Hi all -

I'm trying to set up a new web server under Debian unstable, using Apache 2.0.54. There are no virtual hosts, only the single, default host. I need http: on port 80 and https: on port 443. Certificate and key files are set up and referenced correctly in /etc/apache2/mods-available/ssl.conf (and the symlink exists to this file in /etc/apache2/mods-enabled).

Right now, it's only speaking SSL on *both* ports 80 and 443.

If I try to access it on port 80 via plain http: (http://yoda.malibyte.net *or* http://yoda.malibyte.net:80), I get:


Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Hint: https://yoda.malibyte.net/

Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.0.54 OpenSSL/0.9.7g Server at yoda.malibyte.net Port 443


So, http: requests are getting routed to port 443, which is obviously speaking SSL (as it should - but why are http: requests getting sent there?).

If I try speaking SSL on port 80 (https://yoda.malibyte.net:80) - the request goes through and I get the box asking me if I want to accept the certificate (and if I do, it serves up the page). This also works correctly on port 443 (https://yoda.malibyte.net).


Here are the config files:

/etc/apache2/sites-available/mod-default:

Listen 80
ServerAdmin adm@malibyte.net
ServerName yoda.malibyte.net
DocumentRoot "/var/www/html/"
<Directory />
Options FollowSymLinks
AllowOverride None
AllowOverride Options FileInfo
</Directory>
<Directory "/var/www/html/">
Options Indexes FollowSymLinks MultiViews
# AllowOverride None
AllowOverride Options FileInfo
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin/">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog /var/log/apache2/access.log combined
ServerSignature On

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

A variation of this file with most of the above in a
<VirtualHost *>...</VirtualHost> construct didn't work any better.


And /etc/apache2/mods-available/ssl.conf:

<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/apache2/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/apache2/ssl_mutex
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>

##
## SSL Host Context
##

DefaultType text/html
Listen 443

<VirtualHost _default_>
ServerName yoda.malibyte.net
ServerAdmin adm@malibyte.net
DocumentRoot "/var/www/html"

SSLEngine On

ErrorLog /var/log/apache2/ssl_error.log
TransferLog /var/log/apache2/ssl_access.log
SSLCertificateFile /etc/apache2/ssl/ssl.crt/xxxx.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl.key/xxxx.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin/">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
CustomLog /var/log/apache2/ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
DirectoryIndex index.php index.html
</VirtualHost>

I've Googled this and found a few similar, but not the same, issues; several involve the older Apache 1.3.xx - there are significant differences in the config files.

I'm not finding anything useful in the log files which would give me an idea as to what's up.

I'm sure I'm missing something simple here. If anyone could clue me in, I'd appreciate the help.

Thanks....Bob

Fixed. Why it didn't work last night has me scratching my head, but it
seems to be OK now.


>Subject: Re: SSL on port 80

>Robert:

>Very odd. When I had tried to add the ":443" to the virtual host
>construct last night, it kept on giving me syntax errors. Today it
>worked. Very strange. That was one to the first things I did, and it
>didn't work...but now it is. Hmmmm....I must have had something else
>out of whack as well. Anyway, thanks for getting me to try it again!

>Bob

>On Sat, 9 Jul 2005, Robert N. Waybright wrote:

>> Bob,
>> I am no great Apache guru, but it looks like you may have defined
>> your default virtual host to be SSL (note the SSLEngine On). Mine
>> has a host section plus a _default_:443 section that looks like this:
>>
>> <VirtualHost _default_:443>