We Keep Coding

Debugging 400 when using VirtualHost with custom hostname (apache)

This setup was working on an ubuntu 14.04 until a recent update (probably the update/ change in package itself is old).
An internal DNS resolves "piwik.7l" to 192.168.1.17 .
192.168.1.17 serves an apache with piwik on it and following conf
<VirtualHost *:80>
ServerName "piwik.7l"
ServerAlias www.piwik.7l
</VirtualHost>
The setup now does work if addressed by IP, but responds with a 400 Bad Request if browsed to via its domain (piwik.7l). The 400 page does contain
Apache/2.4.7 (Ubuntu) Server at piwik.7l Port 80 and after setting the LogLevel to debug, I see following messages in the error.log:
[Mon May 22 15:12:33.566249 2017] [core:debug] [pid 1559] vhost.c(794): [client 192.168.1.112:38587] AH02415: [strict] Invalid host name 'piwik.7l', problem near: .7l
[Mon May 22 15:12:33.566316 2017] [core:debug] [pid 1559] vhost.c(889): [client 192.168.1.112:38587] AH00550: Client sent malformed Host header: piwik.7l
[Mon May 22 15:12:33.566326 2017] [core:debug] [pid 1559] protocol.c(1356): [client 192.168.1.112:38587] AH00569: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
In scroll-friendly
[strict] Invalid host name 'piwik.7l', problem near: .7l
AH00550: Client sent malformed Host header: piwik.7l
AH00569: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
I tried various combinations of IP, port and domain name usage in the VirtualHost/ServerName/ServerAlias blocks and disabled all other VirtualHost-definitions.
To me it sounds as if Apache would try to validate the "tld" part of the domain (7l) in a strict way. Is there any way I can disable that or debug it further?
Edit
The relevant parts of apache2ctl -S:
VirtualHost configuration:
*:80 piwik.7l (/etc/apache2/sites-enabled/000-default.conf:1)
Edit 2
ping piwik.7l does resolve fine from the webserver and from my machine.

Thanks to #savedarios answer here: https://serverfault.com/questions/658537/apache-virtualhost-error-invalid-host-name/841984#841984
If found the solution to be the following change to my apache2.conf:
HttpProtocolOptions Unsafe

