Subdomain forwarding to main domain on ssl requests only - apache

Below is a copy of my ssl.conf that I edited to remove any identifying information.
Currently, we have a wild card SSL cert, and multiple sub domains that we plan to host with this certificate. Apache confirms this should be possible
Right now, domain 2 is forwarding to www, but I can;t figure out why. In an effort to narrow it down, I removed the www virtualhost from the file altogether and redeployed.
the redirect still happened (and as the only vhost, it loaded the domain2 file structure)
I can't figure out where this redirect is happening. is it possible that there is an issue with the certificate? (I confirmed that the common name on the certificate is *.example.com)
Listen ip-of-server:443
LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
AcceptMutex flock
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
NameVirtualHost ip-of-server:443
<VirtualHost ip-of-server:443>
SSLEngine on
SSLStrictSNIVHostCheck on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/apache/ssl/STAR.example.com.pem
SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
ServerName "domain2.example.com"
DocumentRoot "/srv/www/domain2.example.com/public_html"
CustomLog "/srv/www/domain2.example.com/logs/access.log" combined
ErrorLog "/srv/www/domain2.example.com/logs/error.log"
<Directory /var/www/html>
AllowOverride none
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost ip-of-server:443>
SSLEngine on
SSLStrictSNIVHostCheck on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/apache/ssl/STAR.example.com.pem
SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
ServerName "www.example.com"
DocumentRoot "/srv/www/www.example.com/public_html"
CustomLog "/srv/www/www.example.com/logs/access.log" combined
ErrorLog "/srv/www/www.example.com/logs/error.log"
<Directory /var/www/html>
AllowOverride none
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>

Turns out at some point we had a 301 redirect that pointed domain2 to www. Google chrome had cached that 301. disabling cache with devtools open caused page to load correctly over ssl.

Related

Apache SSL vhost won't use DocumentRoot but rather uses server webroot

I have an apache config using a DV wildcard cert. The ssl.conf is configured to use the certificate for all server traffic.
My vhost conf file has two virtual hosts defined there. A production vhost and a dev vhost. The conf file contents are;
<VirtualHost *:443>
ServerName www.example.com
ServerAlias example.com
ServerAdmin webmaster#example.com
DocumentRoot /var/www/html/vhosts/prod_example_com/
<Directory "/var/www/html/vhosts/prod_example_com">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog "/var/log/httpd/www.example.com-error_log"
CustomLog "/var/log/httpd/www.example.com-access_log" common
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/comodo/STAR_example_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/csr/www_example_com.key
SSLCertificateChainFile /etc/pki/tls/certs/comodo/SectigoRSADomainValidationSecureServerCA.crt
</VirtualHost>
<VirtualHost *:443>
ServerName dev.example.com
ServerAdmin webmaster#example.com
DocumentRoot "/var/www/html/vhosts/dev_example_com"
<Directory "/var/www/html/vhosts/dev_example_com">
AllowOverride All
Require all granted
</Directory>
ErrorLog "/var/log/httpd/dev.example.com-error_log"
CustomLog "/var/log/httpd/dev.example.com-access_log" common
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/comodo/STAR_example_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/csr/www_example_com.key
SSLCertificateChainFile /etc/pki/tls/certs/comodo/SectigoRSADomainValidationSecureServerCA.crt
</VirtualHost>
So, when I go to https://dev.example.com, it works great. However, when I try to go to https://www.example.com, it instead goes to the Apache server webroot of /var/www/html.
Have I overlooked something?
Thanks in advance to any help offered?
I seemed to have found the issue. In my particular instance, the vhost.conf VirtualHost tags were change both to *:443, but what got everything back on track was commenting out ServerName www.example.com:443 from my httpd.conf and restarting Apache. I hope this helps someone else that may be suffering from this same issue.

