SSL redirects user to wrong website on apache - apache

I host 100+ websites on 2 different servers. Some of my clients recently have noticed that when they go to https://theirwebsite.com, if they DON'T have SSL on their website, it redirects to the first SSL website in the apache conf file. I did some reading and discovered that SSL websites need their own IP addresses, so I switched the IP addresses of my SSL websites. However, I noticed that the problem is still happening. It's possible that there are still SSL websites that need to be removed or changed in httpd.conf, but is there a way to stop this from happening? Can I find a way to just make websites without https redirect to nothing if https is used?

it redirects to the first SSL website in the apache conf file.
This is because there are 2 sets of virtual hosts you have for apache: 1 that listens on port 80 (non-SSL) and one that listens on port 443 (SSL). Any non-SSL request gets sent to the vhosts that listen on port 80, and any SSL request gets sent to the vhosts that listen on port 443. When a request is made for a host that isn't defined in any of the vhosts, it defaults to the "default" vhost, which becomes the very first one that gets defined (e.g. the first one that appears in your vhost file).
In order to prevent this, you can either have a defined SSL vhost for each of your non-SSL websites, or you can create a new "default" vhost in your SSL file that does nothing but redirect to non-SSL:
RewriteEngine On
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R]
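To make the "first vhost on the port is the default" behaviour in the answer above concrete, here is an added example that is not part of the original answer: a small Python model of how Apache picks a VirtualHost for a request, plus an audit that lists every port-80 site an https request would silently hand to somebody else's 443 vhost. The vhost lists, host names and the `redirect_to_http` flag are constructed for illustration; the flag stands for the catch-all SSL vhost that only carries the RewriteRule from the answer.

```python
"""Added example, not from the original answer: model Apache's VirtualHost
selection to audit vhost ordering. Host names below are placeholders."""
from dataclasses import dataclass


@dataclass
class VHost:
    port: int
    server_name: str
    aliases: tuple = ()
    # Stands for the "default SSL vhost that does nothing but redirect to non-SSL"
    # from the answer (RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R]).
    redirect_to_http: bool = False


def select_vhost(vhosts, port, host):
    """Apache takes the first vhost on the port whose ServerName/ServerAlias
    matches the requested host; if nothing matches, the first vhost defined
    for that port wins (the 'default')."""
    candidates = [v for v in vhosts if v.port == port]
    if not candidates:
        return None
    host = host.lower()
    for v in candidates:
        if host == v.server_name.lower() or host in (a.lower() for a in v.aliases):
            return v
    return candidates[0]


def response_for(vhosts, scheme, host, path="/"):
    """Status and target a request would get: ('200', serving vhost) or
    ('302', Location) when the catch-all redirect vhost answers."""
    port = 443 if scheme == "https" else 80
    v = select_vhost(vhosts, port, host)
    if v is None:
        return ("no-listener", None)
    if v.redirect_to_http:
        return ("302", f"http://{host}{path}")
    return ("200", v.server_name)


def audit(vhosts):
    """Map each port-80 site that has no 443 vhost of its own to the vhost an
    https request for it actually reaches."""
    https_names = {v.server_name.lower() for v in vhosts if v.port == 443}
    report = {}
    for v in vhosts:
        if v.port == 80 and v.server_name.lower() not in https_names:
            landing = select_vhost(vhosts, 443, v.server_name)
            report[v.server_name] = landing.server_name if landing else None
    return report


# Constructed config mirroring the question: one site with SSL, one without.
BEFORE = [
    VHost(80, "first-ssl.example"),
    VHost(443, "first-ssl.example"),
    VHost(80, "plain-http.example"),
]
# The fix from the answer: a catch-all *:443 vhost defined before all others.
AFTER = [VHost(443, "default.invalid", redirect_to_http=True)] + BEFORE

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg), response_for(cfg, "https", "plain-http.example", "/page"))
```

The model deliberately ignores certificates: the TLS handshake completes before any RewriteRule runs, so the browser is shown whatever certificate the catch-all vhost carries and will warn about a name mismatch before it ever follows the redirect. The audit is still useful for finding which sites are exposed to the wrong vhost.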

Related

How to share https connections on port 443 with two different servers

I have a site with two servers, apache2 and Tomcat7.
Apache2 listens to 80, while tomcat7 to 443.
Apache2 is needed to present a Wordpress blog, while Tomcat7 to serve a JSP site.
My virtualhosts scheme in Apache is like this:
http://blog.example.com ---> DefaultRoot for the blog
http://example.com ---> Redirect to https://example.com (where Tomcat listens)
Everything works fine. My original site in JSP always responds in https secure mode, while I have a working Wordpress in my "blog." subdomain.
The problem comes now that I want that blog to interact with https (without any ugly 3rd port in the url if possible).
Making Apache2 listen on 443 will obviously cause a 'port in use' conflict.
Disabling it in Tomcat7 makes no sense, as it has to listen for SSL somewhere.
The question for you is: How would you face it?

Configure WampServer3 to work with AWS Certificate Manager, Application Load Balancer over port 443

Question:
Is it possible to use WampServer3 (Apache, PHP, MySQL) to work with my Application Load Balancer over port 443? If so how?
Issue:
Currently my application load balancer is connected to my instance and I have 2 listeners, Port 80 and Port 443. The listener on port 443 has an SSL Certificate attached to it that was generated by the AWS Certificate Manager.
My target group that is listening on port 80 is healthy and working properly.
My target group that is listening on port 443 is unhealthy and timing out.
I know that port 443 is failing due to the Apache settings but I am not sure how I am supposed to enable the port in Apache.
Based on everything that I have read, Apache requires you to have the physical file and key for the SSL in order for it to allow requests through port 443. I have tried to follow the instructions without those two things but WampServer3 will not restart without them.
I feel like there has to be a way to get this to work but I have hit a wall. Perhaps I am not searching for the right thing, or I am missing an additional module that needs to be used.
TLDR: Because the SSL that is generated by the AWS Certificate Manager cannot be physically downloaded, how can I get it to work with Apache on Windows 10 without having the file or key?
EDIT
So to my understanding I need to not only put the Rewrite code below in my <VirtualHost>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
I also need to put X-Forwarded-Proto: https at the top of my healthcheck.php page before the <html> tag? I'll keep reading about this since I don't fully understand it.
You have a listener on both 80 and 443 on your load balancer. The listener on 443 has the ACM cert.
You also say that you have one target group for each listener - one on 80 which is healthy, and one on 443 which is not.
The simple answer is to use one target group for both listeners. That way the connection to your end user is secure if they come in on 443, and only internal traffic between your ALB and instances uses HTTP. That way the health check will succeed, and your users will be able to use the site.
But that's not what most people really want - they want end-to-end security, and more than likely they want to redirect from port 80 to 443.
To force everyone to use 443, you will need a redirect rule in your apache config that checks to see if the incoming connection was secure. Because SSL is terminated on the ALB, you will need to check one of the X-Forwarded header values (See this) and redirect if, say, X-Forwarded-Port is 80.
To ensure that end-to-end traffic is secure, you can configure your listeners to listen on port 443 instead of port 80. You can use self-signed certificates for this, and I believe that some versions of Linux come with default certs. The ALB will not do certificate validation.
Edit:
In a comment, there was a question on where to put the rewrite code:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
If you have a single entry then this should work. If you have separate entries for port 80 and 443 AND you're using self-signed certs with different listeners, then you would need to put it in the port 80 virtual host entry.
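The RewriteCond/RewriteRule pair in the answer above, expressed as a WSGI middleware so its behaviour behind a TLS-terminating load balancer can be checked without Apache. This is an added example, not code from the answer or from AWS; the hello app, the header values and the host names are constructed placeholders.

```python
"""Added example, not from the original answer: the X-Forwarded-Proto redirect
(RewriteCond %{HTTP:X-Forwarded-Proto} =http / RewriteRule ... [R=permanent])
as a WSGI middleware, with a tiny harness to exercise it."""
from urllib.parse import quote


def https_redirect(app):
    """Send a 301 to the https:// form of the URL when the load balancer says
    the client arrived over plain http. A request without the header (direct
    access, or a check that does not set it) is passed through, exactly as the
    RewriteCond only fires on the literal value 'http'."""
    def middleware(environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
        if proto == "http":
            host = environ.get("HTTP_HOST", "")
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return middleware


def hello(environ, start_response):
    """Placeholder application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def make_environ(proto=None, host="www.example.test", path="/", qs=""):
    """Constructed WSGI environ; proto=None means no X-Forwarded-Proto header."""
    env = {"REQUEST_METHOD": "GET", "HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": qs}
    if proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = proto
    return env


def call(app, environ):
    """Run one request and return (status, headers as dict, body bytes)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = https_redirect(hello)
    print(call(app, make_environ(proto="http", path="/a b", qs="x=1")))
    print(call(app, make_environ(proto="https")))
    print(call(app, make_environ()))
```

The redirect decision rests entirely on a header the instance did not set itself, so it is only meaningful when nothing but the load balancer can reach the instance (the target's security group should admit the ALB alone); anyone who can connect directly can present whatever X-Forwarded-Proto value they like.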
I ended up not using the AWS Certificate Manager at all due to the hurdles that one has to overcome in order to get it to work.
Instead I found a great resource that provides SSL Certificates for free - LetsEncrypt. I would highly recommend this solution for everyone due to the ease of use. Plus they seem to be backed by many reputable companies.

Make Apache NOT listen on port 443 for some domains

I have an Apache server set up to listen on port 80 for a few domains and 443 on two of them (at least that's what I'd want).
So I have my Virtualhost *:443 with "my-ssl-domain.com" and "my-other-ssl-domain.com" ServerName. Both domains also have a Virtualhost *:80 that simply redirects to the HTTPS version using mod_rewrite. I'm using Let's Encrypt for both of them.
I also have multiple (>10) other domains that should only work via HTTP.
What happens is that if I go to "https://www.my-non-ssl-domain.com" browsers complain that there's no valid certificate. Google seems to also index that page and I'd like to avoid it as it seems to be bad SEO.
I'd like it to 301 redirect "https://www.my-non-ssl-domain.com" to "http://www.my-non-ssl-domain.com" or at least not answer at all, as if the domain with HTTPS simply did not exist.
How can I fix this?
There is no way to respond (without warning) to https:// request without the correct certificate, that is just how the protocol works.
There are several options, but none of them might be optimal for you:
Have two public IP addresses, use one for the sites with both http+https, and the other for http only. Then configure Apache to listen on port 443 only for the first one.
Let's Encrypt certs cost (almost) nothing, so just go and get certs for all domain names (even if you for some reason don't want to serve content over https, at least you will be able to properly redirect visitors to the http site)
I am not aware of the SEO consequences, but if you configure a default <VirtualHost *:443> like this (you need to place it so that it is the first VirtualHost :443 loaded by Apache, it is best to put it at the bottom of httpd.conf):
<VirtualHost *:443>
ServerName non.existing_host.noTld
</VirtualHost>
In that case, the clients will not get a certificate mismatch warning (NET::ERR_CERT_COMMON_NAME_INVALID), they will be disconnected due to an SSL protocol error (ERR_SSL_PROTOCOL_ERROR) which may or may not be better for SEO, I really don't know.

Multiple Domains SEO SSL Redirect Avoiding Loop Errors

I have 4 domains in my server:
domain1.com
domain2.net
domain3.com
domain4.net
The primary and SSL enabled is: domain1.com
I tried an SEO permanent 301 redirection of all of them to https://www.domain1.com and it works fine; the problem is that when someone tries to access any secondary domain prefixing it with https the redirection doesn't work.
Example: domain2.net (or any other of those with https prefix) will not redirect to https://www.domain1.com and gets an SSL certificate error.
I believe this is because SSL requests use a different port, 443, and all the Rewrite Rules I made are just for port 80.
Please help!
You get the SSL certificate error because the certificate does not match the name of the accessed server. Any redirects will only be done after establishing the SSL connection, which means you need to have a valid certificate for each domain you want to redirect from.

Apache HTTPD VirtualHost issues on port 443

I'm trying to set up Apache HTTPD to work with Tomcat. Right now I have tomcat up and running and it is working fine (can access the web application by specifying the :8080 in the url). What I want to do is have Apache HTTPD redirect port 80 traffic to 443, have SSL become established, then have it reverse proxy traffic to Tomcat. The port 80 traffic redirect works using the REDIRECT directive (redirecting to https:// www. myregistereddomain.com). For some reason the virtual host directive is not resolving for the 443 traffic. I get an "Invalid method in request \x16\x03\x01" followed by "File does not exist: /usr/local/apache/htdocs/501.shtml" in the apache error_log.
Link pertaining to issue: http://www.noah.org/wiki/Apache2_Invalid_method_in_request_%5Cx16%5Cx03%5Cx01
I have tried changing the virtual host to _default_:443 and *:443, but it still throws the same errors. There are no other VirtualHost directives in the httpd.conf file so I'm not sure how it is not resolving to that virtual host on 443. It was initially "www.mydomain.com:443" and then I tried it by "IP:443", but still same errors. Anyone happen to have any idea what is wrong with the setup or any pointers on how to proceed to troubleshoot it?
Ended up just using nginx. Was much easier to set up and get functioning as a reverse proxy.
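The "Invalid method in request \x16\x03\x01" line in the question above is Apache's plain-HTTP parser logging the first bytes of a TLS record (0x16 is the handshake content type, 0x03 0x01 the record-layer version), which is what you see when a ClientHello reaches a port-443 vhost that is not actually running TLS. As an added example, not from the thread, here is a decoder that turns such error_log lines back into bytes and classifies them; the log line is constructed, and the advice string is the reading given in the linked wiki page.

```python
"""Added example, not from the original question or answers: decode Apache's
\\xNN log escapes and classify what the connection started with."""
import re

# Constructed error_log line in Apache's format (not from the asker's server).
SAMPLE_LOG = r"[Sat Jan 01 12:00:00 2022] [error] [client 192.0.2.10] Invalid method in request \x16\x03\x01"

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape_apache(text):
    """Apache writes non-printable request bytes as \\xNN; reverse that."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")


def classify_request_start(data):
    """Name what the first bytes look like: a TLS handshake record
    (content type 0x16, then record version major.minor) or an HTTP request line."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return f"tls-handshake record, version {data[1]}.{data[2]}"
    if re.match(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]", data):
        return "http-request"
    return "unknown"


def diagnose_log_line(line):
    """Return (kind, advice) for an 'Invalid method in request' line, or None
    when the line is something else."""
    m = re.search(r"Invalid method in request (\S+)", line)
    if not m:
        return None
    kind = classify_request_start(unescape_apache(m.group(1)))
    if kind.startswith("tls-handshake"):
        advice = ("TLS ClientHello reached a plain-HTTP vhost: the VirtualHost "
                  "serving port 443 has no 'SSLEngine on' (or mod_ssl is not loaded), "
                  "so Apache parsed the handshake as an HTTP request line")
    elif kind == "http-request":
        advice = "request line looked like HTTP; the method itself was rejected"
    else:
        advice = "unrecognised request start; inspect the raw bytes"
    return kind, advice


if __name__ == "__main__":
    print(diagnose_log_line(SAMPLE_LOG))
```

Run it over the error_log after any 443 change: a steady stream of `tls-handshake` classifications on port 443 means the listener is up but the vhost is not speaking TLS, which is a configuration problem, not a routing one.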