Installed self-signed SSL certificates, Apache won't start

I'm trying to build a website which requires the Stripe payment gateway, and therefore requires SSL. I'm using XAMPP on Windows 10. After generating SSL certificate and key pair and installing in Apache, Apache no longer starts.
I'm attaching a few error messages and configs. Please help.
This is message in Apache error log. It no longer reproduces these error messages. So something must've changed. I think I tried generating the certificate and key via a different method. But Apache still won't start.
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/xampp/apache/conf/ssl.key/server.key)
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] AH02311: Fatal error initialising mod_ssl, exiting. See C:/xampp/apache/logs/error.log for more information
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] AH02564: Failed to configure encrypted (?) private key www.loc1.dev:443:0, check C:/xampp/apache/conf/ssl.key/server.key
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sun Feb 19 15:45:25.312250 2017] [ssl:emerg] [pid 6508:tid 556] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
AH00016: Configuration Failed
This is the error I get when trying to start Apache from command line.
Apache 2 is starting ...
AH00548: NameVirtualHost has no effect and will be removed in the next release C:/xampp/apache/conf/extra/httpd-vhosts.conf:26
(OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : AH00072: make_sock: could not bind to address [::]:443
(OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : AH00072: make_sock: could not bind to address 0.0.0.0:443
AH00451: no listening sockets available, shutting down
AH00015: Unable to open logs
Here is the error that was posted in XAMPP Control Dialog.
1:16:13 PM [Apache] Error: Apache shutdown unexpectedly.
1:16:13 PM [Apache] This may be due to a blocked port, missing dependencies,
1:16:13 PM [Apache] improper privileges, a crash, or a shutdown by another method.
1:16:13 PM [Apache] Press the Logs button to view error logs and check
1:16:13 PM [Apache] the Windows Event Viewer for more clues
1:16:13 PM [Apache] If you need more help, copy and post this
1:16:13 PM [Apache] entire log window on the forums
This is what is in httpd-vhosts.conf. I'm trying to setup SSL for loc1.dev.
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName localhost
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs/loc.com/public_html"
ServerName loc.dev
ServerAlias www.loc.dev
<Directory "C:/xampp/htdocs/loc.com/public_html">
AllowOverride All
Require all Granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs/loc1.com/public_html"
ServerName loc1.dev
ServerAlias www.loc1.dev
<Directory "C:/xampp/htdocs/loc1.com/public_html">
AllowOverride All
Require all Granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs/foodharbor.org/public_html"
ServerName foodharbor.dev
ServerAlias www.foodharbor.dev
<Directory "C:/xampp/htdocs/foodharbor.org/public_html">
AllowOverride All
Require all Granted
</Directory>
</VirtualHost>
This is what I have in httpd-ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "C:/xampp/htdocs/loc1.com/public_html"
ServerName www.loc1.dev
ServerAdmin jonathan.najman#gmail.com
ErrorLog "C:/xampp/apache/logs/error.log"
TransferLog "C:/xampp/apache/logs/access.log"
SSLEngine on
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
</VirtualHost>
This is what is in my hosts file (C:\Windows\System32\drivers\etc\hosts).
127.0.0.1 localhost
127.0.0.1 loc.dev
127.0.0.1 loc1.dev
127.0.0.1 foodharbor.dev
Am I missing anything?

I commented out Listen 443 in httpd-ssl.conf (C:\xampp\apache\conf\extra) and now Apache starts and the site is available on https and http. There must already be a directive elsewhere directing Apache to listen on 443 ...
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
#Listen 443

Is Apache compromised? No protocol handler was valid for the URL yandex.ru

I recently received an abuse report from Amazon (AWS) saying that my server was attempting to log in to forums and such. When I look at my error logs, I have lines and lines of:
[proxy:warn] [pid 2916:tid 1668] [client 82.117.234.134:6152] AH01144: No protocol handler was valid for the URL yandex.ru:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1668] [client 120.132.54.62:58004] AH01144: No protocol handler was valid for the URL www.baidu.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1672] [client 188.173.26.212:52049] AH01144: No protocol handler was valid for the URL l9bjkkhaycw6f8f4.soundcloud.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1668] [client 104.199.176.143:56048] AH01144: No protocol handler was valid for the URL www.amazon.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1744] [client 119.97.174.200:3700] AH01144: No protocol handler was valid for the URL zhifu.99.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1712] [client 113.189.16.238:60122] AH01144: No protocol handler was valid for the URL s.youtube.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
My httpd-vhosts.conf is configured with:
<VirtualHost *:80>
ServerName demo.mysite.com
DocumentRoot "D:/sites/mysite/www/"
<Directory "D:/sites/mysite/www/">
AllowOverride All
Require all granted
</Directory>
ProxyPreserveHost On
ProxyPass "/data" "http://localhost:8080/data/"
ProxyPassReverse "/data" "http://localhost:8080/data/"
Header set Access-Control-Allow-Origin "*"
ErrorLog "logs/demo.mysite.com-error.log"
CustomLog "logs/demo.mysite.com-access.log" common
</VirtualHost>
Starting the server for even just a minute creates about 300+ lines of the above logs. This leads me to several questions:
Is my server possibly misconfigured or is it infected with something?
Where should I look to find out how it got like this?
UPDATE/EDIT:
It turns out that I had ProxyRequests On because a tutorial said that I have to have it on for Reverse Proxy to work. It's now turned off (ProxyRequests Off) and everything is fine. Thanks to Configuring mod_proxy for Apache to reject wrong domain requests

