Getting intermittent 400 Bad Request error - apache

I recently moved my website over from AWS to an Ubuntu server on Digital Ocean. I did this with a number of other websites - couple of Wordpress blogs, a simple static site, and this one, which is also a simple static site.
All of the other websites are fine, but for this one I'm getting the error 400 Bad Request (nginx) intermittently, even though I'm using Apache as the web server.
The Apache config is in /etc/apache2/sites-available/www.mysite.com.conf and looks like this:
<VirtualHost *:80>
ServerName www.mysite.com
ServerAlias mysite.com
ServerAdmin hi@me.ie
DocumentRoot /var/www/html/www.mysite.com
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The website is a single page static site (index.html) that lives in /var/www/html/www.mysite.com/
The DNS is:
A - @ - 12.345.67.89 (not real)
CNAME - www - mysite.com
I see nothing at all in the logs (/var/log/apache2/*.log) when the 400 occurs, and all the normal stuff when it loads successfully. There appears to be no pattern as to when it works or doesn't - www or no www, browser, sometimes when I refresh lots of times it loads, sometimes it loads partially with the assets/images not loading (giving a 400).

Turns out unbeknownst to me there was a domain redirect in place, in addition to the A record. Seems to be the cause of the strange behaviour.

Related

Tomcat assets fail to load over Apache reverse proxy

Accessing my tomcat webapp over SSL (https) has been working for years, but recently something strange started happening, possibly related to using docker container tomcat:8-jdk8 (which is v 8.5.75) instead of tomcat:8.5.41-jdk8 (which is no longer available). When I try to access my tomcat app through Apache's reverse proxy, over SSL (https://example.com/myapp), the main wire framework HTML page loads, but all of the js and css assets get 404s because they are missing the app dir in the base url, so nothing visible actually loads on the page. For example, the html requests https://example.com/assets/ex.js instead of https://example.com/myapp/assets/ex.js (note myapp/).
However, I can access the app and everything is working 100% when accessed without Apache/SSL (http://example.com:8080/myapp).
Most strange of all, if I access the app without SSL (http://example.com:8080/myapp), and then in the same tab, change the url to the SSL path (https://example.com/myapp), then everything loads fine and functions properly. At that point, I can even Empty Cache and Hard Reload, and everything still loads fine over SSL. I checked the headers of all network requests, and everything is loading over SSL. This same behavior occurs in Chrome, Firefox, and Safari. However, in Chrome and Safari, if I visit any other website in that tab and then try to load my app over SSL, it fails; in Firefox, the same tab will keep loading my app regardless of interceding website visits.
The Apache config looks like this:
<VirtualHost *:80>
Servername example.com
## The following email address is setup in /etc/postfix/localusers
ServerAdmin webmaster@localhost
UseCanonicalName On
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://example.com%{REQUEST_URI} [R=301,QSA,L]
## R=redirect, QSA=keep any query string, L=last rule to evaluate, stop.
</VirtualHost>
<VirtualHost *:443>
Servername example.com
UseCanonicalName On
ProxyPass /myapp http://127.0.0.1:8080/myapp/
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificateFile /etc/ssl/certs/ca.crt
SSLVerifyDepth 2
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/example_ssl-error.log
CustomLog ${APACHE_LOG_DIR}/example_ssl-access.log combined
</VirtualHost>
The tomcat config is the default config that comes in the tomcat docker container. I do not have a META-INF/ directory in my project.
Question 1: why does tomcat provide the correct URLs over Apache/SSL only after the browser first visits tomcat directly without Apache/SSL?
Question 2: How can I get this app to load over SSL all the time (by always including the app name in the base url)?
Source and target paths in your redirects are inconsistent. Remove the last / in the target path.
ProxyPass /myapp http://127.0.0.1:8080/myapp
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp
The mapping with the extra / caused a double // in the path, which I guess caused problems down the road with processing the path in generation of the page.
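The prefix substitution described in this answer, as an added example that is not part of the original posts: `proxy_target` models how the matched source prefix is swapped for the target and the remainder appended unchanged, and `slash_mismatches` flags ProxyPass/ProxyPassReverse lines whose source and target disagree on the trailing slash. Both function names and the embedded config samples are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the directives from the question and from the answer.
BROKEN = """ProxyPass /myapp http://127.0.0.1:8080/myapp/
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp/"""
FIXED = """ProxyPass /myapp http://127.0.0.1:8080/myapp
ProxyPassReverse /myapp http://127.0.0.1:8080/myapp"""

DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", re.I)


def proxy_target(path, src, dst):
    """Model of the mapping: replace the matched prefix, append the rest as-is."""
    if not path.startswith(src):
        return None  # this ProxyPass line does not apply to the request
    return dst + path[len(src):]


def slash_mismatches(conf_text):
    """Return (line, directive, source, target) where trailing slashes disagree."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m or m.group(3) == "!":  # "!" means "do not proxy this path"
            continue
        name, src, dst = (g.strip('"') for g in m.groups())
        if src.endswith("/") != urlsplit(dst).path.endswith("/"):
            findings.append((lineno, name, src, dst))
    return findings


if __name__ == "__main__":
    request = "/myapp/assets/ex.js"
    print(proxy_target(request, "/myapp", "http://127.0.0.1:8080/myapp/"))
    print(proxy_target(request, "/myapp", "http://127.0.0.1:8080/myapp"))
    for finding in slash_mismatches(BROKEN):
        print("mismatch on line %d: %s %s %s" % finding)
```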

Hostname SNI/HTTP mismatch for www.example.com but not example.com

I've had a look at this question, but none of the answers seem to apply. The errors aren't being generated by bots or deliberate attempts to test vulnerabilities - if I enter www.example.com in my browser's address bar (tested on multiple browsers), I will receive a Bad Request error, and the following error will be present in my log for that time:
Hostname example.com provided via SNI and hostname www.example.com provided via HTTP are different
There are also no subdomains that would be causing the underscore issue mentioned in another answer.
I've attempted to add the following lines in my sites-available configuration file in the VirtualHost, but it didn't seem to have any effect:
ServerName example.com
ServerAlias www.example.com
The SSL certificate is from LetsEncrypt, currently valid, and the SANs appear to be correctly listed as www.example.com and example.com.
I've never seen an issue like this before, so I'm not even sure what other information might be relevant to the question.
"if I enter www.example.com in my browser's address bar (tested on multiple browsers), I will receive a Bad Request error, and the following error will be present in my log for that time:"
To make things clean, and to follow the general drifting away from www use on the Internet, I use this configuration in Apache. It will cause a redirect back to https://example.com every time, making that the canonical domain part of the URL, which makes Google Webmaster Tools and Google Analytics happy.
Two virtual host files:
example.com.conf:
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/example.com/public
..
www.example.com.conf:
<VirtualHost *:80>
ServerName www.example.com
Redirect permanent / https://example.com/
CustomLog ${APACHE_LOG_DIR}/access_example.log vhost_combined
</VirtualHost>
On Apache to start up the website:
a2ensite example.com
a2ensite www.example.com
service apache2 reload
Install the Let's Encrypt certificates:
letsencrypt --apache -d example.com -d www.example.com
I have been running this configuration for years on 20+ live websites and only see the automatic redirect from the www.example.com to the example.com in the browser, so no errors.
But having said that, I monitor my logs closely and I see this:
Hostname example.com provided via SNI and hostname www.example.com provided via HTTP are different
It will come up randomly at random times on a subset of my websites. It appears to be the noise of the Internet, no real consequence.

Request to apache2 server always redirects to /var/www (Index of /) site

I am currently trying to set up virtual hosts following this tutorial on DigitalOcean.
The dummy-site I am trying to serve is under /var/www/example/html/index.html. I have not registered an official domain but set up /etc/hosts/ to resolve example.com to the IP address of my server.
I created another conf file called example.conf under /etc/apache2/sites-available and enabled it with sudo a2ensite example.conf and disabled the 000-default.conf.
Now whenever I go to example.com in my browser I get served:
This is the same page I would get when directly going to the IP address of my server. Only when I go directly to example.com/example/html I get served the correct index.html.
My current config looks like this:
<VirtualHost *:80>
ServerAdmin admin@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
And my /etc/hosts file on my laptop like this:
#<ip-address> <hostname.domain.org> <hostname>
<server-ip> example.com
There are some other folders inside /var/www/ as the company I rented the server from had some maintenance sites preinstalled, but that shouldn't matter in this situation. (See edit, this did actually matter).
It feels like I am missing something obvious here, but I can't find a solution for my problem.
Edit:
The obvious thing I was missing was that 2 additional sites were enabled by default as well.
One had the following contents:
# 10_froxlor_ipandport_<ip-address>.conf
# Created 28.11.2019 21:05
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.
<VirtualHost <ip-address>:80>
DocumentRoot "/var/www/"
ServerName <predefined Server name>
</VirtualHost>
After disabling all the other sites, the request to example.com actually went to the right index.html.
I figure, that the above enabled site actually matched the request coming from my browser and showed the www root directory.

Subdomains with Apache Virtualhost

I have a server and registered a domain - say mysite.com - that is pointing to the IP address of the server. I tested the setup with a django project in the default.conf file. This works without a flaw, but my goal is to move this django site to a subdomain. As this didn't work as expected, I tried to get a minimal example working with a redirect.
This is what I have:
sites-available/sub.conf
<VirtualHost *:80>
ServerName sub.mysite.com
RedirectPermanent / https://google.com/
</VirtualHost>
I enabled the site via a2ensite sub and service apache2 reload. When visiting sub.mysite.com all I get is
Server not found
What am I missing?

Q: Disable access to default vhost and through server IP on Apache 2.4.10

I'm trying to get Apache 2.4.10 on Debian 8 "Jessie" up and running with multiple websites hosted on it. This might be an obvious and already answered question but I've never had the need to set-up a dedicated web host (usually just drop a WAMP server for development needs or pick up a web hosting service) and so far I have not had any luck finding an answer to my problem (I've found the complete opposite answers of what I'm trying to achieve). I need to get this working because apart from just hosting a couple of websites, there will be additional software set-up, for which, a regular web hosting service won't do.
Everything seems to be working as intended but the only problem is that I can't seem to find an optimal configuration which wouldn't just block access to default vhost with 403 - Forbidden. What I need is Apache to ignore requests (not just return a 404 document but tell the browser there's nothing there) from anyone accessing the default vhost or by accessing the server directly through its designated IP. The designated IP should be left for SSH access only (since I don't have any kind of physical access to this server).
Basically, the web server should be accessible from a web browser through "FQDN-1" and "FQDN-2" (each located in their individual directories) and access to any other web address on this server should be ignored (invoking browser "404 not found" instead of returning a server error document, which would indicate that something is there).
my current vhost files:
<VirtualHost *:80>
ServerName FQDN-1
ServerAlias www.FQDN-1
ServerAdmin mail@FQDN-1
DocumentRoot /var/www/FQDN-1/public_html
ErrorLog /var/www/FQDN-1/logs/error.log
CustomLog /var/www/FQDN-1/logs/access.log combined
</VirtualHost>
And
<VirtualHost *:80>
ServerName FQDN-2
ServerAlias www.FQDN-2
ServerAdmin mail@FQDN-2
DocumentRoot /var/www/FQDN-2/public_html
ErrorLog /var/www/FQDN-2/logs/error.log
CustomLog /var/www/FQDN-2/logs/access.log combined
</VirtualHost>
The default vhost has been disabled through "a2dissite 000-default"
Iptables block everything except tcp port 80 and 22 (SSH access is whitelisted in iptables to just a few specific IPs).
You can let the built-in name-based vhosting do the work for you. You can simply set up an additional (non default / non-first listed for *:80) virtualhost with
ServerName your-ip
and put a simple rule like
RewriteEngine ON
RewriteRule ^ - [F]
or
Redirect 403 /
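A small model of Apache's documented virtual host selection, added here as an example and not taken from any of the posts: the most specific address match is chosen first, then ServerName/ServerAlias within that set, and the first listed vhost is the fallback. It covers the froxlor question above (an IP-specific vhost beating `*:80`) and the IP-named vhost in this answer; the address 203.0.113.10, the `.invalid` names and the vhost labels are constructed placeholders.

```python
from fnmatch import fnmatch

# Constructed sample data. 203.0.113.10 is a documentation address standing in
# for the server IP; the vhost labels and placeholder names are assumptions.
IP = "203.0.113.10"
FROXLOR_CASE = [  # sites-enabled is read in alphabetical order
    {"file": "10_froxlor_ipandport", "addr": IP + ":80", "names": ["panel.invalid"]},
    {"file": "example.conf", "addr": "*:80", "names": ["example.com", "www.example.com"]},
]
DENY_IP_CASE = [
    {"file": "fqdn-1", "addr": "*:80", "names": ["fqdn-1.invalid", "www.fqdn-1.invalid"]},
    {"file": "fqdn-2", "addr": "*:80", "names": ["fqdn-2.invalid", "www.fqdn-2.invalid"]},
    {"file": "deny-ip", "addr": "*:80", "names": [IP]},  # ServerName your-ip, rule [F]
]

def addr_rank(addr, ip, port):
    """0 = does not match, 1 = wildcard address, 2 = exact IP address."""
    a_ip, _, a_port = addr.rpartition(":")
    if a_port not in ("*", str(port)):
        return 0
    if a_ip == ip:
        return 2
    return 1 if a_ip in ("*", "_default_") else 0

def select_vhost(vhosts, ip, port, host_header):
    """Return the label of the vhost that would serve the request, or None."""
    ranked = [(addr_rank(v["addr"], ip, port), v) for v in vhosts]
    best = max((rank for rank, _ in ranked), default=0)
    if best == 0:
        return None  # no vhost matches: the main server config handles it
    candidates = [v for rank, v in ranked if rank == best]
    host = host_header.lower().split(":")[0]
    for v in candidates:  # ServerName / ServerAlias (aliases may use wildcards)
        if any(fnmatch(host, name.lower()) for name in v["names"]):
            return v["file"]
    return candidates[0]["file"]  # no name matched: first listed vhost wins

def demo():
    return {
        "froxlor enabled": select_vhost(FROXLOR_CASE, IP, 80, "example.com"),
        "froxlor disabled": select_vhost(FROXLOR_CASE[1:], IP, 80, "example.com"),
        "Host is the IP": select_vhost(DENY_IP_CASE, IP, 80, IP),
        "unknown Host": select_vhost(DENY_IP_CASE, IP, 80, "scanner.invalid"),
    }

if __name__ == "__main__":
    for case, vhost in demo().items():
        print(f"{case}: {vhost}")
```

In this model a request with an unrecognised Host header still lands on the first listed vhost, so the IP-named vhost only catches requests whose Host is the IP itself.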