I'm configuring my Apache server on RHEL5 with httpd 2.2.3. Users authenticate using a smartcard with several certificates, but we want to limit the choices the browser displays to a specific one. We've figured out how to do this by using SSLCADNRequestFile set to a .pem containing the intermediate chain of that specific type of certificate.
The problem is that we have multiple name-based virtual hosts defined on a single IP. It appears that Apache sends the browser the list of certificates it accepts based on the first vhost on that IP, even if the ServerName does not match. So unless I define SSLCADNRequestFile in the first vhost or at the server level, I cannot limit the certificate choices. Additionally, every other vhost is impacted by this setting.
Is there a way to use a name-based vhost and define SSLCADNRequestFile per vhost? My configuration is a little different, so there could be other issues at play; below is roughly my config.
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/private.key
SSLCACertificateFile /etc/pki/tls/certs/root-certs.pem
SSLCADNRequestFile conf.d/certs-email-only.pem
SSLVerifyClient none
SSLVerifyDepth 2
SSLOptions +ExportCertData
DocumentRoot /var/www/mysite
ServerName www.mysite.com
DirectoryIndex main.html
ProxyPass /api/login ajp://localhost:8009/backend/login
ProxyPassReverse /api/login ajp://localhost:8009/backend/login
Alias /login /var/www/login
<Directory /var/www/login>
DirectoryIndex login.html
</Directory>
ProxyPass /logout ajp://localhost:8009/backend/logout
ProxyPassReverse /logout ajp://localhost:8009/backend/logout
<Location /api>
SSLVerifyClient require
ProxyPass ajp://localhost:8009/backend
ProxyPassReverse ajp://localhost:8009/backend
ProxyPassReverseCookiePath /backend /api
ProxyPassReverseCookieDomain localhost www.mysite.com
</Location>
</VirtualHost>
<VirtualHost *:443>
# VirtualHost impacted by the SSLCADNRequestFile in the above vhost
</VirtualHost>
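The handshake, not the Host header, decides what the browser is offered: the list of acceptable CA names travels in the TLS CertificateRequest message, and without SNI httpd has to pick a vhost before it has seen any HTTP request, so on one IP:port it always takes the first one. Per-vhost SSLCADNRequestFile therefore needs SNI, which mod_ssl supports from httpd 2.2.12 on when built against an OpenSSL with TLS extensions; the stock httpd 2.2.3 in RHEL5 predates it. The configuration below is an added example, not the questioner's file: it shows the layout that works on an SNI-capable build, with assumed hostnames (default.example.com, other.mysite.com) and assumed certificate paths alongside the ones from the question.

```apache
# Added example, not the questioner's configuration: per-vhost client CA
# lists on one IP, selected by SNI. Needs httpd >= 2.2.12 built against an
# OpenSSL with TLS extensions; a pre-SNI build (httpd 2.2.3 on RHEL5) would
# use the first vhost below for every name on *:443.
NameVirtualHost *:443

# First vhost: what non-SNI clients (and clients asking for an unknown name)
# get. Hostname and files are assumed.
<VirtualHost *:443>
    ServerName            default.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/default.crt
    SSLCertificateKeyFile /etc/pki/tls/private/default.key
    SSLVerifyClient       none
    # Optional: refuse clients that send no SNI instead of serving them with
    # this vhost's settings (httpd >= 2.2.12).
    # SSLStrictSNIVHostCheck on
</VirtualHost>

# The smartcard site: the advertised CA list comes from the file holding
# only the intermediate of the wanted certificate type, so the card
# middleware offers just that one. Verification still uses the full bundle.
<VirtualHost *:443>
    ServerName            www.mysite.com
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/certificate.crt
    SSLCertificateKeyFile /etc/pki/tls/private/private.key
    SSLCACertificateFile  /etc/pki/tls/certs/root-certs.pem
    SSLCADNRequestFile    /etc/httpd/conf.d/certs-email-only.pem
    SSLVerifyDepth        2
    SSLVerifyClient       none
    SSLOptions            +ExportCertData
    DocumentRoot          /var/www/mysite
    <Location /api>
        # A certificate is requested (via renegotiation) only for this path
        SSLVerifyClient require
    </Location>
</VirtualHost>

# Any other name on the same IP keeps its own settings and no DN list
<VirtualHost *:443>
    ServerName            other.mysite.com
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/other.crt
    SSLCertificateKeyFile /etc/pki/tls/private/other.key
    SSLVerifyClient       none
    DocumentRoot          /var/www/other
</VirtualHost>
```

To see what a given name advertises, run `openssl s_client -connect host:443 -servername www.mysite.com` and read the "Acceptable client certificate CA names" section of its output. Because the example only asks for a certificate under /api, the list is sent during the renegotiation triggered by a request there, not in the initial handshake; for a one-off check, temporarily set SSLVerifyClient optional at vhost level and the DNs appear in the initial handshake. Clients that send no SNI still land in the first vhost, and SSLStrictSNIVHostCheck on there turns them away rather than silently serving them with that vhost's settings.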
I have the Apache conf file below, but after reading a lot, I simply have no clue how to convert it to an OpenLiteSpeed conf file.
It uses a reverse proxy, as I want to have a React site running.
I'm using aaPanel; it does not support Node.js out of the box, but I now have it running, I just can't connect to it (I get a 403 Forbidden page), and I think I "just" need this file converted.
Looking over the documents, I find no similarities to go from, unless someone has a link where I can read about Apache -> OpenLiteSpeed so I can actually understand how to rewrite these lines.
<VirtualHost *:443>
ServerAdmin admin#site_name_dk
DocumentRoot "/www/wwwroot/mysite.dk"
ServerName 443.site_name_dk
ServerAlias mysite.dk
#errorDocument 404 /404.html
ErrorLog "/www/wwwlogs/site_name_dk-error_log"
CustomLog "/www/wwwlogs/site_name_dk-access_log" combined
#SSL
SSLEngine On
SSLCertificateFile /www/server/panel/vhost/cert/site_name_dk/fullchain.pem
SSLCertificateKeyFile /www/server/panel/vhost/cert/site_name_dk/privkey.pem
SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
#DENY FILES
<Files ~ (\.user\.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README\.md|package\.json|package-lock\.json|\.env)$>
Order allow,deny
Deny from all
</Files>
#SSL
ProxyPass /.well-known/ !
# HTTP reverse proxy related settings begin >>>
<IfModule mod_proxy.c>
ProxyRequests Off
SSLProxyEngine on
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
</IfModule>
# End of HTTP reverse proxy related settings <<<
</VirtualHost>
There is also one for port 80, but the only change is the port number, so that is no problem.
So any help, even just getting started, would be appreciated.
I'm stuck with my Apache config
Situation
I have a Node chat web app and a phpmyadmin running on the same debian VPS server. Node runs on :3000 and phpmyadmin on :443.
The server base URL on :443 is currently displaying the phpmyadmin login page, and the chat app can be accessed on IP:3000 (https).
Each has its own SSL cert, and https is working without issues on both of them separately.
Goal
What I'm trying to do is set up an Apache reverse proxy to forward requests from a clean URL (like chat.domain.com) to my Node app while keeping phpmyadmin on its own dedicated subdomain (vps.domain.com).
like so :
internet (chat.domain.com on :443) -> reverse proxy -> node app running on :3000
internet (vps.domain.com on :443) -> reverse proxy -> phpmyadmin
Issue
Redirection does not work at all.
Firefox shows an error page with SSL_ERROR_RX_RECORD_TOO_LONG (ERR_SSL_PROTOCOL_ERROR on Chrome). As far as I understand, it is telling me that I can't redirect to a service running on a different port than :443.
I need secure https for both of my services (phpmyadmin and chat) but can only run one of them on :443, since one is Apache and the other is Node. They each have their own routing system.
What I've considered
I'm not sure if what I'm trying to do is possible with Apache and this setup. I'd like to run my main app on :443, but then PMA would have to be moved to another port. Alternatively, I could run several servers for cleaner separation of services. I could also use Docker containers, but I don't think this should be necessary here.
I'm not sure which solution is the most appropriate. I just wanted to do some basic redirections.
Setup config :
Including relevant information about my config in this section.
Apache version : Apache/2.4.53 (Debian)
rewrite and proxy mods are enabled
apachectl configtest -> Syntax OK
vHosts :
default http -> https redirection
# 000-default.conf
<VirtualHost *:80>
ServerName default.domain.me
Redirect / https://localhost:443
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
reverse proxy vhost
# reverse_proxy.conf
<VirtualHost chat.domain.me:443>
ServerName rproxy.domain.me
# ProxyPreserveHost On
ProxyRequests Off
# chat
ProxyPass / https://localhost:3000/
ProxyPassReverse / https://localhost:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
PMA vhost
# phpmyadmin.conf
<VirtualHost _default_:443>
ServerName phpmyadmin.domain.me
DocumentRoot /usr/share/phpmyadmin
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vps.domain.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vps.domain.me/privkey.pem
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
# Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
Require all granted
# limit libapache2-mod-php to files and directories necessary by pma
<IfModule mod_php7.c>
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
</IfModule>
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
Require all denied
</Directory>
ErrorLog ${APACHE_LOG_DIR}/phpmyadmin/error.log
CustomLog ${APACHE_LOG_DIR}/phpmyadmin/access.log combined
</VirtualHost>
# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite # don't know if secret. didn't include.
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Let me give you some possible solutions.
1) Changing the virtual host tag, i.e., from <VirtualHost chat.domain.me:443> to <VirtualHost _default_:443>
2) Setting the ports.conf file as follows:
Listen 80
Listen 443 https
and executing a2ensite default-ssl
Finally, let me give you an example that I have:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName abc.com
ServerAdmin webmaster#abc.com
<Proxy *>
Require all granted
</Proxy>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8181/
ProxyPassReverse / http://127.0.0.1:8181/
ErrorLog ${APACHE_LOG_DIR}/abc.com.error.log
CustomLog ${APACHE_LOG_DIR}/abc.com.access.log combined
SSLCertificateFile /etc/letsencrypt/live/abc.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
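What Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG is a plaintext HTTP answer on port 443: the reverse_proxy vhost in the question has no SSLEngine on, and its ServerName (rproxy.domain.me) is not the name the browser asks for, so name-based selection cannot pick it either. The backend port is not the problem; Apache proxies to any port. The configuration below is an added example, not the questioner's or the answerer's file: one TLS vhost per public name on the same IP, each with its own certificate, the chat name proxied to Node and the other serving phpMyAdmin directly. It assumes Node listens in plain HTTP on 127.0.0.1:3000 (TLS terminates at Apache), that mod_ssl, mod_proxy_http, mod_rewrite and mod_headers are enabled, and Let's Encrypt paths for chat.domain.me and vps.domain.me.

```apache
# Added example, not from the question or the answer. Assumes Node listens on
# plain HTTP at 127.0.0.1:3000 with TLS terminated here, mod_ssl, mod_proxy,
# mod_proxy_http, mod_rewrite and mod_headers enabled, and Let's Encrypt
# certificates for both names.

# 000-default.conf: send plain HTTP to the same name over https. Only the
# two known names are redirected, so an arbitrary Host header cannot steer
# the redirect (the original sent everyone to https://localhost:443).
<VirtualHost *:80>
    ServerName  default.domain.me
    ServerAlias chat.domain.me vps.domain.me
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^(chat|vps)\.domain\.me$ [NC]
    RewriteRule ^ https://%1.domain.me%{REQUEST_URI} [R=301,L]
    ErrorLog  ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# chat.conf: the vhost in the question had no SSLEngine on, so it answered
# port 443 in plaintext; that is what SSL_ERROR_RX_RECORD_TOO_LONG means.
<VirtualHost *:443>
    ServerName chat.domain.me
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/chat.domain.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chat.domain.me/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyRequests Off
    ProxyPreserveHost On
    # The app sees http from Apache; tell it the client used https so that
    # its redirects and secure cookies come out right
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
    # If Node must keep its own TLS listener instead, proxy to
    # https://127.0.0.1:3000/ with SSLProxyEngine On and a backend certificate
    # Apache can verify (SSLProxyVerify require + SSLProxyCACertificateFile).
    ErrorLog  ${APACHE_LOG_DIR}/chat-error.log
    CustomLog ${APACHE_LOG_DIR}/chat-access.log combined
</VirtualHost>

# vps.conf: phpMyAdmin is served by Apache itself, nothing to proxy
<VirtualHost *:443>
    ServerName vps.domain.me
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/vps.domain.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vps.domain.me/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    DocumentRoot /usr/share/phpmyadmin
    <Directory /usr/share/phpmyadmin>
        DirectoryIndex index.php
        Require all granted
    </Directory>
    ErrorLog  ${APACHE_LOG_DIR}/phpmyadmin/error.log
    CustomLog ${APACHE_LOG_DIR}/phpmyadmin/access.log combined
</VirtualHost>
```

The phpMyAdmin vhost keeps the open_basedir and templates/libraries restrictions from the question unchanged; they are omitted here only for brevity. A request for a name that matches none of the ServerName values is served by whichever *:443 vhost is loaded first, so keep the one you are happiest exposing first in the load order.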
I want to ProxyPass "/" and "/sub-dir" to different targets.
OK, putting two ProxyPass and ProxyPassReverse commands in a block works.
But I need a different* SSLCertificateFile, SSLCertificateChainFile, SSLCertificateKeyFile, SSLVerifyClient and SSLCACertificateFile for each sub-directory.
Using SSLCertificateFile in a block is not allowed, and when using two blocks (with the ProxyPass sub-directory in the first one) "/" is not proxy-passed (I get a "certificate signed by unknown authority" error; when disabling the first block it works).
(* monitoring* is Let's Encrypt for a website, ca_user.crt = self-signed is for general client authentication to the website, server_monitoring* and the corresponding ca_monitoring.crt are for IoT devices = self-signed)
<VirtualHost 0.0.0.0:443>
ServerName my-domain
ServerAlias www.my-domain
ProxyPass /sub-dir/ http://target1:3000/ retry=5 keepalive=on timeout=3600
ProxyPassReverse /sub-dir/ http://target1:3000/
ProxyPass /sub-dir2/ http://target2:3000/ retry=5 keepalive=on timeout=3600
ProxyPassReverse /sub-dir2/ http://target2:3000/
SSLCertificateFile conf/monitoring.crt
SSLCertificateKeyFile conf/monitoring.key
SSLVerifyClient on
SSLCACertificateFile conf/ca_user.crt
</VirtualHost>
<VirtualHost 0.0.0.0:443>
ServerName my-domain
ProxyPass / http://pushprox:8081/ retry=5
ProxyPassReverse / http://pushprox:8081/
SSLCertificateFile conf/server_monitoring.crt
SSLCertificateChainFile conf/ca_monitoring.crt
SSLCertificateKeyFile conf/server_monitoring.key
SSLVerifyClient on
SSLCACertificateFile conf/ca_monitoring.crt
</VirtualHost>
Because only the subdomain (SNI) and not the full URL is transmitted before the TLS handshake the server cannot decide which CA to use. Thus, it is impossible to use a dedicated CA per sub-dir.
With ALPN it would be possible - but the question was just about URL.
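The path cannot select a server certificate or the CA list advertised in the handshake, but it can still decide which CA a client certificate must chain to, because that check runs after the handshake, when the request URL is known. Put both private CAs into one SSLCACertificateFile bundle so either chain verifies, then pin the issuer per <Location> with Require expr. The block below is an added example, not the questioner's configuration; it uses httpd 2.4 syntax, and the issuer CNs 'User CA' and 'Monitoring CA' and the bundle path conf/ca_all.crt are assumptions.

```apache
# Added example, not the questioner's configuration. httpd 2.4 syntax.
# One name, one server certificate (the Let's Encrypt one), one combined
# client-CA bundle, and the issuer pinned per path. The issuer CNs and the
# bundle path are assumptions; build the bundle with
#   cat conf/ca_user.crt conf/ca_monitoring.crt > conf/ca_all.crt
<VirtualHost *:443>
    ServerName  my-domain
    ServerAlias www.my-domain
    SSLEngine   on
    SSLCertificateFile    conf/monitoring.crt
    SSLCertificateKeyFile conf/monitoring.key

    # Every client certificate must chain to one of the two private CAs;
    # both DNs are advertised in the CertificateRequest
    SSLCACertificateFile  conf/ca_all.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Default for the site: the certificate must have been issued by the
    # user CA. Chain verification guarantees that the issuer named in the
    # certificate really signed it, so matching on the issuer is sound.
    <Location />
        Require expr "%{SSL_CLIENT_I_DN_CN} == 'User CA'"
    </Location>

    # IoT endpoint: only certificates from the monitoring CA; a valid user
    # certificate is refused here although the bundle verifies it
    <Location /sub-dir/>
        Require expr "%{SSL_CLIENT_I_DN_CN} == 'Monitoring CA'"
    </Location>

    # Trailing slashes match on both sides of each mapping; the more
    # specific prefix is listed first
    ProxyPass        /sub-dir/ http://target1:3000/ retry=5 keepalive=on timeout=3600
    ProxyPassReverse /sub-dir/ http://target1:3000/
    ProxyPass        /         http://pushprox:8081/ retry=5
    ProxyPassReverse /         http://pushprox:8081/
</VirtualHost>
```

Two consequences to plan for: the IoT devices now have to trust the public CA chain of the Let's Encrypt server certificate rather than the self-signed server_monitoring.crt they were given before, and if the two private CAs happen to share a CN, pin a field that differs (SSL_CLIENT_I_DN_O, or the full SSL_CLIENT_I_DN) instead of the CN.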
I'm trying to hide my Kallithea back-end server (which is useful for managing Git/Mercurial repositories) address by using an Apache rule. I have a URL redirect from https://sub.domain1.com/gitrepos to https://sub.domain2.com/.
At the moment, when I try to access https://sub.domain1.com/gitrepos/path/to/repo, it redirects to https://sub.domain2.com/path/to/repo.
I'm looking for a way to hide the second server's address. I'd like to access https://sub.domain1.com/gitrepos/path/to/repo without being explicitly redirected to https://sub.domain2.com/path/to/repo.
I did some tries with the Apache configuration, but it is not working, and I'm not sure if it is something that I can handle on the back-end server side or if this is something that can be handled on the server that actually redirects.
Here is my current configuration:
<VirtualHost *:80>
ServerName git-domain2.com
ServerAlias git-domain2
Redirect permanent / https://git-domain2.com/
</VirtualHost>
<VirtualHost *:443>
ServerName git-domain2.com
ServerAlias git-domain2
<Proxy *>
Require all granted
</Proxy>
ProxyPreserveHost On
ProxyPass /gitrepos http://domain2.com:5000/ connectiontimeout=20 timeout=300
ProxyPassReverse /gitrepos http://domain2.com:5000/
#kallithea instance
ProxyPass / http://domain2.com:5000/ connectiontimeout=20 timeout=300
ProxyPassReverse / http://domain2.com:5000/
#to enable https use line below
SetEnvIf X-Url-Scheme https HTTPS=1
#LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/domain2.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.com.key
</VirtualHost>
Thanks for any help.
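Two details in the configuration above explain the behaviour. The ProxyPass for /gitrepos has no trailing slash while its target does, so /gitrepos/path is forwarded as //path. And ProxyPassReverse rewrites a Location header only when the header starts with the URL given; the backend is answering with https://sub.domain2.com/..., which http://domain2.com:5000/ never matches, so the redirect reaches the browser untouched. The vhost below is an added example, not the questioner's file: it keeps the question's hostnames and backend port, assumes mod_headers is loaded, and the certificate paths for sub.domain1.com are assumptions.

```apache
# Added example, not the questioner's configuration. Hostnames and the
# backend port follow the question; certificate paths for sub.domain1.com
# are assumed, and mod_headers must be loaded.
<VirtualHost *:443>
    ServerName sub.domain1.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/sub.domain1.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sub.domain1.com.key

    ProxyRequests Off
    <Proxy *>
        Require all granted
    </Proxy>
    # The backend sees the public name in Host and the real scheme, so the
    # URLs it builds point at sub.domain1.com over https
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Both sides end in "/", otherwise /gitrepos/x is sent as //x
    ProxyPass        /gitrepos/ http://domain2.com:5000/ connectiontimeout=20 timeout=300

    # ProxyPassReverse rewrites a Location header only when it starts with
    # the given URL; list every form the backend is known to emit
    ProxyPassReverse /gitrepos/ http://domain2.com:5000/
    ProxyPassReverse /gitrepos/ https://sub.domain2.com/
    ProxyPassReverse /gitrepos/ https://sub.domain1.com/
    ProxyPassReverse /gitrepos/ http://sub.domain1.com/

    # Cookies the backend scopes to "/" must be narrowed to the prefix, or
    # they are sent to everything else served under sub.domain1.com
    ProxyPassReverseCookiePath   / /gitrepos/
    ProxyPassReverseCookieDomain sub.domain2.com sub.domain1.com

    # Nothing outside /gitrepos/ is proxied; the original "ProxyPass /" line
    # also exposed the whole backend at the site root
</VirtualHost>
```

ProxyPassReverse only touches the Location, Content-Location and URI response headers; absolute links inside HTML pages come from the application itself. The durable fix is therefore on the Kallithea side: configure it to be served under /gitrepos (its proxy-prefix setting, assumed here and not shown), proxy with the prefix kept on both ends (ProxyPass /gitrepos/ http://domain2.com:5000/gitrepos/), and drop the extra ProxyPassReverse lines, which would otherwise double the prefix on redirects that already carry it.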
I have a virtual host in Apache that is giving me fits. I am trying to point a secure external URL to a Maximo Java virtual machine within our network via Apache.
Here is my virtual host from the conf file.
<VirtualHost 5.5.5.5:443>
ServerName maximolink.mydomain.com
SSLProxyEngine On
SSLEngine on
# Turn on SSL
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
# Path to DigiCert Certificate
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/certs/DigiCertCA.crt
# Path to gafoc certificate
SSLCertificateFile /etc/httpd/conf/ssl.crt/certs/star_gafoc_com.crt
# Path to SSL key generated during creation of CSR
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/maximolink.mydomain.com.key
ProxyRequests Off
ProxyPreserveHost On
ProxyVia full
EnableSendFile On
EnableMMAP On
RewriteEngine On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Turn on the proxy
ProxyPass / https://internalmaximoserver.mydomain.com:9451/
ProxyPassReverse / https://internalmaximoserver.mydomain.com:9451/
CustomLog /var/log/httpd/ssl-access.log combined
ErrorLog /var/log/httpd/ssl-error.log
<Location />
#ProxyPassReverse /
Order allow,deny
allow from all
</Location>
</VirtualHost>
The result is: when I go to
https://maximolink.mydomain.com/maximo/
some traffic begins to pass between the servers (images, html), but eventually the file paths begin to be requested and passed as
https://maximolink.mydomain.com:9451/maximo/ and I am not sure how to stop the 9451 from being attached to the URL during the passing of the traffic.
Okay, I had to adjust the conf file by having it listen on 9451 and set a named virtual host. Here is the updated code:
Listen 9451
NameVirtualHost 5.5.5.5:9451
<VirtualHost 5.5.5.5:443 5.5.5.5:9451>
ServerName maximolink.mydomain.com
SSLProxyEngine On
SSLEngine on
# Turn on SSL
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
# Path to DigiCert Certificate
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/certs/DigiCertCA.crt
# Path to gafoc certificate
SSLCertificateFile /etc/httpd/conf/ssl.crt/certs/star_gafoc_com.crt
# Path to SSL key generated during creation of CSR
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/maximolink.mydomain.com.key
ProxyRequests Off
ProxyPreserveHost On
ProxyVia full
EnableSendFile On
EnableMMAP On
RewriteEngine On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Turn on the proxy
ProxyPass / https://internalmaximoserver.mydomain.com:9451/
CustomLog /var/log/httpd/ssl-access.log combined
ErrorLog /var/log/httpd/ssl-error.log
<Location />
ProxyPassReverse /
Order allow,deny
allow from all
</Location>
</VirtualHost>
This seems to work. Good Luck!
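Listening on 9451 as well papers over the symptom rather than removing its cause. With ProxyPreserveHost On the backend receives Host: maximolink.mydomain.com and builds its redirects from that name plus its own listening port, giving https://maximolink.mydomain.com:9451/...; the single ProxyPassReverse for the internal name never matches that form, so it is passed to the browser unchanged. The vhost below is an added example, not the answerer's file: the original 443-only vhost with a second ProxyPassReverse for the public-name form, plus verification of the backend's certificate, which SSLProxyEngine On by itself does not do. It keeps httpd 2.2 syntax like the post; the cipher list and the internal CA bundle path (internal-ca.crt) are assumptions.

```apache
# Added example, not the answerer's configuration; httpd 2.2 syntax as in
# the post. The internal CA bundle path and cipher list are assumptions.
<VirtualHost 5.5.5.5:443>
    ServerName maximolink.mydomain.com
    SSLEngine on
    SSLCertificateFile      /etc/httpd/conf/ssl.crt/certs/star_gafoc_com.crt
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/certs/DigiCertCA.crt
    SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/maximolink.mydomain.com.key
    # The post's list still admits RC4 and MEDIUM ciphers
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Speak TLS to the backend and actually verify it; SSLProxyEngine On
    # by itself accepts any certificate presented on 9451
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/conf/ssl.crt/certs/internal-ca.crt

    ProxyPass        / https://internalmaximoserver.mydomain.com:9451/
    ProxyPassReverse / https://internalmaximoserver.mydomain.com:9451/
    # With ProxyPreserveHost On the backend builds redirects from the Host it
    # received plus its own port; rewrite that form as well, so the browser
    # is never sent to :9451 and the port stays closed on the public address
    ProxyPassReverse / https://maximolink.mydomain.com:9451/
    ProxyPassReverse / http://maximolink.mydomain.com:9451/
    ProxyPassReverseCookieDomain internalmaximoserver.mydomain.com maximolink.mydomain.com

    CustomLog /var/log/httpd/ssl-access.log combined
    ErrorLog  /var/log/httpd/ssl-error.log
</VirtualHost>
```

The alternative is ProxyPreserveHost Off: the backend then sees internalmaximoserver.mydomain.com:9451 and builds URLs from it, which the existing ProxyPassReverse already rewrites; which of the two to use depends on whether the application needs the public host name. Either way, header rewriting does not reach URLs embedded in HTML, which is what "file paths" in the pages points at; those need the application itself configured with its public URL.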