403 errors for images only on newly added ServerAlias - apache

I have had two webservers running on the same machine with addresses like the following:
internal.myservername.com
and
test.myservername.com
The test site is (on some pages) pulling images from the internal site, and works flawlessly. Now that we are out of testing, I wanted to add/change the test domain to be the main site, so I added the Apache ServerAlias myservername.com to the test site. Although all pages work, any images from internal will not show up on that address, resulting in a 403 error:
[access_compat:error] AH01797: client denied by server configuration
I have also tried setting up myservername.com as its own domain, and also tried making it the primary name on the test site (with test being an alias). In all cases, test.myservername.com continues to work fine and display images correctly, whereas myservername.com will not (resulting in all the 403 errors for these embedded images).
I have checked all configs and find nothing amiss. And there is nothing in my .htaccess files or conf files that is specific to "test". I am stumped.
I should probably also mention that I am running on a Mac OS Sierra server. (Server version: Apache/2.4.23 (Unix))
UPDATE WITH REQUESTED DETAIL:
img tags: there is nothing special in the image tags; they are called using the full URL, i.e.
<img src="http://internal.myservername.com/images/imagename.jpg" />
I should also add that if I take the exact src URL and paste it alone into a browser, the image WILL load. It is only when embedded in the page that it refuses to load (and only on the main domain; test works fine embedded in an img tag).
And the setup of test/main conf is:
<VirtualHost 127.0.0.1:34580>
ServerName http://test.myservername.com:80
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/myservername.com/plugins/mywebsite"
DirectoryIndex index.php home.php index.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
<IfModule mod_ssl.c>
SSLEngine Off
SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLProxyEngine Off
SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
</IfModule>
<IfModule mod_secure_transport.c>
MSTEngine Off
MSTCipherSuite HIGH, MEDIUM
MSTProtocolRange TLSv1.2 TLSv1.2
MSTProxyEngine On
MSTProxyProtocolRange TLSv1.2 TLSv1.2
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/myservername.com/plugins/mywebsite">
Options All -Indexes +ExecCGI +Includes +MultiViews
AllowOverride All
<IfModule mod_dav.c>
DAV Off
</IfModule>
<IfDefine !WEBSERVICE_ON>
Require all denied
ErrorDocument 403 /customerror/websitesoff403.html
</IfDefine>
</Directory>
ServerAlias myservername.com
And the conf for internal:
<VirtualHost 127.0.0.1:34580>
ServerName http://internal.myservername.com:80
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/myservername.com"
DirectoryIndex index.php
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
<IfModule mod_ssl.c>
SSLEngine Off
SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLProxyEngine Off
SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
</IfModule>
<IfModule mod_secure_transport.c>
MSTEngine Off
MSTCipherSuite HIGH, MEDIUM
MSTProtocolRange TLSv1.2 TLSv1.2
MSTProxyEngine On
MSTProxyProtocolRange TLSv1.2 TLSv1.2
</IfModule>
<IfModule mod_headers.c>
<filesmatch "^.*www.*\.jpg$">
Header set Cache-Control "max-age=2678400, public"
</filesmatch>
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/myservername.com">
Options All -Indexes +ExecCGI +Includes +MultiViews
AllowOverride All
Require all granted
<IfModule mod_dav.c>
DAV Off
</IfModule>
<IfDefine !WEBSERVICE_ON>
Require all denied
ErrorDocument 403 /customerror/websitesoff403.html
</IfDefine>
</Directory>
</VirtualHost>

UGH, I just figured out what was causing this, and here are the steps I took to figure it out:
Because my error was happening in mod_access_compat, I turned off that module to see if anything changed
This resulted in a much clearer error_log message that pointed to a problem with an .htaccess file inside my images folder on the internal site (that was set up by someone else and that I had no idea existed until the error showed it to me)
That .htaccess file contained directives that allowed my test site to pull images, but not the new domain, so once I added it to the file, all was fixed.
For those who want to know, the directives there were:
SetEnvIfNoCase Referer "^http://test.myservername.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://test.myservername.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://internal.myservername.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://internal.myservername.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>
And by adding the following two lines, it now works:
SetEnvIfNoCase Referer "^http://myservername.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://myservername.com$" locally_linked=1
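As an added illustration (not part of the original post), this Python model replays the .htaccess rules above against sample Referer values. It assumes the images directory contains exactly the rules quoted, and that nothing else in the path restricts access:

```python
import re

# Constructed mirror of the .htaccess rules quoted above: (regex, env var) pairs,
# one per SetEnvIfNoCase Referer line.  Note that the '.' in the hostnames is
# unescaped and that "^$" deliberately allows a request with no Referer at all.
ORIGINAL_RULES = [
    (r"^http://test.myservername.com/", "locally_linked"),
    (r"^http://test.myservername.com$", "locally_linked"),
    (r"^http://internal.myservername.com/", "locally_linked"),
    (r"^http://internal.myservername.com$", "locally_linked"),
    (r"^$", "locally_linked"),
]
# The two lines the answer added for the bare domain.
ADDED_RULES = [
    (r"^http://myservername.com/", "locally_linked"),
    (r"^http://myservername.com$", "locally_linked"),
]
FIXED_RULES = ORIGINAL_RULES + ADDED_RULES

# The <FilesMatch "\.(gif|png|jpe?g)$"> pattern: only these files are guarded.
PROTECTED_FILE = re.compile(r"\.(gif|png|jpe?g)$")


def env_from_referer(referer, rules):
    """SetEnvIfNoCase Referer: set the variable for every regex that matches the
    header value case-insensitively; a missing header is matched as ''."""
    value = referer if referer is not None else ""
    return {var for pattern, var in rules if re.search(pattern, value, re.IGNORECASE)}


def decide(path, referer, rules):
    """'Order Allow,Deny' plus 'Allow from env=locally_linked' and no Deny line:
    inside the FilesMatch block the request passes only if the variable is set;
    otherwise the Order Allow,Deny default applies and the result is 403.
    Files outside the pattern are not covered by the block at all."""
    if not PROTECTED_FILE.search(path):
        return 200
    return 200 if "locally_linked" in env_from_referer(referer, rules) else 403
```

It also shows why pasting the image URL directly worked: a request with no Referer matches ^$ and is allowed, so the check is a hotlink deterrent rather than an access control. The patterns match http:// only, so a page served over https would still get the 403.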

Related

Host header Injection/ Host Header Url redirection in Apache2.4

I configured an Apache2 server, disabled the default config file (000-default.conf), and created and enabled my own config file.
Following is the content of my conf file:
<VirtualHost *:443>
ServerName xyz.somedomain.com
SSLUseStapling on
DocumentRoot /var/www/html/
ErrorLog /var/www/logs/error.log
CustomLog /var/www/logs/access.log combined
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/cert/some.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/somekey.pem
SSLProtocol All -SSLv2 -SSLv3
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
<IfModule mod_dir.c>
DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
</IfModule>
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy "same-origin"
Header unset X-Forwarded-Host
</VirtualHost>
The application is running fine. But if we change the Host header and send a request to my server (let's say we change the Host header to bing.com), my server still responds to that request and redirects to bing.com.
I read that I need to configure a catch-all block, but I tried different methods; some of them break my website and some don't work. I have disabled .htaccess also.
Please let me know how I should proceed.
I tried adding the catch-all block below, but this doesn't work:
<VirtualHost *:443>
ServerName catchall
<Location />
Order allow,deny
Deny from all
</Location>
</VirtualHost>
I also tried rewrite rules as in my conf file in sites-available directory:
RewriteEngine on
RewriteCond %{SERVER_NAME} !xyz.somedomain.com
RewriteRule ^.(.*) - [L,F]
<If "%{HTTP_HOST} != 'xyz.somedomain.com'">
Deny from all
</If>
Ref link: https://www.middlewarebox.com/2020/07/http-host-header-injection-apache-24.html
None of them works. Apache version is 2.4.41.
In levels without StrictHostCheck where you're having trouble with virtual host (or other) methods, you could try:
RequestHeader set Host xyz.somedomain.com early
This should cause the server to act as if the client uses xyz.somedomain.com, even if they didn't.
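To make the ordering rule behind a catch-all concrete, here is an added Python model (not from the question, the answer or the linked article) of how Apache picks a name-based virtual host for one IP:port. It assumes the real site and the catch-all are the only blocks bound to *:443 and that the catch-all does nothing but deny:

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class VHost:
    """One <VirtualHost *:443> block, in the order it appears in the configuration."""
    server_name: str
    aliases: list = field(default_factory=list)
    policy: str = "serve"      # what the block does with a request: "serve" or "deny"


def host_from_header(host_header):
    """Drop the optional :port and fold case before comparing the Host header
    against ServerName / ServerAlias (a simplified model of Apache's matching)."""
    return host_header.strip().lower().split(":", 1)[0]


def select_vhost(vhosts, host_header):
    """Name-based selection among the blocks bound to one IP:port: the first block
    whose ServerName (exact) or ServerAlias (wildcards allowed) matches wins; if
    nothing matches, the FIRST block in the configuration is used as the default,
    regardless of what its ServerName says."""
    host = host_from_header(host_header)
    for vh in vhosts:
        if vh.server_name.lower() == host:
            return vh
        if any(fnmatchcase(host, alias.lower()) for alias in vh.aliases):
            return vh
    return vhosts[0]


def response_for(vhosts, host_header):
    """403 when the deny-all catch-all is selected, 200 when the real site is."""
    return 403 if select_vhost(vhosts, host_header).policy == "deny" else 200


# Constructed configurations using the names from the question.
SITE = VHost("xyz.somedomain.com")
CATCHALL = VHost("catchall", policy="deny")
CATCHALL_LAST = [SITE, CATCHALL]    # catch-all appended after the real site
CATCHALL_FIRST = [CATCHALL, SITE]   # catch-all is the first block Apache reads
```

With the catch-all defined after the real site, a request for an unknown Host such as bing.com still lands on the site, because the first block read is the default; on Debian-style layouts the files in sites-enabled are read in name order, which is why the shipped default is named 000-default.conf.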

VPS Nginx/ Apache | multi website doesn't work

I've moved 2 domains to the VPS and they work fine, but only one at a time.
If I disable one, then the other one works, not both.
dom1.com and dom2.com
have the same DNS records (except the A records, which point each domain name to the same IP on the VPS); their DNS records are both on CloudFlare, and they're both configured the same way on the VPS (with aaPanel).
The only difference is their site directory.
Do you know what could trigger this issue?
CentOS 8
aaPanel 6.8.21
Apache 2.4 (same issue on Nginx 1.19)
DNS manager: CloudFlare
Many Thanks
dom1.com | config
DocumentRoot "/www/wwwroot/dom1.com"
ServerName 745e5c8e.dom1.com
ServerAlias dom1.com mail.dom1.com
#errorDocument 404 /404.html
ErrorLog "/www/wwwlogs/dom1.com-error_log"
CustomLog "/www/wwwlogs/dom1.com-access_log" combined
#HTTP_TO_HTTPS_START
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}$1 [L,R=301]
</IfModule>
#HTTP_TO_HTTPS_END
#referenced redirect rule, if commented, the configured redirect rule will be invalid
IncludeOptional /www/server/panel/vhost/apache/redirect/dom1.com/*.conf
#DENY FILES
<Files ~ (\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)$>
Order allow,deny
Deny from all
</Files>
#PHP
<FilesMatch \.php$>
SetHandler "proxy:unix:/tmp/php-cgi-73.sock|fcgi://localhost"
</FilesMatch>
#PATH
<Directory "/www/wwwroot/dom1.com">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Require all granted
DirectoryIndex index.php index.html index.htm default.php default.html default.htm
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@example.com
DocumentRoot "/www/wwwroot/dom1.com/"
ServerName SSL.dom1.com
ServerAlias dom1.com mail.dom1.com
#errorDocument 404 /404.html
ErrorLog "/www/wwwlogs/dom1.com-error_log"
CustomLog "/www/wwwlogs/dom1.com-access_log" combined
#SSL
SSLEngine On
SSLCertificateFile /www/server/panel/vhost/cert/dom1.com/fullchain.pem
SSLCertificateKeyFile /www/server/panel/vhost/cert/dom1.com/privkey.pem
SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
#PHP
<FilesMatch \.php$>
SetHandler "proxy:unix:/tmp/php-cgi-73.sock|fcgi://localhost"
</FilesMatch>
#DENY FILES
<Files ~ (\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)$>
Order allow,deny
Deny from all
</Files>
#PATH
<Directory "/www/wwwroot/dom1.com/">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Require all granted
DirectoryIndex index.php index.html index.htm default.php default.html default.htm
</Directory>
</VirtualHost>
dom2.com | config
ServerAdmin webmaster@example.com
DocumentRoot "/www/wwwroot/dom2.com"
ServerName 218ac146.dom2.com
ServerAlias dom2.com mail.dom2.com
#errorDocument 404 /404.html
ErrorLog "/www/wwwlogs/dom2.com-error_log"
CustomLog "/www/wwwlogs/dom2.com-access_log" combined
#DENY FILES
<Files ~ (\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)$>
Order allow,deny
Deny from all
</Files>
#PHP
<FilesMatch \.php$>
SetHandler "proxy:unix:/tmp/php-cgi-73.sock|fcgi://localhost"
</FilesMatch>
#PATH
<Directory "/www/wwwroot/dom2.com">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
Require all granted
DirectoryIndex index.php index.html index.htm default.php default.html default.htm
</Directory>
</VirtualHost>
I found the problem.
aaPanel added a wrong sub-domain in their config file.
So fixing that resolved the issue.

Apache reverse proxy - URL without / is refused

I use a reverse proxy to show backend server content for a subdomain.
The subdomain.mydomain.com (server A) should display content of server with IP 123.123.123.123 port 1111 (server B).
Virtual host of subdomain.mydomain.com (server A):
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subdomain.mydomain.com
SSLEngine on
SecAuditEngine On
RewriteEngine On
SSLProxyEngine on
ProxyPreserveHost On
LogLevel warn
<Directory />
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Location />
ProxyPass https://123.123.123.123:1111
ProxyPassReverse https://123.123.123.123:1111
</Location>
ErrorLog /var/log/apache2/error.log
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCertificateFile /etc/apache2/cert.site/chain_wildcard_site_combined.crt
SSLCertificateKeyFile /etc/apache2/cert.site/key_wildcard_site.key
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
Virtual host of 123.123.123.123:1111 (server B):
<IfModule mod_ssl.c>
<VirtualHost 123.123.123.123:1111>
DocumentRoot /srv/www/site/htdocs
SSLEngine on
RewriteEngine On
SSLProxyEngine on
ProxyPreserveHost On
LogLevel warn
<Location "/">
Require ip 222.222.222.222
</Location>
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /srv/www/site/htdocs>
Options -Indexes +FollowSymLinks +MultiViews
DirectoryIndex index.php
AllowOverride None
Require all granted
</Directory>
ErrorLog /srv/www/site/log/error.log
CustomLog /srv/www/site/log/access.log combined
CustomLog /srv/www/site/log/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCertificateFile /etc/apache2/cert.site/chain_wildcard_site_combined.crt
SSLCertificateKeyFile /etc/apache2/cert.site/key_wildcard_site.key
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
If I load URL:
https://subdomain.mydomain.com/dir/
it loads successfully.
If I load URL (without trailing slash):
https://subdomain.mydomain.com/dir
it results in an error page: ERR_CONNECTION_REFUSED.
EDIT1:
I execute the command:
curl -IL https://subdomain.mydomain.com/dir
and I get this result:
HTTP/1.1 301 Moved Permanently
Date: Mon, 23 Aug 2021 13:45:13 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains
Strict-Transport-Security: max-age=15768000; includeSubDomains
Location: https://subdomain.mydomain.com:1111/dir/
Content-Type: text/html; charset=iso-8859-1
curl: (7) Failed to connect to subdomain.mydomain.com port 1111: Connection refused
EDIT2:
I added a trailing slash:
<Location />
ProxyPass https://123.123.123.123:1111/
ProxyPassReverse https://123.123.123.123:1111/
</Location>
But I still get the Connection refused error.
Any idea why it results in an error when the trailing slash is missing?
Thanks!
Since you used ProxyPreserveHost ON, your ProxyPassReverse should be ProxyPassReverse https://subdomain.mydomain.com:1111/ because this is the Location: header your backend is producing that you need the frontend to fixup.
The backend unfortunately sees no port in the Host: header and picks the port of the local connection. It is a problem that only happens when the default port is used on the frontend + ProxyPreserveHost. ServerName with an explicit port :443 might help on the backend.
You cannot use port 1111 for SSL - it MUST be 443 (modern certificates and CORS do not work or accept different ports)
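An added Python model (not the page's own code) of the header rewrite the accepted answer describes. It assumes server A is reachable on 443 only and that server B builds its trailing-slash redirect exactly as the answer states, from the preserved Host header plus its own connection port:

```python
from urllib.parse import urlsplit

FRONTEND_HOST = "subdomain.mydomain.com"   # server A, listening on 443 only
FRONTEND_PORTS = {443}
BACKEND_PORT = 1111                       # server B's listening port


def backend_redirect(path, host_header, local_port):
    """The trailing-slash redirect as the answer describes it: with ProxyPreserveHost
    On the backend sees the client's Host header, which carries no port, so it builds
    the Location from that name plus the port of its own connection (1111)."""
    return f"https://{host_header}:{local_port}{path}/"


def proxy_pass_reverse(location, backend_prefix, frontend_prefix):
    """What ProxyPassReverse does to a backend Location header: when the value starts
    with the configured backend URL, that prefix is swapped for the front-end URL of
    the <Location> block; any other value passes through untouched."""
    if location.lower().startswith(backend_prefix.lower()):
        return frontend_prefix + location[len(backend_prefix):]
    return location


def client_can_follow(location):
    """Can the browser reach the host:port named in the (rewritten) Location?"""
    parts = urlsplit(location)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname == FRONTEND_HOST and port in FRONTEND_PORTS


def request_without_slash(proxy_pass_reverse_url, path="/dir"):
    """Return (Location header the client receives, whether it can follow it)
    for a given ProxyPassReverse argument in the front-end <Location /> block."""
    loc = backend_redirect(path, FRONTEND_HOST, BACKEND_PORT)
    rewritten = proxy_pass_reverse(loc, proxy_pass_reverse_url, f"https://{FRONTEND_HOST}/")
    return rewritten, client_can_follow(rewritten)
```

The curl output in EDIT1 is the first case below: the backend's Location header does not start with https://123.123.123.123:1111/, so it passes through unchanged and the client is sent to port 1111.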

apache stdenvvars doesn't work inside location

I'm developing x509 authentication with Apache and Symfony2. My Symfony application also has login/password authentication on the '/login' path, and I would like to configure a Location for '/login_x509'.
This is my apache configuration.
<VirtualHost *:443>
ServerName extranet
DocumentRoot /var/www/symfony2/extranet/web
DirectoryIndex app.php
Timeout 600
KeepAliveTimeout 67
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/extranet.crt
SSLCertificateKeyFile /etc/apache2/ssl/extranet.key
<Location /login_x509>
SSLOptions +StdEnvVars
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10
</Location>
<Directory /var/www/symfony2/extranet/web>
# enable the .htaccess rewrites
AllowOverride All
Order allow,deny
Allow from All
LimitRequestBody 1024000
</Directory>
ErrorLog /var/log/apache2/extranet_error.log
CustomLog /var/log/apache2/extranet_access.log combined
</VirtualHost>
If I comment out the lines it works perfectly: I get the SSL_CLIENT_S_DN variables in the application. But with the Location I don't get these variables.
I tried putting the line "RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e" inside the Location, but it doesn't work.
Thanks in advance.
The solution was to use LocationMatch instead of Location.
I need to read more about apache.
Thanks!

HTTPS page visible, but 404 in Firebug (and google)

We recently added HTTPS for this Magento shop:
https://www.weddingdeco.nl/
For some reason, we get a 404 not found in Firebug / WebInspector NET pane for the home page.
A simple test page does not return a 404:
https://www.weddingdeco.nl/test.php
The page seems to be working perfectly; I also checked all CSS / JS requests, all with a 200 OK response.
Google insights also reports the 404 error:
https://developers.google.com/speed/pagespeed/insights/?url=https%3A%2F%2Fwww.weddingdeco.nl%2F
Could this be something in the server configuration? Any ideas greatly appreciated.
Apache config:
<VirtualHost 178.18.91.65:443 >
SSLEngine on
SSLCertificateFile /usr/local/directadmin/data/users/wedding/domains/weddingdeco.nl.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/wedding/domains/weddingdeco.nl.key
SSLCACertificateFile /usr/local/directadmin/data/users/wedding/domains/weddingdeco.nl.cacert
ServerName www.weddingdeco.nl
ServerAlias www.weddingdeco.nl weddingdeco.nl partydeco.nl www.partydeco.nl
ServerAdmin webmaster@weddingdeco.nl
DocumentRoot /home/wedding/domains/weddingdeco.nl/private_html
ScriptAlias /cgi-bin/ /home/wedding/domains/weddingdeco.nl/public_html/cgi-bin/
UseCanonicalName OFF
<IfModule !mod_ruid2.c>
SuexecUserGroup wedding wedding
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid wedding wedding
RGroups apache access
</IfModule>
CustomLog /var/log/httpd/domains/weddingdeco.nl.bytes bytes
CustomLog /var/log/httpd/domains/weddingdeco.nl.log combined
ErrorLog /var/log/httpd/domains/weddingdeco.nl.error.log
<Directory /home/wedding/domains/weddingdeco.nl/private_html>
php_admin_flag safe_mode OFF
php_admin_flag engine ON
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f wedding@weddingdeco.nl'
</Directory>