I have a server running lots of virtual machines, but only one public IP (and absolutely no way to obtain more). Many of these VMs use port 80 to display web content. At the moment, I use different ports to access these WebUIs, such as mydomain.com:9000, mydomain.com:7000, and so on.
What I want is to have subdomains, more like service1.mydomain.com, service2.mydomain.com...So I create a proxy VM onto which I redirect everything coming from port 80 and redirecting to internal IPs based on what the subdomain is.
Now my problem is the following: I have an SSL certificate from mydomain.com/www.mydomain.com. How can I set it up so the proxy propagates it? To me, the solutions are:
the certificate is on the proxy, so the proxy does this:
internal VM:http ---> proxy: http to https ----> outer world: https
the certificate is on the VM hosting the service and the proxy does not propagate the certificate, so the proxy does this:
internal VM: https ---> proxy https to http ---> outer world: http
the certificate is on the VM hosting the service and the proxy propagate the certificate, so the proxy does this:
internal VM: https ---> proxy: https ---> outer world: https
I'd prefer the last solution, but I don't know how to set it up on both Apaches, knowing that Apache on SSL-enabled VMs is configured as is:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
TransferLog ${APACHE_LOG_DIR}/transfer.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
CustomLog ${APACHE_LOG_DIR}/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Thanks in advance ;)
Related
I have an issue with my virtual host SSL configuration.
My site works on the basic domain www.my_domain.com for both HTTP and HTTPS but doesn't work on all the subdirectories.
Example:
http://www.my_domain.com - works
https://www.my_domain.com - works
http://www.my_domain.com/secondary - works
https://www.my_domain.com/secondary - doesn't work
My virtual host setup is as follows:
<VirtualHost *:80>
ServerAdmin my_domain#gmail.com
DocumentRoot /var/www/html/
ServerName www.my_domain.com
ServerAlias my_domain.com
ErrorLog /var/www/html/error.log
Alias /secondary /var/www/html/secondary/
<Directory /var/www/html/secondary/>
Options FollowSymLinks MultiViews
allow from all
order allow,deny
AllowOverride All
</Directory>
</VirtualHost>
My ssl.conf setup is as follows:
<VirtualHost _default_:443>
ServerName www.my_domain.com:443
...
SSLEngine on
SLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
The error is: The requested URL /secondary was not found on this server.
Since it solved the OP`s problem, here is my comment as an answer.
Your SSL VirtualHost does not define a DocumentRoot, so it does not know where to look for /secondary. /secondary is only defined in your HTTP (port 80) VirtualHost. You have to put all the configuration in both if you want both to return the same content.
I have wamp server with client authentication I generated for specific sub folder:
Now , I want to access my site instead of https://www.domain.com/subdomain/app1 by using https://app1.domain.com
When I try to access the url I do get asked to choose client certificate , but when I choose the matching one I get error 403 forbidden.
When I generated my certificate using OpenSSL , I've used *.domain.com as CN for the server key.
Here is my virtual host definition in httpd-ssl.conf
<VirtualHost *:443>
ServerName www.domain.com:443
DocumentRoot "c:/wamp/www"
ServerAdmin admin#domain.com
ErrorLog "C:/wamp/bin/apache/apache2.4.9/logs/ssl_error.log"
TransferLog "C:/wamp/bin/apache/apache2.4.9/logs/ssl_access.log"
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10
SSLCertificateFile "C:\wamp\bin\apache\apache2.4.9\conf\cert\server.cer"
SSLCertificateKeyFile "C:\wamp\bin\apache\apache2.4.9\conf\cert\server.key"
SSLCACertificateFile "C:\wamp\bin\apache\apache2.4.9\conf\cert\ca.cer"
<LocationMatch ^(?=.*/subomain/app1/)(?!.*/subdomain/app1/service).*>
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "App1Key"
</LocationMatch>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "c:/wamp/bin/apache/apache2.4.9/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Also , I've created this vhosts.conf to allow subdomain.domain.com
<VirtualHost *:80>
ServerName www.domain.com
ServerAlias *.domain.com
VirtualDocumentRoot "C:\wamp\www\demo\%1"
ErrorLog "logs\errors.log"
<directory "C:\wamp\www\demo\%1">
Options FollowSymLinks
AllowOverride all
Order Deny,Allow
Deny from all
Allow from all
</directory>
</VirtualHost>
Update
I've added the following code to the ssl.conf based on an answer , but now the client certificate always works and it ignores the criteria of the LocationMatch
<directory "C:\wamp\www\demo\%1">
Options FollowSymLinks
AllowOverride all
Order Deny,Allow
Deny from all
Allow from all
</directory>
Lets say I want to have the equivalent criteria below to subdomain.domain.com
<LocationMatch ^(?=.*/subomain/app1//)(?!.*/subomain/app1//service).*>
#SSLOptions +StdEnvVars +ExportCertData
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "Shob"
</LocationMatch>
It's not your SSL setup that is giving the 403 forbidden.
