HTTP/2 on Apache (Ubuntu 14.04) does not work - apache

I've tried many tutorials on how to enable HTTP/2 on an Apache server, e.g.:
http://pixelinc.co/ubuntu-14-04-3-apache-http-2-web-server-setup/
https://www.gatherdigital.co.uk/community/post/how-to-setup-http-2-support/41
https://icing.github.io/mod_h2/howto.html
https://www.youtube.com/watch?v=8OM_eqRAsMM
etc...
But without success.
Here is my configuration:
$ apache2 -v
Server version: Apache/2.4.23 (Ubuntu)
$ apachectl -M
Loaded Modules:
...
http2_module (shared)
...
ssl_module (shared)
...
Here is my /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin info#example.net
DocumentRoot /var/www/html
ServerName example.net
ServerAlias www.example.net
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
Protocols h2 http/1.1
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
When I try to load my page (https://example.net) in Chrome, I can see this response header:
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2016 12:05:08 GMT
Server: Apache/2.4.23 (Ubuntu)
Upgrade: h2
Connection: Upgrade, Keep-Alive
Last-Modified: Thu, 30 Jun 2016 14:22:30 GMT
ETag: "b18-5367f99a49580-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 538
Keep-Alive: timeout=5, max=100
Content-Type: text/html
Am I missing something? Can you give me any hints?

Define "doesn't work". I see the Upgrade header, so it looks good to me.
I suspect a problem with the HTTPS setup.
Either you're on OpenSSL 1.0.1 and using Chrome (which requires OpenSSL 1.0.2 for ALPN support). Check it in Firefox or Opera to confirm.
Or you're using older ciphers which are blacklisted under HTTP/2. Add the following config to force a decent HTTPS config where possible:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
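As an added diagnostic example (not code from the question or the answer above), the following Python codifies the answer's two checks: whether a captured response header block shows h2 negotiated, only offered via Upgrade, or absent, and which concrete suites in an SSLCipherSuite value fail the RFC 7540 HTTP/2 TLS requirements. The sample header block and cipher string are constructed from this page.

```python
# RFC 7540 section 9.2.2 requires TLS 1.2 with an ephemeral key exchange
# (ECDHE or DHE) and an AEAD cipher (AES-GCM or CHACHA20-POLY1305); suites
# using static RSA, CBC mode, 3DES, RC4 or NULL are on the Appendix A blacklist.
# Only OpenSSL 1.0.x/1.1.x (TLS 1.2) suite names are considered here.
AEAD_TAGS = ("-GCM-", "-CHACHA20-POLY1305")
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")

def h2_cipher_ok(name):
    """True if an OpenSSL cipher-suite name is usable for HTTP/2 under RFC 7540."""
    return name.startswith(EPHEMERAL_PREFIXES) and any(t in name for t in AEAD_TAGS)

def split_cipher_suite(value):
    """Split an SSLCipherSuite value into (h2-usable, blacklisted) concrete suites.
    Modifiers (!, +, -) and group aliases such as EECDH+AES128 or HIGH are skipped,
    because only the openssl tool can expand them into concrete suites."""
    ok, bad = [], []
    for token in value.split(":"):
        if token[:1] in "!+-" or "+" in token or "-" not in token:
            continue
        (ok if h2_cipher_ok(token) else bad).append(token)
    return ok, bad

def diagnose_response(raw):
    """Classify a response header block captured from the browser's dev tools."""
    lines = raw.strip().splitlines()
    if lines[0].startswith("HTTP/2"):
        return "h2"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    offered = {p.strip() for p in headers.get("upgrade", "").split(",")}
    if "h2" in offered:
        # ALPN did not select h2: OpenSSL < 1.0.2 on the client/server, or a blacklisted cipher
        return "h2 offered but not negotiated"
    # Protocols directive or mod_http2 not in effect for this virtual host
    return "h2 not offered"

# Constructed sample: the header block from the question and the suite from the answer.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.23 (Ubuntu)
Upgrade: h2
Connection: Upgrade, Keep-Alive
Content-Type: text/html
"""
SAMPLE_SUITE = "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
```

Running diagnose_response on the question's headers reports that h2 is offered but was not negotiated, which is the ALPN or cipher problem the answer describes.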

Updating Ubuntu 14.04 to 16.04 did it!

Have you added Protocols h2 h2c http/1.1 to /etc/apache2/apache2.conf?
This has worked for me.
Before, it was only in the sites-enabled conf.

Related

How to bind SSL certificate having crt file

I'm installing an SSL certificate on my website and I tried the following steps, but the website is still not working on https and still working on http.
I already bound my crt file as below:
<VirtualHost _default_:443>
DocumentRoot /var/www/http
ServerName my_domain.com
SSLEngine on
SSLCertificateFile /path/to/coolexample.crt
SSLCertificateKeyFile /path/to/privatekey.key
SSLCertificateChainFile /path/to/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
After typing the command apache2ctl configtest
it shows Syntax OK.
But after typing the last command apache2ctl restart
it shows the following error message:
httpd not running, trying to start
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Action 'restart' failed.
The Apache error log may have more information.
To activate SSL encryption you need an extra VirtualHost for port 443. This is often done within Apache/conf/extra/httpd-ssl.conf, which is platform dependent.
Within such a file you need an entry like (Windows example):
<VirtualHost *:443>
DocumentRoot "C:/webserver/html/my_html"
ServerName www.example.com
Protocols h2 http/1.1
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/portal.digipen.de-crt.pem"
SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/portal.digipen.de-key.pem"
SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-portal.digipen.de-crt.pem"
<IfModule headers_module>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set x-frame-options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLProxyEngine on
EnableSendfile off
EnableMMAP off
</VirtualHost>

Apache 2.4 and SSL: AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate

I was searching all day on Google and here, and nothing works for me.
I have an Ubuntu 16.04 server with Apache 2.4 and multiple virtual hosts. I am trying to configure a self-signed SSL certificate for one of my sites. I followed these two tutorials:
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04
But right now, if I try to enter my site, it's not visible. Firefox throws me an error like this:
Secure Connection Failed
The connection to the server was reset while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
If I tail /var/log/apache2/error.log after running service apache2 restart, I find these errors:
[ssl:error] [pid 14916] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=user#emial.com,CN=example.com,OU=Example,O=Example,L=Test,ST=Test,C=MX / issuer: emailAddress=user#emial.com,CN=example.com,OU=Example,O=Test,L=Test,ST=Test,C=MX / serial: 9AD648D7C9AD4A03 / notbefore: May 3 22:28:46 2017 GMT / notafter: May 3 22:28:46 2018 GMT]
[ssl:error] [pid 14916] AH02604: Unable to configure certificate example.com:443:0 for stapling
And I don't understand what is wrong. My Virtual Hosts look like this:
<VirtualHost *:80>
DocumentRoot /var/inetpub/example.com
ServerName example.com
ServerAdmin user#email.com
ErrorLog "${APACHE_LOG_DIR}/example-error.log"
CustomLog "${APACHE_LOG_DIR}/example-access.log" common
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin user#email.com
ServerName example.com
DocumentRoot /var/inetpub/example.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example.com/apache-selfsigned.crt
SSLCertificateKeyFile /etc/apache2/ssl/dexample.com/apache-selfsigned.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
<Directory /var/inetpub/example.com>
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
# Require all granted
</Directory>
The files /etc/apache2/ssl/example.com/apache-selfsigned.crt and /etc/apache2/ssl/dexample.com/apache-selfsigned.key exist. I don't understand what the problem is... What should I check?
Thanks.
EDIT 1:
In the virtualhost I added this line:
SSLUseStapling off
And the error no longer appears in error.log, but I still can't enter the site with https in the browser. I don't know if this helps, but if I use elinks directly on the server:
elinks https://www.example.com
This loads the site correctly. But if I try to enter it in my computer's browser, I can't see it. The URL without https works fine in both.
Turning SSLUseStapling off as suggested above DOES NOT work, at least in my case. The web server apache2 suddenly went down.
I had to comment out these lines in 000-ispconfig.vhost, and it works with http:
#SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
#SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key

Apache2 SSL Configuration with Virtual Hosts on Ubuntu 14.x

I would like to have ONLY https traffic. I want all of it to be driven to https://example.com and https://www.example.com.
At present this is what works and doesn't work:
https://www.example.com - ok!
http://www.example.com - shows a list of files in my webroot for some reason
https://example.com - This site can’t be reached / example.com refused to connect.
http://example.com - The example.com page isn’t working. example.com didn’t send any data.
I am using Ubuntu 14 (trusty) and here is my current enabled virtual host config:
<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerAdmin info#example.com
ServerName www.example.com:443
ServerAlias example.com:443
DocumentRoot /var/www/example.com/public_html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Any help much appreciated as I'm going nuts!
Did you try making a permanent redirect? https://wiki.apache.org/httpd/RedirectSSL

mod_ssl fails to load on apache restart after a2enmod ssl with error undefined symbol: ap_map_http_request_error

I am unable to get my apache2 instance to run on https.
I have a running website that works on http with a couple of aliases. I installed a self signed certificate and added the entries to the conf file. So far so good.
At this juncture apache2ctl configtest says OK.
I run a2enmod ssl and ssl gets enabled.
apache2ctl configtest or a service apache2 restart both fail with this error:
Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/ssl.load: Cannot load /usr/lib/apache2/modules/mod_ssl.so into server: /usr/lib/apache2/modules/mod_ssl.so: undefined symbol: ap_map_http_request_error
Action 'configtest' failed.
I verified that mod_ssl.so is in the specified path.
I verified that the symlinks to the files in sites-enabled are correct.
The certificate files exist in the specified path.
My ssl conf files look like this:
<IfModule mod_ssl.c>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
ServerName www.myserver.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
How do I fix this?

HTTPS images not caching

I'm having some problems with caching images on my web app. The images are cached after refreshing, but when I reopen the browser they're not cached anymore. I'm using HTTPS, but I'm not sure that's the problem. This is the response from the server:
Response Headers
Accept-Ranges: bytes
Cache-Control: public
Connection: close
Content-Length: 3711
Content-Type: image/png
Date: Mon, 21 May 2012 14:08:46 GMT
ETag: "446b5-e7f-4c0559b8c1c9f"
Expires: Wed, 20 Jun 2012 14:08:46 GMT
Last-Modified: Fri, 18 May 2012 20:43:41 GMT
Server: Apache/2.2.22 (Amazon)
And our httpd.conf:
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
ServerName [REMOVED]
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName [REMOVED]
#Force image type
AddType image/png .png
AddType image/jpeg jpeg jpg jpe
AddType font/x-woff .woff
#Cache
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(png|jpg|jpeg|gif)$">
ExpiresDefault "access plus 1 month"
Header set Cache-Control "public"
</FilesMatch>
#Logs
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
#SSL
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile [REMOVED]
SSLCertificateKeyFile [REMOVED]
SSLCertificateChainFile [REMOVED]
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#Proxy
DocumentRoot [REMOVED]
ProxyPreserveHost On
ProxyRequests Off
ProxyPass [REMOVED] http://localhost:8081/[REMOVED]
ProxyPassReverse [REMOVED] http://localhost:8081/[REMOVED]
ProxyPassReverseCookiePath [REMOVED] /
Alias [REMOVED] [REMOVED]
</VirtualHost>
Any clue? Thanks!
The headers are fine. Cache-Control: public and future Expires should do the job.
It seems like it's the browser's decision not to store the cache permanently (that kind of paranoia about HTTPS data is typical), and I don't think you can do anything about that.