Make sure thatyou don't confuse Forward and Reverse Proxies. ProxyRequests On is for Forward Proxies. If you don't configure it properly after that, your server is an open proxy for the world. This is what is causing all of the logs is everyone using your (now) proxy server to access the internet.
For Reverse Proxies, make sure that you have ProxyRequests Off and then follow the rest of the configuration like adding ProxyPass and ProxyPassReverse.
Thanks to Configuring mod_proxy for Apache to reject wrong domain requests for pointing out that it is possible to turn your Apache server into an open proxy on accident.

how to configure apache server to talk to HTTPS backend server?

I configured apache server as a reverse proxy and it works fine if I point a backend server as HTTP. That is:
I configured virtual host 443 like:
ProxyPass /primary/store http://localhost:9763/store/
ProxyPassReverse /primary/store http://localhost:9763/store/
Here users will access the server like https://localhost/primary/store
And this works fine... But I want to configure HTTP server like;
ProxyPass /primary/store https://localhost:9443/store/
ProxyPassReverse /primary/store https://localhost:9443/store/
When I configure like apache server gives 500 internal server error. What am I doing wrong here?
The error I get is:
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, you#example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
In the apache error log it states;
nt: SSLProxyEngine]
[Mon Aug 04 00:03:26 2014] [error] proxy: HTTPS: failed to enable ssl support for [::1]:9443 (localhost)
[Mon Aug 04 00:03:31 2014] [error] [client ::1] SSL Proxy requested for localhost:443 but not enabled [Hint: SSLProxyEngine]
[Mon Aug 04 00:03:31 2014] [error] proxy: HTTPS: failed to enable ssl support for [::1]:9443 (localhost)
[Mon Aug 04 00:03:51 2014] [error] [client ::1] SSL Proxy requested for localhost:443 but not enabled [Hint: SSLProxyEngine]
[Mon Aug 04 00:03:51 2014] [error] proxy: HTTPS: failed to enable ssl support for [::1]:9443 (localhost)
How to configure http server to talk to HTTPS server?

Your server tells you exactly what you need : [Hint: SSLProxyEngine]
You need to add that directive to your VirtualHost before the Proxy directives :
SSLProxyEngine on
ProxyPass /primary/store https://localhost:9763/store/
ProxyPassReverse /primary/store https://localhost:9763/store/
See the doc for more detail.

In my case, my server was configured to work only in https mode, and error occured when I try to access http mode. So changing http://my-service to https://my-service helped.

Am I being hacked?

Here are just a few lines from my Apache 2.0 error_log:
[Sun Nov 25 08:22:04 2012] [error] [client 64.34.195.190] File does not exist: /var/www/vhosts/default/htdocs/admin
[Sun Nov 25 14:14:32 2012] [error] [client 96.254.171.2] File does not exist: /var/www/vhosts/default/htdocs/azenv.php
[Wed Nov 28 03:02:01 2012] [error] [client 91.205.189.15] File does not exist: /var/www/vhosts/default/htdocs/user
[Wed Nov 28 03:44:35 2012] [error] [client 66.193.171.223] File does not exist: /var/www/vhosts/default/htdocs/vtigercrm
[Mon Dec 03 00:09:16 2012] [error] [client 82.223.239.68] File does not exist: /var/www/vhosts/default/htdocs/jmx-console
[Mon Dec 03 20:48:44 2012] [error] [client 221.2.209.46] File does not exist: /var/www/vhosts/default/htdocs/manager
[Thu Dec 06 07:37:04 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Thu Dec 06 07:37:05 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin
[Thu Dec 06 07:37:05 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin
[Thu Dec 06 07:37:06 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/pma
[Thu Dec 06 07:37:06 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/myadmin
[Thu Dec 06 07:37:07 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/MyAdmin
[Thu Dec 13 02:19:53 2012] [error] [client 96.254.171.2] File does not exist: /var/www/vhosts/default/htdocs/judge.php
The most common errors are requests for the "phpMyAdmin" file, and "w00tw00t.at.blackhats.romanian.anti-sec:)".
I can see the IP address that the requests are coming from. But who is "client"?
Thanks,
Shane.