Add this at the end of your <VirtualHost> block (just before the </VirtualHost> although it's only a preference to put it there) to give permissions to access the DocumentRoot folder for the virtual host:
<Directory "c:/wamp/www">
Order allow, deny
Allow from all
</Directory>
Or if you're on Apache 2.4 or later:
<Directory "c:/wamp/www">
Require all granted
</Directory>
You should also check if you had anything else in your previous <Directory> block when you had your previous setup, and bring that in too. For example, you might need to AllowOverride or set up some Options but the above will fix the problem you're asking about.
I'm trying to set up an Apache (2.4) server on Ubuntu. For now I'm just trying to get it to serve static pages from /var/www/html (although eventually I want to run a WSGI Python app).
Here's my sites-available/website.conf file:
<VirtualHost *:443>
ServerAdmin email#gmail.com
ServerName website.com:443
SSLEngine on
SSLCertificateFile /root/website.csr
SSLCertificateKeyFile /root/website.key
DocumentRoot /var/www/html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
(Replaced my actual domain with "website".)
When I try to connect to this by either going to my domain name or the server's IP, Chrome gives me ERR_CONNECTION_REFUSED ("This site can’t be reached").
I also tried with telnet:
root#website:/etc/apache2# telnet localhost 443
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
When I comment out all the lines to do with SSL from my config file, I can connect over telnet, but Chrome gives me ERR_SSL_PROTOCOL_ERROR ("This site can’t provide a secure connection", which I guess makes sense).
Here's also my ports.config, if that helps:
Listen 80
<IfModule ssl_module>
Listen 443
NameVirtualHost *:443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
(Yes, the SSL module is enabled.)
And the part of my apache2.conf that I often see referenced in similar questions:
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
This is my first time setting up an Apache server, so I'm guessing I'm messing up something simple here?
Check if ssl mode is activated here:
sudo a2enmod ssl
sudo service apache2 restart
My problem was here:
SSLEngine on
SSLCertificateFile /root/website.csr
SSLCertificateKeyFile /root/website.key
I was linking to the .csr, not the .crt. I also didn't link to something intermediate.
Here's how it is now, which fixed it:
SSLEngine on
SSLCertificateFile /root/domain.crt
SSLCertificateKeyFile /root/domain.key
SSLCertificateChainFile /root/DigiCertCA.crt
I have set up a virtual host to serve as a Web API in my company and due to the use cases we have configured a Django app that makes basic auth in a URL path. It was required to use cert auth, so in apache's side we configured client cert verification on another URL but seems not to be working, apache is allowing all traffic to this URL location, the request headers remain the same as if no auth was requested by the server.
The conf file is like this:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
WSGIPassAuthorization on
WSGIScriptAlias / /srv/www/site/site/wsgi.py
Alias /favicon.ico /srv/www/site/static/img/favicon.ico
Alias /static/ /srv/www/site/static/
Header set Access-Control-Allow-Origin http://127.0.0.1:9000
SSLVerifyClient none
SSLCACertificateFile ssl.crt/ClientCheck_CA.crt
DocumentRoot /srv/www/site
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /srv/www/site>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Location /api-certauth/>
SSLVerifyClient require
SSLVerifyDepth 3
SSLOptions +ExportCertData
</Location>
<Directory /srv/www/site/static>
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Basically, when I request http://server-name.com/api-certauth no auth was requested to my browser like any other URL in the server
Solved my problem, changed port 80 for 443
One of my magento stores (ready to go to production) has been all fine untill today I added SSL to the apache server. the SSL installation is fine with the padlock showing in the address bar.
the problem is after clicking \\"check out\\” the server goes to https and returns (I have rewrite on)
https://www.thedomain.com/checkout/onepage/
Forbidden
You don\\’t have permission to access /index.php on this server.
Apache/2.2.22 (Ubuntu) Server at www..... Port 443
the one page checkout works fine without SSL connection
my ssl configuration file (which stores the SSL key/certification locations) are as follows:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory \\\"/usr/lib/cgi-bin\\\">
AllowOverride All
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
....
....
<FilesMatch \\\"\\\\.(cgi|shtml|phtml|php)$\\\">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch \\\"MSIE [2-6]\\\” \\\\
nokeepalive ssl-unclean-shutdown \\\\
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch \\\"MSIE [17-9]\\\” ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Nothing added into the apache error log.
As it works well without SSL the issue must be caused by the SSL coonfiguration, I have compared the SSL vhost setting to the non-SSL vhost still no luck
Anyone offer some help? this is the last step before this store goes live…
error_log after rising verbosity shows:
Non-default virtual host with SSLVerify set to 'require' and
VirtualHost-specific CA certificate list is only available to clients
with TLS server name indication (SNI) support
Commenting out SSLVerify require in httpd.conf has fixed the problem.
Try setting the secure base url from backend with the exact url for eg https://www.yourdomain.com