Apache2 is redirecting to https - ssl

I installed SSL (stupidly) to encrypt the data being sent, the only trouble was my subdomain was redirecting to my main. I changed my default virtual host back to the original settings and also typed a2dismod ssl. Now whenever I type in www.domain.com it redirects to https://www.domain.com and then says SSL Connection Error.
I'm hoping to either get SSL working on the main+sub or just remove completely. Has anyone got any idea why it's redirecting to Https?
My VirtualHosts file is:
<VirtualHost *:80>
ServerName www.domain.com
DocumentRoot /var/www/folder
#SSLEngine on
#SSLCertificationFile /etc/apache2/ssl/apache.crt
#SSLCertificationKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
<VirtualHost *:80>
ServerName sub.domain.com
DocumentRoot /var/www/sub
#SSLEngine on
#SSLCertificationFile /etc/apache2/ssl/apache.crt
#SSLCertificationKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
Now if I un-comment the lines with # on and change *:80 to *:443 it redirects to the main site with SSL enabled...

You are enabling mod_ssl (with the "SSLEngine on" directive) on an HTTP Virtual Host on TCP/80. You need to set up different Virtual Hosts bound to the TCP/443 port, and only enable mod_ssl on these.
Otherwise, mod_ssl expects an HTTPS connection on port 80 and, seeing that your browser is speaking HTTP, tries to redirect the browser to https://www.domain.com.

Related

What is the correct way of having apache redirect to https AND tomcat (port 8080) at the same time

I know similar questions have been asked a lot already, and I feel like I read all of them 12 times. Every time the answer is slightly different, and I tried virtually all combinations, but still cannot get it to work...
So, I have an Apache and a Tomcat running in a FreeNAS jail (so running FreeBSD). I used Certbot to get an SSL certificate for my domain. Let's call that example.com. In my router, I opened ports 80 and 443.
Now, I want users to just enter either 'www.example.com' or 'example.com' in their browser, and land on 'https://www.example.com' and port 8080.
I found that to accomplish this, I need to configure my apache Virtual Hosts file. However, as I said, I found many different things to put in there, and none of them seem to be exactly the right ones. Here is what I have now:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
# ProxyPreserveHost On
# ProxyRequests Off
# ProxyPass / http://localhost:8080/
# ProxyPassReverse / http://localhost:8080/
# Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /usr/local/etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /usr/local/etc/letsencrypt/live/example.com/chain.pem
ServerName www.example.com
ServerAlias example.com
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
I also added this into the Tomcat server.xml:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8080"
proxyName="www.example.com"
proxyPort="80"/>
So, my questions are these:
Does it matter which one has www, ServerName or ServerAlias? Because I've seen both.
Should I have Apache listen on port 80 or 433?
How can I verify if Apache and Tomcat are listening on the right ports? Before, I had this in a CentOS VPS, and there it was with 'netstat -tulpn'. (I didn't have SSL yet back then.)
At one point, I had it almost working: entering example.com was properly redirected to https://www.example.com/ on port 8080 because I reached the website running in Tomcat. If I then removed the 's' in the URL, it did not redirect to https again. Also, I should have saved that exact config because I cannot find it back...
I will be so thankful for any answer I get. Thanks a lot in advance.
Reygok
Let's go through your questions:
Does it matter which one has www, ServerName or ServerAlias?
Use the canonical hostname in ServerName, and in ServerAlias the aliases pointing to your CNAME. Choose which name you want to advertise to the users.
Should I have Apache listen on port 80 or 443?
You must do both because Let's Encrypt requires port 80 to be open, so HTTPd has to do Listen *:80 and Listen *:443.
How can I verify if Apache and tomcat are listening on the right ports?
FreeBSD magic: sockstat -46
Now to your setup:
Assumptions: HTTPd and Tomcat run on the same host and Tomcat listens on localhost.
Tomcat's server.xml:
<Connector address="localhost" port="8080" redirectPort="443" ... />
I never needed the proxy* attributes, just used this in the <Host />:
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
the access log valve will require: requestAttributesEnabled="true"
HTTPd:
<VirtualHost *:80>
Redirect permanent / https://{hostname}/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
In your web.xml you set Tomcat to redirect HTTP to HTTPS: http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/securityConfiguration/modifyingWebxmlEnableHTTPS.htm

apache redirects automatically to https when virtualhost is configured on port 80

I have one apache server with one SSL-certificate installed, and I set up these virtualhosts in the httpd.conf
<VirtualHost *:80>
ServerName subdomanin.DOMAIN_A.com
DocumentRoot "/var/www/html/XXXXXXXXXXXXXXXXXXXXXXXX"
</VirtualHost>
<VirtualHost *:443>
ServerName DOMAIN_A.com
DocumentRoot "/var/www/html/XXXXXXXXXXXXXXXXXXXXXXXX"
SSLEngine on
SSLCertificateKeyFile XXXXXXXXXXXXXXXXXXXXXXXX
SSLCertificateFile XXXXXXXXXXXXXXXXXXXXXXXX
SSLCertificateChainFile XXXXXXXXXXXXXXXXXXXXXXXX
</VirtualHost>
Every time I try to reach http://subdomain.DOMAIN_A.com with my browser, it redirects me to port 443, with https before the address. The certificate doesn't work with the subdomain and I receive an error.
I don't understand how to access the subdomain on port 80 by default and not be redirected on port 443.
Kindly confirm whether there is any virtual host entry of subdomanin.DOMAIN_A.com in SSL.conf. If there is any, then you have to remove it and restart the services.
You can test the following:
1- Try to set different documentRoot
2- Restart apache2
3- Clear browsing cache
4- Look at apache log file if there is any error

Error redirect domain with https to another domain

I cannot redirect from one domain to another if there is https in the URL.
That is, I have to handle all the requests made on the domain http://www.mywebsite1.net that must be redirected to the domain https://www.mywebsite2.com
With this I manage it safely via htaccess with this code:
RewriteEngine on
RewriteRule ^(.*)$ https://www.mywebsite2.com/$1 [R=301,L]
The problem is that if a URL arrives with https://www.mywebsite1.net, this error page is shown:
NET::ERR_CERT_COMMON_NAME_INVALID
because the SSL certificate is no longer installed on the old domain. So how do I handle this problem?
I hope I was clear enough.
Thank you
Take a look into SNI, Server Name Indication. If the browser supports it, you can create VHosts according to your needs (Details: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI)
# Ensure that Apache listens on port 443
Listen 443
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
<VirtualHost *:443>
# Because this virtual host is defined first, it will
# be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
# SNI.
DocumentRoot /www/example1
ServerName www.mywebsite1.net
# Other directives here
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /www/example2
ServerName www.mywebsite2.com
# Other directives here
</VirtualHost>
All modern browsers support this feature. If they don't, you're stuck, since the HTTP-Header Part is encrypted, there is no way to choose the correct vhost early enough.
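A simplified model of what happens to an `https://` request in the redirect question above (and in the earlier subdomain question): the server picks a vhost from the SNI name, the browser checks the presented certificate against the hostname, and only then can a redirect be sent. This is an added example, not code from the posts; the vhost table, certificate names and helper functions are constructed, and ServerAlias matching is left out.

```python
# Simplified model (constructed data): the *:443 vhosts in definition order,
# the names on each certificate, and what the vhost does after the handshake.
VHOSTS = [
    {"server_name": "www.mywebsite2.com",
     "cert_names": ["www.mywebsite2.com", "mywebsite2.com"],
     "action": "serve site"},
]
# Hypothetical extra vhost: the old domain with its own valid certificate.
OLD_DOMAIN_VHOST = {
    "server_name": "www.mywebsite1.net",
    "cert_names": ["www.mywebsite1.net"],
    "action": "301 -> https://www.mywebsite2.com/",
}


def name_matches(host, pattern):
    """Certificate name check: exact match, or '*' as the whole leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]


def select_vhost(vhosts, sni):
    """Name-based selection: matching ServerName, else the first vhost defined."""
    for vh in vhosts:
        if sni and vh["server_name"].lower() == sni.lower():
            return vh
    return vhosts[0]


def https_request(vhosts, host):
    """Return what the browser ends up with for https://<host>/."""
    vh = select_vhost(vhosts, host)
    if not any(name_matches(host, n) for n in vh["cert_names"]):
        # Name validation fails during the handshake, so the HTTP layer
        # (and any RewriteRule or Redirect) is never reached.
        return "certificate error: presented %s" % vh["cert_names"]
    return vh["action"]
```

With only the new domain's vhost defined, `https_request(VHOSTS, "www.mywebsite1.net")` ends in a certificate error; adding a vhost with a certificate valid for the old name is what lets the 301 be delivered.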

Debian 8 - SSL Certificate is not working

I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA Bundle, Key and Certificate) from 123-reg and I followed Linode's instructions to setup the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
# All of the files here exist on the server
SSLEngine On
SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?
You need a VirtualHost which is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on Port 80 while having SSLEngine On.
In order to get https working you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would not have a configuration that handles http connections to (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally two ways to go to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
ServerName zetec-it.com
ServerAlias www.zetec-it.com
RewriteEngine on
RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well
<VirtualHost *:80>
# All of the files here exist on the server
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two config files, the https one (which is basically your example from above, remember to replace 80 with 443) and one for http which I gave you 2 examples for.
You can put them into separate files, remember to activate them in this case.
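A small check for the misconfiguration discussed in this answer and in the first answer on the page (SSLEngine on inside a port-80 vhost), plus the reverse case of a port-443 vhost with no TLS enabled. This is an added example, not code from the posts; the sample configuration is constructed, and treating 443 as the only HTTPS port is an assumption taken from the setups on this page.

```python
import re

# Constructed sample: a port-80 vhost with SSLEngine On (as in the question),
# a port-443 vhost that never enables TLS, and a plain HTTP vhost.
SAMPLE_CONF = """\
<VirtualHost *:80>
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/example.crt
    ServerName example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /var/www/example
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.test
    #SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def directives(body):
    """Return {lowercased directive: argument string}, skipping comment lines."""
    found = {}
    for line in body.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found


def lint_vhosts(conf):
    """Flag vhosts whose port and SSLEngine setting disagree (443 assumed HTTPS)."""
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        d = directives(body)
        name = d.get("servername", "(no ServerName)")
        port = addr.split()[0].rpartition(":")[2]
        tls_on = d.get("sslengine", "off").lower() == "on"
        if tls_on and port != "443":
            findings.append((name, port, "SSLEngine on outside port 443"))
        elif port == "443" and not tls_on:
            findings.append((name, port, "port 443 without SSLEngine on"))
        elif tls_on and "sslcertificatefile" not in d:
            findings.append((name, port, "SSLEngine on without SSLCertificateFile"))
    return findings
```

Run `lint_vhosts()` over the text of each enabled site file before reloading Apache; an empty list means every vhost's port and TLS setting agree.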

Two Security Certificates on a Single IP with Apache's mod_gnutls

My understanding is there is a problem with having multiple certificates on a single IP as SSL is negotiated before HTTP happens, however what we can do is Service Name Indication (SNI) in TLS to get around this. According to the SNI wikipedia page both Apache 2 modules mod_ssl and mod_gnutls support this extension and also numerous web clients.
I have been trying to use mod_gnutls on centos 5. I have two separate certificates for two domains but only 1 IP. Each works independently but when I put both into the config at once only the first will work. Any https connection on domain2 shows domain1's certificate.
My config looks like this:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.domain1.com
ServerAlias www.domain1.com
DocumentRoot /var/www/html/domain1
GnuTLSEnable on
GnuTLSCertificateFile /etc/pki/tls/certs/www.domain1.crt
GnuTLSKeyFile /etc/pki/tls/domain1/private.key
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/domain2
ServerName www.domain2.com
ServerAlias www.domain2.com
GnuTLSEnable on
GnuTLSCertificateFile /etc/pki/tls/certs/domain2.crt
GnuTLSKeyFile /etc/pki/tls/domain2/private.key
</VirtualHost>
Any ideas? Really been scratching my head over this.
Many thanks