I'm having some problems with caching images on my web app. The images are cached after refreshing, but when I reopen the browser it's not cached anymore. I'm using HTTPS, but I'm not sure it's the problem. This is the response from the server:
Response Headers
Accept-Ranges: bytes
Cache-Control: public
Connection: close
Content-Length: 3711
Content-Type: image/png
Date: Mon, 21 May 2012 14:08:46 GMT
ETag: "446b5-e7f-4c0559b8c1c9f"
Expires: Wed, 20 Jun 2012 14:08:46 GMT
Last-Modified: Fri, 18 May 2012 20:43:41 GMT
Server: Apache/2.2.22 (Amazon)
And our httpd.conf
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
ServerName [REMOVED]
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName [REMOVED]
#Force image type
AddType image/png .png
AddType image/jpeg jpeg jpg jpe
AddType font/x-woff .woff
#Cache
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(png|jpg|jpeg|gif)$">
ExpiresDefault "access plus 1 month"
Header set Cache-Control "public"
</FilesMatch>
#Logs
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
#SSL
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile [REMOVED]
SSLCertificateKeyFile [REMOVED]
SSLCertificateChainFile [REMOVED]
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#Proxy
DocumentRoot [REMOVED]
ProxyPreserveHost On
ProxyRequests Off
ProxyPass [REMOVED] http://localhost:8081/[REMOVED]
ProxyPassReverse [REMOVED] http://localhost:8081/[REMOVED]
ProxyPassReverseCookiePath [REMOVED] /
Alias [REMOVED] [REMOVED]
</VirtualHost>
Any clue? Thanks!
The headers are fine. Cache-Control: public and future Expires should do the job.
It seems like it's the browser's decision not to store the cache permanently (that kind of paranoia about HTTPS data is typical), and I don't think you can do anything about that.
Related
I'm trying to configure apache2 for a specific use case. An old web server only runs in HTTP on port 8788. I want to put it behind an apache reverse-proxy (Debian) which will ensure the encryption of exchanges with the client and will make requests to the web server in HTTP/port 8788.
The reverse proxy already works for other web servers and i changed the DNS for oldserver.example.com to point to the reverse-proxy IP address.
Connections to http://oldserver.example.com and https://oldserver.example.com work correctly and display the old server's web page.
But when I try to access http://oldserver.example.com:8788 (I have to keep this access via port 8788 because the link has been posted like this for years) the browser redirects to https://oldserver.example.com:8788 and shows this error:
Secure Connection Failed
In the configuration files and logs below, I replaced the reverse proxy IP address with X.X.X.X; the IP address of the oldserver by Y.Y.Y.Y and the IP addresses of the clients by Z.Z.Z.Z.
When I try with wget, everything seems OK:
wget -v http://oldserver.example.com:8788
--2022-09-14 14:36:15-- http://oldserver.example.com:8788/
Resolving oldserver.example.com (oldserver.example.com)... X.X.X.X
Connecting to oldserver.example.com (oldserver.example.com)|X.X.X.X|:8788... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://oldserver.example.com/ [following]
--2022-09-14 14:36:15-- https://oldserver.example.com/
Connecting to oldserver.example.com (oldserver.example.com)|X.X.X.X|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11628 (11K) [text/html]
Saving to: 'index.html'
index.html.3 100%[=================================================================================================================>] 11.36K --.-KB/s in 0s
2022-09-14 14:36:15 (42.0 MB/s) - 'index.html' saved [11628/11628]
Configuration files
/etc/apache2/sites-available/oldserver.conf :
<VirtualHost *:80 *:8788>
ServerName oldserver.example.com
include /etc/apache2/xyz/general.conf
include /etc/apache2/xyz/redirect-ssl.conf
ErrorLog ${APACHE_LOG_DIR}/error_oldserver.log
CustomLog ${APACHE_LOG_DIR}/access_oldserver.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName oldserver.example.com
ErrorLog ${APACHE_LOG_DIR}/error_oldserver.log
CustomLog ${APACHE_LOG_DIR}/access_oldserver.log combined
include /etc/apache2/xyz/general.conf
include /etc/apache2/xyz/ssl.conf
include /etc/apache2/xyz/revproxy.conf
ProxyPass / http://Y.Y.Y.Y:8788/
ProxyPassreverse / http://Y.Y.Y.Y:8788/
</Virtualhost>
</IfModule>
/etc/apache2/xyz/general.conf :
ServerAdmin system#example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Protocols h2 http/1.1
DocumentRoot /var/www/html
ErrorDocument 500 https://reverseproxy.example.com/
ErrorDocument 503 https://reverseproxy.example.com/
/etc/apache2/xyz/redirect-ssl.conf :
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
/etc/apache2/xyz/revproxy.conf :
ProxyPreserveHost On
ProxyRequests Off
SSLProxyEngine on
/etc/apache2/xyz/ssl.conf:
#####▒| SSL #####
SSLEngine on
Header always set Strict-Transport-Security "max-age=15768000"
SSLCertificateFile /etc/ssl/wildcard.example.com.crt
SSLCertificateKeyFile /etc/ssl/wildcard.example.com.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Logs
Strangely, on the reverse proxy, I have nothing in the /var/log/apache2/error_oldserver.log file but I find traces of the connections in the /var/log/apache2/error.log file:
error.log:[Wed Sep 14 14:43:53.497291 2022] [proxy_http:error] [pid 36806:tid 139808714381056] (20014)Internal error (specific information not available): [client Z.Z.Z.Z:51225] AH01102: error reading status line from remote server Y.Y.Y.Y:8788, referer: https://oldserver.example.com/
I don't have access to the logs of the oldserver.
