Elasticsearch with apache2 ssl proxy - ssl

Recently I have been trying to get Elasticsearch to be usable over SSL. This has taken me on a fun route between apache to nginx to apache to nginx and now finally back to apache.
I needed LDAP for authentication which is why I stopped using nginx. I followed this https://gist.github.com/jerrac/0a8bd96e6c42eb84b6f2 for configuring my apache web server. The good thing is that I am able to access it. The bad thing is elasticsearch doesn't work when trying to look for indices. I use elasticsearch-head to make sure it wasn't anything else but it seems like elasticsearch is still being blocked even though I can reach the kibana webpage. Any help would be appreciated.
<VirtualHost *:80>
ServerAdmin systems#example.com
ServerName logstash.example.com
DocumentRoot /var/www/kibana/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/kibana/>
Options -Indexes FollowSymLinks -MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#RewriteRule ^/(.*)$ https://logstash.example.com/$1 [R,L]
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin systems#example.com
ServerName logstash.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
SSLCACertificateFile /etc/ssl/certs/ca-example.cert
#RewriteEngine on
#RewriteCond %{SERVER_NAME} !=logstash.example.com
#RewriteRule ^/(.*)$ https://logstash.eaxmple.com/$1 [R,L]
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
DocumentRoot /var/www/kibana/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/kibana/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [7-9]" ssl-unclean-shutdown
#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#<Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
#</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Proxy http://127.0.0.1:9200>
#<Proxy http://logstash.example.com:9200>
ProxySet connectiontimeout=5 timeout=90
</Proxy>
# Proxy for _aliases and .*/_search
<LocationMatch "^(/_aliases|.*/_search|.*/_mapping|/_nodes)$">
#ProxyPassMatch http://logstash.example.com:9200
#ProxyPassReverse http://logstash.example.com:9200
ProxyPassMatch http://127.0.0.1:9200
ProxyPassReverse http://127.0.0.1:9200
</LocationMatch>
# Proxy for kibana-int/{dashboard,temp} stuff (if you don't want auth on /, then you will want these to be protected)
<LocationMatch "^(/kibana-int/dashboard/|/kibana-int/temp).*$">
#ProxyPassMatch http://logstash.example.com:9200
#ProxyPassReverse http://logstash.example.com:9200
ProxyPassMatch http://127.0.0.1:9200
ProxyPassReverse http://127.0.0.1:9200
</LocationMatch>
</VirtualHost>
</IfModule>


You should be able to do https://myserver/index_name/_search/ with the above configuration, if Kibana is working.
Your LocationMatches only allow very small subsets of information. You can either explicitly list your indexes (e.g., /index1/.*|/index2/.*) or come up with a more flexible mapping (e.g., have a known pattern in the index's name).
<LocationMatch "^/(_aliases|index1/.*|index2/.*|_nodes)$">
It is probably worth noting that it is very dangerous to expose your Elasticsearch database, even if it is using SSL because once you allow unfettered access, then they can fetch all data from them (among other risky operations), which defeats the purpose of encrypting the traffic for the most part.

Related

Redirect using virtual host domain name beginning with https

I am trying to redirect ME.com or www.ME dot com to https://NOTME dot com.
The code below works but when i type https://ME dot com it doesn't go to https://NOTME dot com. i get an error that page is unsecure.
code below:
<VirtualHost *:80>
ServerAdmin admin#ME dot com
ServerName ME dot com
ServerAlias www dot ME dot com
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www dot ME dot com
RewriteRule ^/(.*)$ http://NOTME dot com/$1 [L,R=301]
Redirect permanent / https://NOTME dot com/
DocumentRoot /var/www/xxx/xxx/
<Directory />
Options FollowSymLinks
AllowOverride all
</Directory>
<Directory /var/www/xxxx/xxxxx/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Also note that i set ME.com had an https certificate that i removed which was set at virtual host port 443. Can i also still return the certificate to it?
Also both ME.com and NOTME.com are on the same server IP.

This is how i solved this problem:
<VirtualHost *:443>
ServerAdmin x#ME.com
ServerName ME.com
ServerAlias www.ME.com
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^www.ME.COM/$
RewriteRule ^/(.*)$ https://NOTME.COM/$1 [L,R=301]
Redirect permanent / https://NOTME.COM/
SSLEngine on
SSLCertificateFile /xxxxxxxxxxxx.crt
SSLCertificateKeyFile /xxxxxxxxxxxx.key
SSLCertificateChainFile /xxxxxxxxxxxxxx.crt
Actually the solution was a permanent redirect to NOTME dot com

