LinuxQuestions.org


mehoggan 06-01-2009 12:44 AM

Clients cannot connect to Apache when using HTTPS to view web pages.
 
Hello all, this is my first post so please take it easy on me. I will try to include all the necessary information; if I leave anything out or include too much please let me know.

I am running Apache (version 2.2.3-22.el5_3.1.i386), OpenSSL (version 0.9.8e-7.el5.i386) and I have downloaded and installed mod_ssl (version 2.2.3-22-el5_3.1.i386).


So here is my problem, I have configured Apache, and SSL (I also have PHP, and MySQL configured). I can start Apache using
# /etc/init.d/httpd start
OR
# service httpd start

If you would like to see that my website is up and running please visit http://www.geoginfo.com to see that Apache is working.

About a week ago I started to configure Apache to work with SSL so that I could get people to submit encrypted data to my server via a form that I created, and you can see by going to http://geoginfo.com/memberform.php.

My problem is if you try to access those web pages (above) via HTTPS by typing https://geoginfo.com for the URL then you will get an Error: 104 (Error Connection Failed)

However, I can connect to that web page on the server (local host) using HTTPS.

I am not sure if this has more to do with Apache or certificates. Anyway, presently I have no errors being generated in my log files, so asking me to post errors would not help. I have a clean working installation of Apache configured almost the way I want it.

Below is my httpd.conf file
### Section 1: General Settings
Include conf.d/*.conf

ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Listen 192.168.1.1:80
Listen 192.168.1.1:443

<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
</IfModule>

<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>

### Section 2: Main Settings
#Apache Directives
User apache
Group apache
AddType application/x-httpd-php .php .php4 .php5#.html .htm
AddHandler php5-script .php
TypesConfig /etc/mime.types
DefaultType text/plain
AddDefaultCharset ISO-8859-1
LogLevel warn

#SSL Directives
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLPassPhraseDialog builtin
SSLMutex default
SSLCryptoDevice builtin

### Section 3: Virtual Hosts
NameVirtualHost 192.168.1.1:80

<VirtualHost www.geoginfo.com:80>
ServerAdmin mehoggan@gmail.com
ServerName www.geoginfo.com:80
DocumentRoot "/mnt/data/geoginfo"
DirectoryIndex index.html index.php
ErrorLog logs/error_log

<Directory />
Options Indexes FollowSymLinks
AllowOverride None
</Directory>

<Directory "/mnt/data/geoginfo">
Options Indexes FollowSymLinks

AllowOverride AuthConfig FileInfo
#AllowOverride None
Order allow,deny
Allow from all
</Directory>

AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
</VirtualHost>

NameVirtualHost 192.168.1.1:443

<VirtualHost www.geoginfo.com:443>

ServerAdmin mehoggan@gmail.com
ServerName www.geoginfo.com:443

DocumentRoot "/mnt/data/geoginfo"
DirectoryIndex index.html index.php

<Directory />
Options Indexes FollowSymLinks
AllowOverride None
SSLRequireSSL
</Directory>

<Directory "/mnt/data/geoginfo">
Options Indexes FollowSymLinks
AllowOverride AuthConfig FileInfo
Order allow,deny
Allow from all
</Directory>

AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# SSL Configuration Part
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLOptions +StrictRequire

SSLProtocol all +SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>

<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>

Issuing the command:
# netstat -tna produces:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:607 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:43391 192.168.1.3:445 ESTABLISHED
tcp 0 0 192.168.1.1:43734 74.125.19.19:80 ESTABLISHED
tcp 0 0 192.168.1.1:57266 74.125.19.19:80 ESTABLISHED
tcp 0 0 :::22 :::* LISTEN

I copied the original certs from /etc/pki/tls/certs which were generated when I used #yum to install ssl into the desired directory which is specified in my httpd.conf file above.

Off the top of my head I can't think of anything else that might help others help me.

So to sum things up, I have a working version of Apache running. Clients and localhost can access my server's web pages using HTTP. However, when clients try to access my server's web pages using HTTPS they get an error 104 in the browser. However, I can access my web pages via HTTPS using localhost on the server itself. I personally believe that it has something to do with certs and keys and SSL, however I am unsure. Please help.

Matthew Hoggan
mehoggan@gmail.com

anomie 06-01-2009 12:57 PM

Something is fundamentally wrong with this picture. 192.168.1.0/24 is a private network. (Read: not routable across the 'net.)

A little investigation reveals:
Code:

%host www.geoginfo.com
www.geoginfo.com has address 99.11.223.198

%nc -zvw 1 99.11.223.198 80
Connection to 99.11.223.198 80 port [tcp/http] succeeded!

%nc -zvw 1 99.11.223.198 443
nc: connect to 99.11.223.198 port 443 (tcp) failed: Connection refused

So:
  • someone is providing NAT for your web server;
  • the NAT device is forwarding tcp 80 traffic to your host;
  • the NAT device is blocking tcp 443 traffic altogether.

Contact your hosting provider (or network admin) to request that tcp 443 connections to 99.11.223.198 are forwarded to your host. That's the glaring problem so far.
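Added example, not part of the thread: a small Python version of the check anomie ran above. It probes a port the way `nc -zvw 1 <host> <port>` does and maps the two observations from the thread (netstat shows 443 in LISTEN on the host, but an outside client cannot connect) to a diagnosis. The listener in `demo_local` and its port are constructed for the demo.

```python
import socket
import threading


def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes within timeout.
    Same observation as nc -z: connection succeeded vs. refused/timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED, timeout, unreachable
        return False


def diagnose(listening_locally, reachable_externally):
    """Classify one port from two facts: does netstat show the daemon bound
    on the host, and can a client outside the NAT complete a connection?"""
    if listening_locally and reachable_externally:
        return "ok"
    if listening_locally:
        return "blocked upstream: NAT/firewall is not forwarding this port"
    if not reachable_externally:
        return "daemon not listening: check Listen/VirtualHost directives"
    return "reachable but not bound here: something else answers this port"


def probe_ports(host, ports, timeout=1.0):
    """Resolve host once, then probe each port (the host + nc steps)."""
    addr = socket.gethostbyname(host)
    return addr, {p: tcp_port_open(addr, p, timeout) for p in ports}


def demo_local():
    """Offline check: open a constructed loopback listener, confirm the probe
    sees it open, close it, and confirm the same port is then refused."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port, constructed for the demo
    srv.listen(1)
    port = srv.getsockname()[1]
    # Accept the probe's connection in the background so it completes cleanly.
    t = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    t.start()
    open_result = tcp_port_open("127.0.0.1", port)
    t.join(2)
    srv.close()
    closed_result = tcp_port_open("127.0.0.1", port)  # nothing listens now
    return open_result, closed_result
```

Run against the thread's facts, `diagnose(True, False)` for port 443 gives the "blocked upstream" verdict, while `probe_ports("www.example", [80, 443])` reproduces the external nc checks from a host outside the NAT.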

mehoggan 06-01-2009 03:10 PM

Derr... Thank you for your help, sometimes I can be so closed minded. I forgot to port forward on my router on port 443. That explains everything.

