How to configure make Zabbix accessible using HTTPS? - Ubuntu Apache!
Currently Zabbix is accessible on Intranet via http://192.160.1.1/zabbix where I would like to setup to access it like https://192.160.1.1/zabbix
Thanks
I managed to arrange SSL on my Zabbix site by having a named vhost (mytest.site.com) with any docroot (/var/www/mytest.site.com/public_html). Zabbix hooks into any /zabbix url, so it doesn't really matter which one. It is important that you have a valid DNS resolving to your vhost. Then use Letsencrypt to create a SSL certificate for that vhost and have it forward traffic to port 80 to port 443 (see https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04 for installation details).
Related
I have hosted website with a different port like http://example.com:8888
Its working fine but when I try to access with HTTPS(https://example.com:8888) it's giving me ERR_SSL_PROTOCOL_ERROR (This site can’t provide a secure connection)
I am using XAMPP and I have also configured an SSL certificate.
Please help me to configure with HTTPS.
You need to enable ssl in the VH listening on the new port
SSLEngine On
and you have to provide all the proper configurations required such as the keyfile, and the certificate file.
Official doc: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
I have two iis websites. One I have a localhost on port 80 and was setup for dydns with ssl port forwarding external: 443 and internal port:1124 and the website is working perfectly with dydns access.
I wanted to setup another website with the ssl port but was unable to do so. As when I set the port forwarding external Ssl:443 and the internal ssl port:1129. the other dydns entry redirects to the first website. This website does not work without https.
So. How do I setup two websites for ssl port forwarding on the same machine?
Any help is appreciated.
You don't necessary need an entirely different port for each website you host on the same machine. You can use the same http/80 and https/443 to serve multiple website through virtual hosts.
I'm not familiar with IIS, but I do know that it's possible on IIS just like Apache and NGINX does. You can read about setting up virtual hosts on IIS here. Also I answered a similar question here.
I use a Bitnami MEAN installation (https://bitnami.com/stack/mean) v 3.2.11 on EC2. I didn't do any extra modifications of the apache2 setup except for the rerouting the port where my app runs to port 80, like this
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
Now my app is available fine on :80 port via http:// but I can't make it run via https://. But access via https is what I wanted to achieve. I could not figure the right step by step guide on how to create or enable SSL. All Bitnami docs sound like it's assumed to be working already.
As far as I understood from - https://docs.bitnami.com/aws/components/apache/#https-port the basic certificate is already included into the setup so you can make use of that one without creating your own. The only thing you need is to enable it - That may be wrong assumption, let me know.
Also here on bitnami support it says
Apache waits for HTTPS requests on port 443. Change that by editing
the /opt/bitnami/apache2/conf/bitnami/bitnami.conf file and modifying
the value specified in the Port directive. For example:
Listen 8443
Does that mean that I need to reroute my :5000 port to :8443 ??
I've also found this question - Installing SSL on AWS EC2 Bitnami Mean Stack that didn't recieve a proper answer for more than a year.
Does that mean that I need to reroute my :5000 port to :8443 ??
No, you don't need to redirect that. Your problem is that you're proxy-passing every request from port 80 to 5000 (where your app runs) but when using HTTPS your requests use the port 443. Those request are not being proxy-passed to port 5000 and, therefore, your app doesn't receive them.
What Apache configuration file did you modify including those lines? You need to be sure that both the VirtualHosts for port 80 and the one for port 443 include the ProxyPass redirections. For example, if you edited the file /opt/bitnami/apache2/conf/bitnami/bitnami.conf, ensure you add it in the Virtualhosts <VirtualHost _default_:80> and <VirtualHost _default_:443>
As far as I understood from - https://docs.bitnami.com/aws/components/apache/#https-port the basic certificate is already included into the setup so you can make use of that one without creating your own.