Thank you in advance for your help.
Add new block with port *:8788 in the same virtual host and add LISTEN 8788 in the same block in virtual host file. And port should be opened from Security Group.
<VirtualHost *:443>
ServerName oldserver.example.com
DocumentRoot /var/www/oldserver.example.com/public
<Directory /var/www/oldserver.example.com>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/www/oldserver.example.com/error.log
CustomLog /var/www/oldserver.example.com/access.log combined
SSLEngine on
SSLCertificateKeyFile /SSL Certificate path/xxx.pem
SSLCertificateFile /SSL Certificate path/xxx.pem
SSLCertificateChainFile /SSL Certificate path/xxx.pem
</VirtualHost>
LISTEN 8788
<VirtualHost *:8788>
ServerName oldserver.example.com
DocumentRoot /var/www/oldserver.example.com/public
<Directory /var/www/oldserver.example.com>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
SSLEngine on
SSLCertificateKeyFile /SSL Certificate path/xxx.pem
SSLCertificateFile /SSL Certificate path/xxx.pem
SSLCertificateChainFile /SSL Certificate path/xxx.pem
</VirtualHost>
I use reverse proxy to show backend server content for a subdomain.
The subdomain.mydomain.com (server A) should display content of server with IP 123.123.123.123 port 1111 (server B).
Virtual host of subdomain.mydomain.com (server A):
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subdomain.mydomain.com
SSLEngine on
SecAuditEngine On
RewriteEngine On
SSLProxyEngine on
ProxyPreserveHost On
LogLevel warn
<Directory />
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Location />
ProxyPass https://123.123.123.123:1111
ProxyPassReverse https://123.123.123.123:1111
</Location>
ErrorLog /var/log/apache2/error.log
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCertificateFile /etc/apache2/cert.site/chain_wildcard_site_combined.crt
SSLCertificateKeyFile /etc/apache2/cert.site/key_wildcard_site.key
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
Virtual host of 123.123.123.123:1111 (server B):
<IfModule mod_ssl.c>
<VirtualHost 123.123.123.123:1111>
DocumentRoot /srv/www/site/htdocs
SSLEngine on
RewriteEngine On
SSLProxyEngine on
ProxyPreserveHost On
LogLevel warn
<Location "/">
Require ip 222.222.222.222
</Location>
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /srv/www/site/htdocs>
Options -Indexes +FollowSymLinks +MultiViews
DirectoryIndex index.php
AllowOverride None
Require all granted
</Directory>
ErrorLog /srv/www/site/log/error.log
CustomLog /srv/www/site/log/access.log combined
CustomLog /srv/www/site/log/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCertificateFile /etc/apache2/cert.site/chain_wildcard_site_combined.crt
SSLCertificateKeyFile /etc/apache2/cert.site/key_wildcard_site.key
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
If I load URL:
https://subdomain.mydomain.com/dir/
it loads successfully.
If I load URL (without trailing slash):
https://subdomain.mydomain.com/dir
it results error page: ERR_CONNECTION_REFUSED.
EDIT1:
I execute command:
curl -IL https://subdomain.mydomain.com/dir
and I get this result:
HTTP/1.1 301 Moved Permanently
Date: Mon, 23 Aug 2021 13:45:13 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains
Strict-Transport-Security: max-age=15768000; includeSubDomains
Location: https://subdomain.mydomain.com:1111/dir/
Content-Type: text/html; charset=iso-8859-1
curl: (7) Failed to connect to subdomain.mydomain.com port 1111: Connection refused
EDIT2:
I added trailing slash
<Location />
ProxyPass https://123.123.123.123:1111/
ProxyPassReverse https://123.123.123.123:1111/
</Location>
But I still get the Connection refused error.
Any idea why is it resulting error, when trailing slash is missing?
Thanks!
Since you used ProxyPreserveHost ON, your ProxyPassReverse should be ProxyPassReverse https://subdomain.mydomain.com:1111/ because this is the Location: header your backend is producing that you need the frontend to fixup.
The backend unfortunately sees no port in the Host: header and picks the port of the local connection. It is a problem that only happens when the default port is used on the frontend + ProxyPreserveHost. ServerName with an explicit port :443 might help on the backend.
