHost On
ProxyPass / http://****:8080/ retry=0 timeout=600
ProxyPassReverse / http://****:8080/
ServerName ****
secure.dynaccount.com (Thawte cert)
http://certlogik.com/sslchecker/secure.dynaccount.com/
api.dynaccount.com (self-signed)
http://certlogik.com/sslchecker/api.dynaccount.com/
httpd.conf
# Thawte certified
<VirtualHost 88.198.55.138:443>
ServerName secure.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/secure.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/secure.dynaccount.com/public.crt
SSLCertificateChainFile /var/ini/ssl/secure.dynaccount.com/intermediate.crt
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
# self-signed
<VirtualHost 88.198.55.154:443>
ServerName api.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/api.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/api.dynaccount.com/public.crt
SSLVerifyDepth 0
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
Did you read Apache HTTP docs?
http://httpd.apache.org/docs/2.0/vhosts/name-based.html
Name-based virtual hosting cannot be used with SSL secure servers
because of the nature of the SSL protocol.
You can have one SSL host per IP.
Reason?
SSL connection parameters are set per-vhosts, but must be negotiated before httpd reads host HTTP header.
That give a sense, isn't it?
UPDATE:
Change SSLCACertificateFile to SSLCertificateChainFile and provide correct format of file according to docs or disable client cert verification at all
Your problem here is that you have twice the same ServerName.
In your 2nd VHost, you should have ServerName api.dynaccount.com and no ServerAlias
I'm not sure it's the problem, but give it a try :)
edit:
For the Server could not reliably resolve server name error, you have to define a ServerName in httpd.conf (not in VirtualHost, that will be the default server name)