Installed SSL on Apache server, page not responding

My question is about SSL installation. I purchased a new SSL for a website that's hosted on a Ubuntu 16.04 box with Apache 2.4.29. I was able to get this installed and I'm not getting any errors but my page is not redirecting. I've followed some guides (DigitalOcean) but feel as I'm missing something.
I have checked the sites-available files (000-default.conf, default-ssl.conf & example.com.conf) and I'm not seeing anything that's catching my eye, but I feel I migtht be missing something. I've checked the status of Apache and I'm not getting any errors and I've restarted the services several times to no avail.
Here's a general breakdown of what I have. Am I missing something? Is additional information required for setting this up?
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
Redirect "/" "https://example.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
SSLCertificateFile /root/example.com.crt
SSLCertificateKeyFile /root/www.example.com.key
SSLCACertificateFile /root/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>4
mydomain.com.conf
<VirtualHost *:443>
ServerAdmin admin#somedomain.com
ServerName mydomain.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/html
Redirect permanent / https://example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Here is my attempt at a combined configuration. Note that I do not have your setup to test it, but I have used similar configurations on production servers.
First define your port 80 VirtualHost (000-default.conf in your setup):
Listen 80
<VirtualHost *:80>
Redirect "/" "https://example.com/"
LogLevel debug
ErrorLog "${APACHE_LOG_DIR}/80_error.log"
CustomLog "${APACHE_LOG_DIR}/80_access.log" combined
</VirtualHost>
No need for a DocumentRoot since you redirect everything.
Then comment out default-ssl.conf. This file is an example of what you could do to setup an SSL enabled VirtualHost. If you use that file AND another VirtualHost on port 443, this one will always be used, since Apache uses the first VirtualHost it finds that matches the client's request (here port 443).
Another point, VirtualHost are not "added" to one another. Each is independent of the others and must contain a complete configuration. This means you cannot put some configuration in on VirtualHost on port 443, and some in another and expect it to work.
Then create your example.com.conf file:
Listen 443
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin#example.com
SSLCertificateFile "/root/example.com.crt"
SSLCertificateKeyFile "/root/example.com.key"
SSLCACertificateFile "/root/intermediate.crt"
LogLevel debug
ErrorLog "logs/443_error_log"
CustomLog "logs/443_access_log" combined
DocumentRoot "/var/www/example.com/html"
DirectoryIndex index.html
<Directory "/var/www/example.com/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Some notes:
I put the LogLevel at debug, so you can troubleshoot, but once it is working, change it to error. Otherwise you will have huge log files quickly!
For the same reason, I split the logs for port 80 and port 443. Each VirtualHost should have its own logs.
The certificate files must match the domain name. Not the filename (although it makes it easier to match), but the certificate itself.
If you want your certificate to cover example.com and www.example.com, both names must be added to the alternate names in the certificate.
I do not understand why you have Redirect permanent / https://example.com in your configuration. You are already in the https, port 443 VirtualHost.
The options based on <FilesMatch> directives in the default ssl configuration can be added if you want.
This setup will ensure that all http requests will be redirected to https://example.com. Then it will use the :443 VirtualHost, use the proper certificate for that domain and serve the content from the DocumentRoot directory.

How apache2 can deny connections to a domain which is not hosted

I am hosting website iplocation.io on a cloud server. I found a domain https://chrissloey.com/index.php which opens my website within it.
Now from what I understand, chrissloey.com has pointed it A record to my server ip and my apache2 server is not denying connection to it and allow's to open iplocation.io website content like its own.
I want apache2 to deny connections to any other domain and only allow my own domain to server content.
Attached is apache conf file for iplocation.io
<VirtualHost *:80>
ServerAdmin email#email.com
DocumentRoot /var/www/public_html
ServerName iplocation.io
ServerAlias www.iplocation.io
ErrorLog ${APACHE_LOG_DIR}/apache-error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/public_html>
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName iplocation.io
ServerAdmin email#email.com
DocumentRoot /var/www/public_html
SSLEngine on
SSLCertificateFile /path-to-csr
SSLCertificateKeyFile /path-to-key
SSLCertificateChainFile /path-to-ca
<Directory /var/www/public_html>
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
</IfModule
Looking at the two comments I think the combination makes most sense:
Configure httpd to respond with redirect (301) to all incoming requests. This could be done on the 'root' host.
Configure a virtualhost listening to your domain only, and this one would serve your real content only.
This will work unless the other site requests your content and then integrates it into their responses. But as you said someone else simply put up a DNS A record.

Apache really slow with alias

I face a really strange issue with Apache2 (v2.4.7).
Our sites have both domain.com and www.domain.com, with and without HTTPS
When I only enable one of them with SSL, it response take less than 0.01s.
When I enable both of them with SSL, it takes more than 1 minute to answer.
There's no issue with "classic" HTTP configuration file, only the one with SSL
I've tried both with independent configuration files, or with aliases. No matter, more or less the same big response time.
Here's the config file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com # Fast when commented, slow when enabled
ServerAdmin webmaster#localhost
DocumentRoot /var/www/site
ErrorLog ${APACHE_LOG_DIR}/site-error.log
CustomLog ${APACHE_LOG_DIR}/site-access.log combined
<Directory "/var/www/site/blog">
AllowOverride All
Options FollowSymLinks
allow from all
order allow,deny
</Directory>
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/domain.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/domain.com-0001/chain.pem
</VirtualHost>
</IfModule>
Do you have any idea how to fix this or where does the issue comes from?
Thank you for help ;)
That's strange. Are you sure if you have mod_alias enabled and loaded? You can find that out by issuing this command on a ssh console:
httpd -t -D DUMP_MODULES | grep alias
What you can try though it this: Get your server's ip (no matter if it's private or public) from your main ethernet card and use it in your apache configuration.
Replace:
<VirtualHost *:443> with <VirtualHost server-ip:443> for all your vhosts
Restart apache and try again