ProxyPass not overriding .htaccess mod_rewrite

We have an angular app with an apache server which uses .htaccess to rewrite requests to /index.html using
RewriteRule . /index.html [L]
But for a few paths, we want to use /whatever to route to a different domain. However, adding
ProxyPass /whatever whatever.site.com
to sites-enabled doesn't seem to override the .htaccess.
That full file looks like
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
ProxyPass /whatever https://whatever.com
ProxyPassReverse /whatever https://whatever.com
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Any suggestions?
Also, I know for sure that the sites-enabled file above is being used because if I put garbage-text into it the site crashes ;)

Your quoted virtualhost is probably not used for your test request, because proxy would always bypass mod_rewrite rules specified in .htaccess.
Maybe apachectl -S would give you a hint about which vhosts are present / being used. I see this vhost has no ServerName, so unless it's the first or only *:80 it will probably never be used.

.htaccess not working with SSL config

I followed this guide to get a free SSL certificate from StartSSL: https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps
I followed it step by step but I don't actually understand it fully as I'm a newbie.
I have .htaccess which stopped working after I put the below code into my 000-default.conf file:
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
This is what's in my .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^([a-zA-Z0-9\-]+)$ $1.php
ErrorDocument 404 /404error
</IfModule>
^ It's basically to be able to access a page like this domain/page rather than like this: domain/page.php
So as soon as I add the above code from the 000-default.conf file, the rewrite rule works fine. If I add it in, however, I can no longer access files without the .php at the end. My 404 redirect is also not working.
What is it that's causing the problem?

How to redirect subdomains to https main domain in apache

I have some site example.biz. I redirect all http request to https, but how redirect with subdomains(Excluding one host that is in a different configuration file)? I need something like this: If i write bla-bla.example.biz i must redirected to example.biz. But if ololo.bla-bla.example.biz - error. And all this redirection must be to https. To all this, I can not add *.example.biz to ServerAlias, because i have another site adm.example.biz. Now If I write something like any.example.biz, i left on the home page.
Config of example.com:
<VirtualHost *:80>
ServerAdmin i#example.com
ServerName example.biz
ServerAlias www.example.biz
UseCanonicalName On
DocumentRoot /var/www/example/webapps
LogLevel warn
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
ErrorLog ${APACHE_LOG_DIR}/example-error.log
CustomLog ${APACHE_LOG_DIR}/example-access.log combined
</VirtualHost>
https config:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin i#example.com
ServerName example.biz
ServerAlias www.example.biz
UseCanonicalName On
DocumentRoot /var/www/example/webapps/
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/example-error.log
CustomLog ${APACHE_LOG_DIR}/example-access.log combined
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/rockfutur/webapps/rockfutur/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.pem
SSLCertificateKeyFile /etc/ssl/private/example.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

Webmin login keeps looping to session_login.cgi

I've had a working webmin setup on a VPS, however after trying to force it to connect via HTTPS I've done goof somewhere and now whenever I try to login the login page doesn't display correctly (no blue rectange background) and trying to login via https://server1.domain.me:10000 keeps redirecting me to https://server1.domain.me:10000/webmin/session_login.cgi, which is again a login page.
Before it began malfunctioning, I had the following file in /etc/apache2/sites-available
<VirtualHost *:80>
ServerAdmin webmaster#domain.me
ServerName domain.me
ServerAlias www.domain.me
DocumentRoot /var/www/domain.me/
<Directory />
RedirectMatch temp ^/$ /public_html
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/domain.me>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/www/domain.me/redmine>
AllowOverride None
order allow,deny
allow from all
RailsBaseURI /redmine
PassengerResolveSymlinksInDocumentRoot on
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerSignature On
RailsEnv production
RailsBaseURI /redmine
</VirtualHost>
When I tried to force webmin (and owncloud if that matters) to use HTTPS I created a new Virtualhost for port 443 using my SSL keys and updated Virtualhost for port 80 to proxy all http://domain.me/webmin to https://server1.domain.me:10000 (I kept commented-out configs for you to see what I've tried):
<VirtualHost *:443>
ServerAdmin webmaster#domain.me
ServerName server1.domain.me
alias /owncloud /var/www/domain.me/owncloud
DocumentRoot /var/www/domain.me/
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/ssl/ssl.crt/server1_domain_me.crt
SSLCertificateKeyFile /etc/ssl/ssl.crt/server1.key
SSLCACertificateFile /etc/ssl/ssl.crt/COMODORSADomainValidationSecureServerCA.crt
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# <Location /webmin>
# RewriteEngine On
# #RewriteRule (.*) https://server1.domain.me:10000/$1 [R,L]
# ProxyPass https://server1.domain.me:10000/
# ProxyPassReverse https://server1.domain.me:10000/
# </Location>
<Directory /var/www/domain.me/owncloud>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Satisfy Any
<IfModule mod_rewrite.c>
RewriteEngine on
<IfModule mod_ssl.c>
RewriteEngine On
RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/owncloud$
</IfModule>
</IfModule>
</Directory>
# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
# <Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
# </Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerSignature On
</VirtualHost>
and updated my domain.me virtualhost file to:
<VirtualHost *:80>
ServerAdmin webmaster#domain.me
ServerName domain.me
ServerAlias www.domain.me
#SSLEngine On
SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
DocumentRoot /var/www/domain.me/
<Directory />
RedirectMatch temp ^/$ /public_html
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/domain.me>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/www/domain.me/redmine>
AllowOverride None
order allow,deny
allow from all
RailsBaseURI /redmine
PassengerResolveSymlinksInDocumentRoot on
</Directory>
<Location /owncloud>
ProxyPass https://server1.domain.me/owncloud/
</Location>
<Location /server1>
ProxyPass https://server1.domain.me/webmin/
</Location>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerSignature On
RailsEnv production
RailsBaseURI /redmine
#ProxyPassReverse /owncloud https://server1.domain.me/owncloud/
#ProxyPassReverse /webmin https://server1.domain.me:10000/
</VirtualHost>
I also added the lines webprefix=/webmin, webprefixnoredir=1 and referer=domain.me to /etc/webmin/config
However, something is clearly wrong here because I cannot login to webmin at all. I've been searching the web for an answer for the past 5 hours, tried a lot of thing and still no luck.
Any ideas?

