After installing the SSL Cert for my domain, I can no longer stay logged in to PhpMyAdmin remotely via SSH.
Before SSL:
PHP-based migrated to a fresh Bitnami LAMP Stack deployed and hosted with Google Cloud Platform.
I updated to PMA 4.6.5.1
I successfully used Putty to tunnel from http://127.0.0.1:8888/phpmyadmin to http://localhost:80/phpmyadmin on the server using local 127.0.0.1:8888 --> remote localhost:80
After SSL:
SSL installed via Comodo's generic Linux Apache directions here. (bitnami.conf changes shown below)
Web app is publicly accessible via https://EPHEMERAL_IP_ADDRESS/ (and redirect from http://EPHEMERAL_IP_ADDRESS/ to http://EPHEMERAL_IP_ADDRESS/)
Previously accessible on live server https://my.domain/ (and redirects from http://my.domain/ to https://my.domain), but I haven't swapped IPs yet so ServerName might be an issue?
I added local 127.0.0.1:8383 --> remote localhost:443 to my Putty configuration.
I can access https://127.0.0.1:8383/phpmyadmin and log in. But as soon as I click anything (e.g. a database name) within PMA, I am booted out to the PMA login screen.
Changes made to /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
<VirtualHost _default_:80>
DocumentRoot "/opt/bitnami/apache2/htdocs"
RewriteEngine On #added
RewriteCond %{HTTPS} !=on #added
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L] #added
<Directory "/opt/bitnami/apache2/htdocs">
...
</VirtualHost>
...
<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
ServerName mydomain.com:443 #added
ServerAdmin my@email.address #added
SSLEngine on
SSLCertificateFile "/path/to/my_domain.crt" #changed
SSLCertificateKeyFile "/path/to/myserver.key" #changed
SSLCACertificateFile "/path/tof/my_domain.ca-bundle" #added
...
</VirtualHost>
Essentially: I turned on SSL per client specification, but this has broken my PMA access. Any help is greatly appreciated!
SO's suggestion Installing SSL certificate breaks phpmyadmin with 403 error came through for the win:
While I simply accessed PMA from a different browser, the more commonly applicable solution is deleting the specific PMA cookies. (HT Isaac Bennetch)
See here for specifics on how to delete specific cookies in various browsers.
For forwarding an internal website (i.e. normally not available on internet) to internet I use ProxyPass in Apache.
I have the following setup:
Backend server: An internal laptop or Raspberry PI or virtual machine running an Apache web server on macOS or Linux, accessible in my home wifi. From that machine the following reverse SSH tunnel is run.
Frontend server: A VPS rented running Ubuntu running Apache web server.
When I perform a reverse SSH tunnel to the VPS:
ssh -N -p 22 -R 1081:127.0.0.1:80 root@myVPS
I can access my internal localhost site on https://forward.example.com, just like it behaves internally.
But the glitch is that the $_SERVER["HTTP_HOST"] now returns "localhost:1081" as specified in the ssl.conf.
In PHP I get the remote IP address by $_SERVER['HTTP_X_FORWARDED_FOR'] rather than $_SERVER['REMOTE_ADDR'], so that works fine.
There is also a $_SERVER['HTTP_X_FORWARDED_HOST'] which shows 'forward.example.com'.
Some posts on the internet advised me to specify ProxyPreserveHost on, but enabling that makes things worse: I get a redirect loop.
Is there a way to let Apache force $_SERVER['HTTP_X_FORWARDED_HOST'] ('forward.example.com' in my example) into $_SERVER["HTTP_HOST"]?
Virtual host section in ssl.conf:
<VirtualHost *:443>
SSLEngine on
DocumentRoot /var/www/html/test/
ServerName forward.example.com
LogLevel Debug
ErrorLog ${APACHE_LOG_DIR}/forward-error.log
CustomLog ${APACHE_LOG_DIR}/forward.log combined
SSLCertificateFile /root/.acme.sh/forward.example.com/fullchain.cer
SSLCertificateKeyFile /root/.acme.sh/forward.example.com/forward.example.com.key
# SSLCertificateChainFile /root/.acme.sh/forward.example.com/fullchain.cer
SSLProxyEngine On
ProxyRequests Off
# This causes a redirect loop !!!
# ProxyPreserveHost on
# https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
ProxyPass / http://localhost:1081/
ProxyPassReverse / http://localhost:1081/
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "ws://localhost:1081/$1" [P,L]
</VirtualHost>
I'm struggling tremendously with the concept of webservers. I will describe my desired solution and current situation as clearly as possible.
I have an on-premise server, where Debian is running. I have installed several pieces of software on the server, including a full LAMP stack, Kibana, ThingsBoard etc. We got a public IP and recently acquired a domain, let's say apachenoob.com.
I can access my applications via a web browser at <ip>:<port> or apachenoob.com:<port>. However, I want those applications to run over HTTPS, so I acquired a free SSL certificate with Certbot. Now https://apachenoob.com is working and showing the default Apache homepage.
What I want are a few things:
Instead of apachenoob.com:9090 I want users and myself to go to thingsboard.apachenoob.com, or other URLs for other applications than ThingsBoard.
MY SOLUTION:
Add the following line to /etc/apache2/apache2.conf:
LoadModule rewrite_module modules/mod_rewrite.so
Add the following thingsboard.conf to /etc/apache2/sites-enabled/ (Debian):
<VirtualHost *:443>
ServerName thingsboard.apachenoob.com
ProxyPreserveHost On
SSLEngine on
ProxyPass / http://localhost:9090/
ProxyPassReverse / http://localhost:9090/
SSLCertificateFile /path/to/cert/file
SSLCertificateKeyFile /path/to/key
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:80>
ServerName thingsboard.apachenoob.com
Redirect / https://thingsboard.apachenoob.com/
</VirtualHost>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://thingsboard.apachenoob.com/$1 [R,L]
</IfModule>
I want to disable traffic to the IP (and optionally port number) or redirect everything to https://apachenoob.com
Less important: I developed an API using Python and Flask and got it to run over the MOD_WSGI module. But, it is also running over HTTP, where HTTPS is the goal.
For the first, I tried adding VirtualHosts, in separate files and in the main apache2.conf, no result (as described in several posts). Someone even told me the application might have an own internal web server (HELP?!).
For the second, I tried redirecting rules (described here), both in the main config and in separate files, no result.
For the third, I haven't even begun trying things as I'm feeling lost in a swamp of apache.
By all means, if this makes no sense please tell me and I will try to clarify.
For point 1, you need something like this (put it in a file named thingsboard.conf in the folder sites-enabled/ and add the correct path to the certificate/key):
<VirtualHost *:443>
ServerName thingsboard.apachenoob.com
ProxyPreserveHost On
SSLEngine on
SSLCertificateFile ...
SSLCertificateKeyFile ...
ProxyPass / http://localhost:9090/
ProxyPassReverse / http://localhost:9090/
</VirtualHost>
<VirtualHost *:80>
ServerName thingsboard.apachenoob.com
Redirect / https://thingsboard.apachenoob.com/
</VirtualHost>
I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA Bundle, Key and Certificate) from 123-reg and I followed Linode's instructions to setup the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
# All of the files here exist on the server
SSLEngine On
SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerAdmin webmaster@zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?
You need a VirtualHost which is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on Port 80 while having SSLEngine On.
In order to get https working you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would not have a configuration that handles http connections to (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally two ways to go to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
ServerName zetec-it.com
ServerAlias www.zetec-it.com
RewriteEngine on
RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well
<VirtualHost *:80>
# All of the files here exist on the server
ServerAdmin webmaster@zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two config files, the https one (which is basically your example from above, remember to replace 80 with 443) and one for http which I gave you 2 examples for.
You can put them into separate files, remember to activate them in this case.
I have just installed SSL certs on a variety of sites. They work fine if I go directly to the https version of the site, but when I go to the http version, I get: "Reason: You're speaking plain HTTP to an SSL-enabled server port."
This is what SHOULD work but does NOT...
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Nor does any version of it
!=on =80 !=443, etc.
I even tried putting this in the vhost.conf file on the server.
My developers and I are out of ideas and we, shockingly, cannot find anything with the almighty Google to help us. Anyone have any thoughts?
Have you tried these from the Apache HTTPD wiki?
https://wiki.apache.org/httpd/RedirectSSL
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
Ok, so in case others come across this issue, I wanted to update now that I've finally fixed it. For us, we had some other stuff in our vhost.conf file that was interfering. Once I wiped it out and took some of this other advice, this is the code that ended up working in vhost.conf. The .htaccess file now has nothing in it as it is not needed.
## -- VIRTUAL HOSTS -- ##
NameVirtualHost *:80
<VirtualHost *:80>
ServerName dev.example.net
Redirect permanent / https://dev.example.net/
</VirtualHost>
<VirtualHost *:443>
#-SERVER CONFIG-#
ServerAdmin webmaster@example.net
ServerName dev.example.net
ServerAlias dev.example.net
DocumentRoot /var/www/html/example
#-SSL-#
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/httpd/conf/ssl.crt/...
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/...
SSLCACertificateFile /etc/httpd/conf/ssl.crt/...
SSLCertificateChainFile /etc/pki/tls/certs/...
SSLCACertificateFile /etc/pki/tls/certs/...
#-LOGGING-#
ErrorLog /var/www/html/example/error_log
</VirtualHost>
I am using these rewrite rules to redirect my http request to https on my application with SSL certs.
RewriteEngine Off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
I think your problem comes very early, even before mod_rewrite is applied on the request.
Your VirtualHost listening on port 80 is an https virtualhost, but browsers are trying to speak plain http on port 80, and that does not work.
On Apache, SSL is activated with:
SSLEngine on
This instruction should only be activated for your Virtualhost listening on *:443 (or any variations of something:443).
You should add some Virtualhost listening on port 80, supporting a bunch of ServerName and ServerAlias that could be used on that server (or maybe all the names, by ensuring this Virtualhost is the default one for port 80), and whose only job is to redirect on port 443.
Here you can use the links provided by @Anand Bhat to perform this task (and mod_rewrite is not needed).
But all these 'redirect to https' tasks assume that you already have a working Virtualhost where https is not activated. Because if https is activated everywhere, you cannot even start a discussion with the server to receive a redirection; there's no 'plain http' channel to receive this response or even to start asking for something.
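An added example, not part of any answer above: a small Python check that reads Apache vhost text and flags the mix-up behind both the "connection isn't secure" and the "speaking plain HTTP to an SSL-enabled server port" reports, namely SSLEngine on inside a port 80 vhost. The function names, finding strings and sample configs are constructed for illustration.

```python
import re

def parse_vhosts(conf_text):
    """Split a config into <VirtualHost> blocks: bound ports plus directives."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            ports = {addr.rsplit(":", 1)[-1] for addr in opened.group(1).split()}
            current = {"ports": ports, "directives": []}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and not line.startswith("<"):
            name, _, args = line.partition(" ")
            current["directives"].append((name.lower(), args.strip()))
    return vhosts

def lint(conf_text):
    """Return (ServerName, finding) pairs for HTTP/HTTPS vhost mix-ups."""
    findings = []
    for vh in parse_vhosts(conf_text):
        d = vh["directives"]
        name = next((a for n, a in d if n == "servername"), "(no ServerName)")
        ssl_on = any(n == "sslengine" and a.lower() == "on" for n, a in d)
        to_https = any(n in ("redirect", "rewriterule") and "https://" in a for n, a in d)
        if "80" in vh["ports"] and ssl_on:
            findings.append((name, "SSLEngine on in a port 80 vhost"))
        elif "80" in vh["ports"] and not to_https:
            findings.append((name, "port 80 vhost does not redirect to https"))
        if "443" in vh["ports"] and not ssl_on:
            findings.append((name, "port 443 vhost without SSLEngine on"))
    return findings

# Constructed sample configs (not taken from a real server)
BROKEN = """<VirtualHost *:80>
    SSLEngine On
    ServerName www.example.com
</VirtualHost>"""
FIXED = """<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine On
</VirtualHost>"""
print(lint(BROKEN), lint(FIXED))
```

Real configurations spread vhosts over several files, so pass each file's text to lint(); `apachectl -S` gives the server's own view of which vhost answers on which port.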
I need a MediaWiki installation to require the use of https (and reject normal http). I've spent 2 hours looking. Setting $wgServer doesn't work and closing port 80 in httpd.conf doesn't work either.
My wiki installation is run on an Apache server.
I've just done this on Ubuntu 14 (for the first time today, so there may be a better way!) by setting
$wgServer = "//myhostname.com/mediawiki";
This makes the server name "protocol relative" so it works with either HTTP or HTTPS. You can probably just set it to https://... though.
Then configure apache2 to redirect all HTTP traffic to HTTPS:
Edit the default SSL configuration (this assumes you are just using the default site):
sudo vim /etc/apache2/sites-available/default-ssl.conf
to read something like:
# Redirect HTTP to HTTPS
<VirtualHost *:80>
ServerAdmin admin@example.com
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
# Normal HTTPS config for default site
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ServerAdmin admin@example.com
ServerName example.com
DocumentRoot /var/www/html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enable the default SSL site, if you haven't already (this creates a link from sites-enabled to sites-available)
sudo a2ensite default-ssl
This assumes that you have already obtained an SSL certificate (I generated a self-signed one) which has been placed in /etc/apache2/ssl/apache.pem and /etc/apache2/ssl/apache.key as referenced in the config above.
Finally get apache to use the new config:
sudo service apache2 restart
(Or reload may be enough)
My answer assumes that you already have Apache listening for https traffic on port 443. If that's not the case, you need to set that up first. The procedure will be different depending on what operating system you are running.
You want to do this in Apache. On my Ubuntu system, there's a file /etc/apache2/ports.conf which contains the following line:
Listen 80
You will have a similar config file that contains that line. Delete it, and don't forget to restart Apache.
Another way to accomplish this, which allows for more complex Apache configurations where you allow HTTP access to some parts of the site, is to use a .htaccess file in your MediaWiki directory. Try this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Given that your web server is set up to support https in general, insert or update the following line in your LocalSettings.php configuration file of MediaWiki:
$wgForceHTTPS = true;
This redirects all queries using http to https and is an alternative to a redirect rule in the web-server configuration.
See also:
$wgForceHTTPS
MediaWiki HTTPS Manual