hosting multiple SSL certs on apache

I hope someone can give me a hand with this. I have 2 IPs that I can use to do this and need to host 2 different secure (SSL) domains on the same Apache server. I've read that as of Apache 2.2.something that a single IP can be used, using some sort of add-in but I want to keep this as simple as possible and am willing to use both IPs to accomplish this task. I already have the 2 signed certificates for the domains.
This setup that I am posting here, works, but the issue I am having is that when I go to domain2.net, I receive a browser warning telling me that the cert does not match the domain but matches domain1.com
I'm using CentOS 5 and Apache 2.2.3. CentOS has a ssl.conf file and these lines are what I believe are giving me trouble:
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
I was under the impression that I could override these values in the virtual host containers and reference the keys that I need but it doesn't appear that way. When I comment these two lines out in the ssl.conf file, Apache won't restart. The ssl_log hints: SSLCertificateKeyFile
These are my virtual containers:
<VirtualHost 2.2.2.2:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain2.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.net.key
DocumentRoot "/var/www/domain2"
ServerName domain2.net
ServerAlias domain2.net
DirectoryIndex "index.php"
<Directory /var/www/html/domain2>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost 1.1.1.1:444>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
DocumentRoot "/var/www/html"
ServerName domain1.com
ServerAlias domain1.com
DirectoryIndex "index.php"
<Directory /var/www/html>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
How can I get these two domains to work using SSL? I've also tried to use the same port for the different IPs but again, Apache won't restart.
I'm truly lost on this so if someone could lend a hand, I'd really appreciate it.
Great question!
I was able to get two SSL certificates working on the same server. You should be able to do what you are trying to do.
The things in your configuration that stand out as odd to me:
I'd suggest using port 443 for both SSL-protected sites. You should have a specific instruction in apache's conf files somewhere for listening on port 443. For me it is located in /etc/apache2/ports.conf
Listen 443
.
It seems odd that you have ServerName and ServerAlias both using the same domain per virtual host. Try making the ServerAlias different or leaving it out:
ServerName domain1.com
ServerAlias www.domain1.com
.
I am assuming that you replaced your IPs and domains in your posted conf. Even if they are not the actual IPs you are using, you might want to double check that they can get you to the right place outside of SSL (since obviously SSL is not working).
.
Check the apache2 error log for more information. For me the log is located at: /var/log/apache2/error.log . You can set it with:
ErrorLog /var/log/apache2/error.log
And finally, for your reference here is my ssl-default (ssl.conf). I replaced my domains and IPs with the ones you used in your example conf. I have multiple subdomains working with NameVirtualHost since I have a wildcard cert:
<IfModule mod_ssl.c>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
# 1.1.1.1 = domain1.com
<VirtualHost 1.1.1.1:443>
ServerName www.domain1.com
ServerAdmin admin#domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/www.domain1.com/web
DirectoryIndex index.php index.html
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName secure.domain1.com
ServerAdmin admin#domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/secure.domain1.com/
DirectoryIndex index.php index.html
</VirtualHost>
# 2.2.2.2 = *.domain2.com
<VirtualHost 2.2.2.2:443>
ServerName admin.domain2.com
ServerAdmin admin#domain2.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain2.key
SSLCertificateFile /var/www/ssl/domain2.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ErrorLog /var/log/apache2/error.log
DocumentRoot /var/www/domain2/secure.domain2.com/web
DirectoryIndex index.php index.html
php_flag display_errors on
php_value error_reporting 7
</VirtualHost>
</IfModule>
I hope this helps!!
You don't need a separate ssl.config file, but if you want to use one, then put your SSL <VirtualHost XXX:443> containers in your ssl.conf file rather than in your httpd,conf file.
The other option which we use on our site is to put the settings from the ssl.conf file in our httpd.conf file and rename the ssl.conf file to something like ssl.conf.bak (to keep it for reference).
It might help to put this Apache command before the first Virtual Host:
SSLStrictSNIVHostCheck on
This enabled me to have several different domains each with its own keys running on the same IP without getting confused.