There are 4 critical (and undocumented!) keys to get this to work, as I found through much aggravation!
1) When you edit /etc/webmin/config, make sure there is NO WHITE SPACE at the end of the webprefix=/webmin line. That will fix the problem where the login screen formatting is funky.
2) You need to be extremely precise in your use of slashes in your ProxyPass (and they don't match the official documentation!)
ProxyPass /webmin/ http://localhost:10000/
ProxyPassReverse /webmin/ http://localhost:10000/
3) You need to include cookie ProxyPass lines (again not in the documentation!).
ProxyPassReverseCookieDomain /webmin/ http://localhost:10000/
ProxyPassReverseCookiePath /webmin/ http://localhost:10000/
4) When you browse to Webmin, you MUST INCLUDE a trailing slash!
http://your.domain.name/webmin/
* UPDATE *
Pertaining to point 4:
To make sure the trailing slash is always present when you browse to Webmin, add these lines (prior to your proxy pass, if it matters?). With this added, if you forget to add the slash, Apache will simply do it for you:
RewriteEngine On
RewriteRule ^/webmin$ /webmin/ [R]

I had the same problem. I installed webmin set up apache with it, and after login screen, no redirection happened.But #MUHAHA was right. I set up my webmin with no /webmin directory, no nuthin!
I wrote a CNAME redirection rule in my domain provider. CNAME webmin.example.com to my raspberry pi's dynamic-dns service name.
my webmin.conf file in /etc/apache2/sites-enabled/ directory:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName webmin.example.com
ServerAlias webmin.example.com
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
ProxyPassReverseCookieDomain / http://localhost:10000/
ProxyPassReverseCookiePath / http://localhost:10000/
</VirtualHost>
after that i installed webmin... you know! :)
an then thanks to #MUHAHA, i changed that line 4043 in /usr/share/webmin/miniserv.pl file
change
&write_data("Location: $prot://$hostport$in{'page'}\r\n");
to
&write_data("Location: $prot://$host$in{'page'}\r\n");
and everythings peachy! Login redirects to the main page with ease!

#Buvinj
Im afraid, that this isnt enough..
To use proper SSL on Proxy, is needed to disable miniservers SSL
/etc/webmin/miniserv.conf
ssl=0
ssl_redirect=1
cookiepath=/webmin
/etc/webmin/config
webprefix=/webmin
webprefixnoredir=1
There are still problems with redirect after login, so this should help:
on webmin host edit file /usr/share/webmin/miniserv.pl
and on line 4043 replace
&write_data("Location: $prot://$hostport$in{'page'}\r\n");
to
&write_data("Location: $prot://$host$in{'page'}\r\n");
Source:
https://sourceforge.net/p/webadmin/discussion/600155/thread/6eb89f60/
But it doesnt work for me, i am redirected to root context (/) after login, not to /webmin context
EDIT:
$prot is always evaluated as http, even if you have ssl_redirect=1 in miniserv.conf
/usr/share/webmin/miniserv.pl
&write_data("Location: https://$hostport$config{'cookiepath'}$in{'page'}\r\n");
Rewrite rule for Location: in headers should also fix this problem.
EDIT2:
https://github.com/webmin/webmin/issues/350
https://github.com/webmin/webmin/issues/351