apache stdenvvars doesn't work inside location - apache

I'm developing a x509 authentication with apache and symfony2. My symfony aplication has also authentication with login/password on '/login' path, and I would like to configure a location in '/login_x509'.
This is my apache configuration.
<VirtualHost *:443>
ServerName extranet
DocumentRoot /var/www/symfony2/extranet/web
DirectoryIndex app.php
Timeout 600
KeepAliveTimeout 67
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/extranet.crt
SSLCertificateKeyFile /etc/apache2/ssl/extranet.key
<Location /login_x509>
SSLOptions +StdEnvVars
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10
</Location>
<Directory /var/www/symfony2/extranet/web>
# enable the .htaccess rewrites
AllowOverride All
Order allow,deny
Allow from All
LimitRequestBody 1024000
</Directory>
ErrorLog /var/log/apache2/extranet_error.log
CustomLog /var/log/apache2/extranet_access.log combined
</VirtualHost>
If I comment the lines it Works perfectly. I get the SSL_CLIENT_S_DN variables on the application. But with the Location I don't get this variables.
I try to put the line "RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e" inside location but it doesn't work.
Thanks in advance.

The solution was to use LocationMatch instead of Location.
I need to read more about apache.
Thanks!

Related

How apache2 can deny connections to a domain which is not hosted

I am hosting website iplocation.io on a cloud server. I found a domain https://chrissloey.com/index.php which opens my website within it.
Now from what I understand, chrissloey.com has pointed it A record to my server ip and my apache2 server is not denying connection to it and allow's to open iplocation.io website content like its own.
I want apache2 to deny connections to any other domain and only allow my own domain to server content.
Attached is apache conf file for iplocation.io
<VirtualHost *:80>
ServerAdmin email#email.com
DocumentRoot /var/www/public_html
ServerName iplocation.io
ServerAlias www.iplocation.io
ErrorLog ${APACHE_LOG_DIR}/apache-error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/public_html>
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName iplocation.io
ServerAdmin email#email.com
DocumentRoot /var/www/public_html
SSLEngine on
SSLCertificateFile /path-to-csr
SSLCertificateKeyFile /path-to-key
SSLCertificateChainFile /path-to-ca
<Directory /var/www/public_html>
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
</IfModule
Looking at the two comments I think the combination makes most sense:
Configure httpd to respond with redirect (301) to all incoming requests. This could be done on the 'root' host.
Configure a virtualhost listening to your domain only, and this one would serve your real content only.
This will work unless the other site requests your content and then integrates it into their responses. But as you said someone else simply put up a DNS A record.

apache virtualhost with ssl not working on subdirectories

I have an issue with my virtual host SSL configuration.
My site works on the basic domain www.my_domain.com for both HTTP and HTTPS but doesn't work on all the subdirectories.
Example:
http://www.my_domain.com - works
https://www.my_domain.com - works
http://www.my_domain.com/secondary - works
https://www.my_domain.com/secondary - doesn't work
My virtual host setup is as follows:
<VirtualHost *:80>
ServerAdmin my_domain#gmail.com
DocumentRoot /var/www/html/
ServerName www.my_domain.com
ServerAlias my_domain.com
ErrorLog /var/www/html/error.log
Alias /secondary /var/www/html/secondary/
<Directory /var/www/html/secondary/>
Options FollowSymLinks MultiViews
allow from all
order allow,deny
AllowOverride All
</Directory>
</VirtualHost>
My ssl.conf setup is as follows:
<VirtualHost _default_:443>
ServerName www.my_domain.com:443
...
SSLEngine on
SLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
The error is: The requested URL /secondary was not found on this server.
Since it solved the OP`s problem, here is my comment as an answer.
Your SSL VirtualHost does not define a DocumentRoot, so it does not know where to look for /secondary. /secondary is only defined in your HTTP (port 80) VirtualHost. You have to put all the configuration in both if you want both to return the same content.

Different site at HTTP vs HTTPS

I am taking over a multi-site Apache server, with two websites (A and B). Going to website A's url via http works fine. Going to the same url, but using https, shows website B. Why is this, and how do I make https://urlA.com go to website A?
I solved the problem.
The servers were set up with VirtualHosts, but there was no VirtualHost for port 443. So it looked something like this:
<VirtualHost 99.9.9.999:80>
DocumentRoot /var/www/example
ServerName example.com
<Directory "/var/www/example">
Options Indexes
AllowOverride None
DirectoryIndex index.php index.html
Order allow,deny
Allow from all
</Directory>
Adding a VirtualHost listening on port 443, with the SSLCertFiles specified fixed the problem.
<VirtualHost 99.9.9.999:443>
DocumentRoot /var/www/example
ServerName example.com
<Directory "/var/www/example">
Options Indexes
AllowOverride None
DirectoryIndex index.php index.html
Order allow,deny
Allow from all
</Directory>
SSLCertificateFile /etc/httpd/conf/example.crt
SSLCertificateKeyFile /etc/httpd/conf/_.example.key
SSLCertificateChainFile /etc/httpd/conf/gd_example.crt
SSLEngine on
</VirtualHost>