Yes, the Bitnami Stack includes a dummy certificate. However, it's recommended to create your own one since the browsers won't recognize it as a valid one since it's self-signed. You can find more information in the link below:
https://docs.bitnami.com/aws/components/apache/#how-to-create-an-ssl-certificate
I have a wildcard SSL certificate on my apache server. It works perfectly with my domain, but the mistake is that it works with all the domains on my apache server ! And I don't want it, when I go on https://www.mywebsitewithouthttps.com, firefox tell me that the page is not secure because the certificate is for www.mydomainwithhttps.com. If I add an exception for this SSL error on my browser, it is not "mywebsitewithouthttps.com" that is display but "mydomainwithhttps.com" (on this URL : https://www.mywebsitewithouthttps.com) !
I don't want my certificate to work for all the other domains ! It's a big problem because Google is crawling and indexing all my other domains on HTTPS with the content of mydomainwithhttps.com :-(
This my virtualhost for SSL :
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.mydomainwithhttps.com
DocumentRoot "/home/mydomainwithhttps/www"
suPHP_Engine On
suPHP_AddHandler x-httpd-php
suPHP_UserGroup mydomainwithhttps users
AddHandler x-httpd-php .php
SSLEngine on
SSLCertificateFile /certificates/ssl_certificate.crt
SSLCertificateKeyFile /certificates/www.mydomainwithhttps.com.key
SSLCACertificateFile /certificates/IntermediateCA.crt
</VirtualHost>
If you make a HTTPS request the client will establish a TCP connection to the relevant IP and port (usually 443) at the server. If the connection succeeded it will start the TLS handshake and during the TLS handshake it will get the certificate for validation.
If you have multiple servers at the same IP address and port they all share the same TCP listener. Since the TCP connection attempt has no information about the targets server name but only has the targets IP address and port the listener will accept all connection attempts, even if the (yet unknown) target hostname has no HTTPS configured.
Modern clients then send the target hostname inside the TLS handshake and only then the server knows what the client wants. If it has HTTPS configured for the requested name the server can send the appropriate certificate. If HTTPS is not configured for this name the server will either send a default certificate or close the connection (maybe send a TLS alert when closing).
In summary this leaves you with the following options:
Use a different IP address for HTTPS sites and non-HTTPS sites. This way the TCP connection will already fail because the server is not listening for connections on this IP:port.
Configure your server to return an error when the client requests a hostname for which no HTTPS is configured. This way the client will probably get some strange error message about HTTPS problem in the browser. I'm not sure but maybe you can setup Apache this way when using the SSLStrictSNIVHostCheck on option. If this option does not help then apache might not support this kind of setup.
Configure your server to use a default certificate (usually the first configured certificate) whenever the name does not match or the client does not support SNI. The client will get a certificate mismatch warning in the browser. This is the setup you currently have.
Setup HTTPS properly for all domains either by having separate certificates or by including them all into a single certificate.
Thus to make sure that the bots don't assume that your site can do HTTPS you need to go with option 1 or 2. Please note also that in all of these cases you expect the bots to support SNI, which not all do. Therefore for best compatibility you would need to use a separate IP address for each HTTPS site.
You can configure the multi domain with SSL and with different certificate on both UBUNTU and RHEL by following multi donain with ssl
The problem is that Apache will try to find config for https://www.mywebsitewithouthttps.com/ and when it doesn't, it will default back to the first https config (the one for mydomainwithhttps).
This will show a cert error but, as you've experienced, if you click through, you see the wrong site.
I cannot however understand Google crawling and indexing the site. I would have thought it would have stopped when it saw the cert error? I'd be very surprised if that is not the case but if it's not you can put a rewrite rule on for those hostname a to redirect back to http.
There's only 2 ways around this:
Get certs for the other domains so you can connect via https. You can still redirect back to http if you really want.
Separate out the servers with https to a different server (or a different IP on the same server and set up Apache config to listen on port 443 on https IP address only).
That's just the way Apache (and most - if not all - other webservers) work.
I have a vps running on ubuntu 12.04 with apache2. My question is, if I am going to install ssl cert and etc. to it am i able to use https directly to my domain? I just add A Record at my domain provider with the VPS IP Address.
Essentially, yes.
Remember to make sure that Apache is listening on https (and it's setup as it should be with the certs and mod_ssl) and if you have a firewall active, the port for https (443) is open.
Otherwise, all you would need to do is add your record to the DNS server.