This is just an automatic script deployed by many Script Kiddies looking for a security breach in your apache version/configuration. The signature w00tw00t is usually left by DFind.
Just use a program like fail2ban configured such as this example explains to avoid being flooded by these requests :
https://web.archive.org/web/20160617020600/http://www.userdel.com/post/18618537324/block-w00tw00t-scans-with-fail2ban
This does not necessarily mean you've been hacked, but the server has been scanned for vulnerabilities. However, if you use any of the software that you saw in those logs and it is an older version having known vulnerabilities, you should check your server for unusual files and login activities.

Requests for this are usually sent without a server header. Just create a default virtual host for requests that don't have a server header you expect and blackhole it. Also fun to log broken traffic and do reverse DNS to see if it's coming from another webserver (compromised?) and contact the owner based on whois database. You never know who's running silly scripts from a publicly identifiable server to scan for vulnerabilities and later exploit them over ToR tunnel. Use burner contact information if you don't want to bring attention to yourself.

To follow up on the answer given by #user823629, here is a default virtual host configuration I use on Apache 2.4:
<VirtualHost *:80>
# Default vhost for requests not matching IP or Host of other vhosts
ServerName blackhole
ErrorLog logs/error_log_default
CustomLog logs/access_log_default combined
Redirect 404 /
</VirtualHost>
<VirtualHost *:443>
# Default vhost for requests not matching IP or Host of other vhosts
ServerName blackhole
ErrorLog logs/ssl_error_log_default
CustomLog logs/ssl_access_log_default combined
CustomLog logs/ssl_request_log_default "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Redirect 404 /
</VirtualHost>
It redirects all requests to the default 404 page. SSL requests that do not match any other site will end up at the second VirtualHost definition, and will of course result in a certificate error, but this is expected and fine.
I put this in conf.d and give it a name of conf.d/0_default.conf so that it comes before other vhosts definitions and it is the default virtual host. This can be verified via:
apachectl -t -D DUMP_VHOSTS
or on Redhat/Fedora/CentOS distros:
httpd -t -D DUMP_VHOSTS
Other virtual hosts will match before this default vhost if:
Their IP address and port matches the VirtualHost definition more explicitly (IP-based virtual host), or
The request contains a Host header that matches the request (name-based virtual host). Otherwise, the request will fall back to the default blackhole virtual host defined above.
Be careful with VirtualHost definitions with IP addresses specified. Since these match before the blackhole, the wrong configuration can become the default for that IP. List the specific IPs in the blackhole if necessary.
See http://httpd.apache.org/docs/current/vhosts/details.html for more details on virtual host matching.

Unless you actually use /var/www/vhosts/default/ for hosting a website, this means you have requests going to the default host that are not being caught by your virtualhosts setup.
Disregard for a moment that these are malicious requests, because the underlying reason for these vhosts/default/ errors is you probably have SSL disabled for a virtualhost, & these are HTTPS requests caught up in the default server config.
You can add %v %V %p to your Apache access logging parameters in httpd.conf to see more info on what these requests are & what virtualhost/servername is handling them (%v %V) & on what port (%p) the requests are being made through (typically port 443 if it's HTTPS).
To fix the HTTPS aspect, I'd enable SSL & then put in a RewriteRule to send HTTPS requests to HTTP (if that's the intended behavior). More info about how to do that here.
Otherwise to help with script kiddies, the blackhole mentioned above is the way to go. Just make sure you aren't mistakenly sending legitimate web crawler/spiders requesting HTTPS to the same galactic death -- for instance Googlebot tests legitimate pages via HTTPS since that's the direction Google wants the web to head in.