ProxyPassMatch rule for Symfony 2.4

I am running Apache using mod_proxy_fcgi and PHP-FPM and am trying to get it to work Symfony. This is my first project using Symfony and am just getting a feel for it at the moment..
My vhost definition currently looks like:
<VirtualHost *:80>
ServerName symfony.dev
Documentroot "/vagrant/symfony/web"
DirectoryIndex app.php
ProxyTimeout 600
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:5090/vagrant/symfony/web/$1
<Directory "/vagrant/symfony/web">
AllowOverride All
Allow from All
</Directory>
</VirtualHost>
When I go to http://symfony.dev/app_dev.php/, the page loads, but all the links/paths include the full filesystem page. For example, the link for "Run the demo" is http://symblog.dev/vagrant/symfony/web/app_dev.php/demo/.
Is there a different ProxyPassMatch rule that would work, or a Symfony config that can compensate?
I tried ^/(.*\.php)(/.*)?$ which gets app_dev.php/ to load, but then app_dev.php/demo/ seems to load app_dev.php and not the demo, with broken paths to inline resources.
I had the same problems with ProxyPassMatch, but with and SetHandler everything works fine.
<VirtualHost *:80>
ServerName project.dev
ServerAlias www.project.dev
<FilesMatch \.php$>
SetHandler proxy:fcgi://127.0.0.1:9000
</FilesMatch>
#ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/project/web/$1
## Vhost docroot
DocumentRoot "/var/www/project/web"
## Directories, there should at least be a declaration for /var/www/awesome
<Directory "/var/www/project/web">
AllowOverride All
Order allow,deny
Allow from All
</Directory>
## Load additional static includes
## Logging
ErrorLog "/var/www/project/app/logs/apache2/error.log"
ServerSignature Off
CustomLog "/var/www/project/app/logs/apache2/access.log" combined
## SetEnv/SetEnvIf for environment variables
SetEnv APP_ENV dev
## Custom fragment
</VirtualHost>

hosting multiple SSL certs on apache

I hope someone can give me a hand with this. I have 2 IPs that I can use to do this and need to host 2 different secure (SSL) domains on the same Apache server. I've read that as of Apache 2.2.something that a single IP can be used, using some sort of add-in but I want to keep this as simple as possible and am willing to use both IPs to accomplish this task. I already have the 2 signed certificates for the domains.
This setup that I am posting here, works, but the issue I am having is that when I go to domain2.net, I receive a browser warning telling me that the cert does not match the domain but matches domain1.com
I'm using CentOS 5 and Apache 2.2.3. CentOS has a ssl.conf file and these lines are what I believe are giving me trouble:
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
I was under the impression that I could override these values in the virtual host containers and reference the keys that I need but it doesn't appear that way. When I comment these two lines out in the ssl.conf file, Apache won't restart. The ssl_log hints: SSLCertificateKeyFile
These are my virtual containers:
<VirtualHost 2.2.2.2:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain2.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.net.key
DocumentRoot "/var/www/domain2"
ServerName domain2.net
ServerAlias domain2.net
DirectoryIndex "index.php"
<Directory /var/www/html/domain2>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost 1.1.1.1:444>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
DocumentRoot "/var/www/html"
ServerName domain1.com
ServerAlias domain1.com
DirectoryIndex "index.php"
<Directory /var/www/html>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
How can I get these two domains to work using SSL? I've also tried to use the same port for the different IPs but again, Apache won't restart.
I'm truly lost on this so if someone could lend a hand, I'd really appreciate it.
Great question!
I was able to get two SSL certificates working on the same server. You should be able to do what you are trying to do.
The things in your configuration that stand out as odd to me:
I'd suggest using port 443 for both SSL-protected sites. You should have a specific instruction in apache's conf files somewhere for listening on port 443. For me it is located in /etc/apache2/ports.conf
Listen 443
.
It seems odd that you have ServerName and ServerAlias both using the same domain per virtual host. Try making the ServerAlias different or leaving it out:
ServerName domain1.com
ServerAlias www.domain1.com
.
I am assuming that you replaced your IPs and domains in your posted conf. Even if they are not the actual IPs you are using, you might want to double check that they can get you to the right place outside of SSL (since obviously SSL is not working).
.
Check the apache2 error log for more information. For me the log is located at: /var/log/apache2/error.log . You can set it with:
ErrorLog /var/log/apache2/error.log
And finally, for your reference here is my ssl-default (ssl.conf). I replaced my domains and IPs with the ones you used in your example conf. I have multiple subdomains working with NameVirtualHost since I have a wildcard cert:
<IfModule mod_ssl.c>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
# 1.1.1.1 = domain1.com
<VirtualHost 1.1.1.1:443>
ServerName www.domain1.com
ServerAdmin admin#domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/www.domain1.com/web
DirectoryIndex index.php index.html
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName secure.domain1.com
ServerAdmin admin#domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/secure.domain1.com/
DirectoryIndex index.php index.html
</VirtualHost>
# 2.2.2.2 = *.domain2.com
<VirtualHost 2.2.2.2:443>
ServerName admin.domain2.com
ServerAdmin admin#domain2.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain2.key
SSLCertificateFile /var/www/ssl/domain2.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ErrorLog /var/log/apache2/error.log
DocumentRoot /var/www/domain2/secure.domain2.com/web
DirectoryIndex index.php index.html
php_flag display_errors on
php_value error_reporting 7
</VirtualHost>
</IfModule>
I hope this helps!!
You don't need a separate ssl.config file, but if you want to use one, then put your SSL <VirtualHost XXX:443> containers in your ssl.conf file rather than in your httpd,conf file.
The other option which we use on our site is to put the settings from the ssl.conf file in our httpd.conf file and rename the ssl.conf file to something like ssl.conf.bak (to keep it for reference).
It might help to put this Apache command before the first Virtual Host:
SSLStrictSNIVHostCheck on
This enabled me to have several different domains each with its own keys running on the same IP without getting confused.