You cannot use port 1111 for SSL - it MUST be 443 (modern certificates and CORS do not work or accept different ports)
I am setting up my personal domain and I have this config:
ServerAdmin contact#brentc.in
Listen 80
<VirtualHost *:80>
DocumentRoot "/www/brentc.in"
ServerName brentc.in
ServerAlias www.brentc.in
</VirtualHost>
Listen 443 https
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/opt/rh/httpd24/root/var/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
ServerName brentc.in
ServerAlias www.brentc.in
DocumentRoot /www/brentc.in/
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/brentc.in/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/brentc.in/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/brentc.in/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
ServerName atlassian.brentc.in
ServerAlias www.atlassian.brentc.in
DocumentRoot /www/atlassian.brentc.in/
Options Indexes FollowSymLinks Includes ExecCGI
SSLProtocol all -SSLv2
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /jira/secure/admin/IntegrityChecker.jspa http://localhost:8081/jira/secure/admin/IntegrityChecker.jspa timeout=3600
ProxyPassReverse /jira/secure/admin/IntegrityChecker.jspa http://localhost:8081/jira/secure/admin/IntegrityChecker.jspa
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/brentc.in/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/brentc.in/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/brentc.in/fullchain.pem
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /jira>
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
ProxyPass http://localhost:8081/jira retry=0
ProxyPassReverse http://localhost:8081/jira
SetOutputFilter DEFLATE
</Location>
</VirtualHost>
For the first domain (brentc.in) I can access index.html just fine.
For the second domain (atlassian.brentc.in) it shows the apache sample (test 123) page and when I explicitly go to index.html it says I'm not allowed to access the file.
My file permissions are exactly the same as the working index.html. Am I missing something here?
The atlassian.brentc.in is also a proxy to a behind the scenes tomcat server. My intention is, when you go to atlassian.brentc.in it shows you a landing page. Then from there you can go to atlassian.brentc.in/jira.
The error_log contains this:
[Wed Jun 14 10:43:47.714099 2017] [authz_core:error] [pid 4399] [client <ip>:58299] AH01630: client denied by server configuration: /www/atlassian.brentc.in/index.html
[Wed Jun 14 10:43:47.952670 2017] [authz_core:error] [pid 4399] [client <ip>:58299] AH01630: client denied by server configuration: /www/atlassian.brentc.in/favicon.ico, referer: https://atlassian.brentc.in/index.html
i think you need to add something like this
<Directory "your/sample/directory">
# AllowOverride All # Deprecated
# Order Allow,Deny # Deprecated
# Allow from all # Deprecated
# --New way of doing it this is the important part
Require all granted
</Directory>
I've tried many tutorials how to enable http2 on apache server; e.g.:
http://pixelinc.co/ubuntu-14-04-3-apache-http-2-web-server-setup/
https://www.gatherdigital.co.uk/community/post/how-to-setup-http-2-support/41
https://icing.github.io/mod_h2/howto.html
https://www.youtube.com/watch?v=8OM_eqRAsMM
etc...
But without success.
Here is my configuration:
$ apache2 -v
Server version: Apache/2.4.23 (Ubuntu)
$ apachectl -M
Loaded Modules:
...
http2_module (shared)
...
ssl_module (shared)
...
Here is my /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin info#example.net
DocumentRoot /var/www/html
ServerName example.net
ServerAlias www.example.net
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
Protocols h2 http/1.1
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
When I'm trying load my page (https://example.net) in chrome, I can see this response header:
HTTP/1.1 200 OK
Date: Tue, 09 Aug 2016 12:05:08 GMT
Server: Apache/2.4.23 (Ubuntu)
Upgrade: h2
Connection: Upgrade, Keep-Alive
Last-Modified: Thu, 30 Jun 2016 14:22:30 GMT
ETag: "b18-5367f99a49580-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 538
Keep-Alive: timeout=5, max=100
Content-Type: text/html
Am I Missing something? Can you give me any hints?
Define "doesn't work". I see the upgrade header so looks good to me.
I suspect a problem with HTTPS setup.
Either you're in openssl 1.0.1 and using Chrome (which requires openssl 1.0.2 for ALPN support). Check it in Firefox or Opera to confirm.
Or 2 you're using older ciphers which are blacklisted under http/2. Add the following config to force decent HTTPS config where possible:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+AES128:EECDH+AES256:+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RSA+3DES:!DSS"
Update Ubuntu 14.04 to 16.04 did it!
Have you added Protocols h2 h2c http/1.1 to /etc/apache2/apache2.conf ?
This have worked for me.
Before it was only in the sites-enabled conf.
I have an owncloud setup, and Im trying to make a permanent http redirection to https.
Well my https conf works just fine when i type https://sub.domain.com.
But http://sub.domain.com redirects to debian apache default page.
Im also trying to achieve a proper Strict-Transport-Security HTTP header configuration.
My setup is:
<VirtualHost *:80>
ServerAdmin info#domain.com
ServerName sub.domain.com
ServerAlias www.sub.domain.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
ErrorLog /var/www/owncloud/error.log
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin info#domain.com
ServerName sub.domain:443
DocumentRoot /var/www/owncloud/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/cloud/sub.domain.com.crt
SSLCertificateKeyFile /etc/ssl/cloud/sub.domain.com.key
SSLCertificateChainFile /etc/ssl/cloud/sub.domain.com.ca-bundle
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
The solution was instead of *:80 on the first line, to use sub.domain.com:80.