Old 09-10-2014, 10:29 PM   #1
Galaxy_Stranger
Member
 
Registered: Oct 2003
Distribution: CentOS 6 and Fedora
Posts: 252

Rep: Reputation: 36
Apache 2.4.10 - Fedora 20 Virtualhost not accepting SSL


Hi.

I'm playing with Apache on Fedora 20, which comes with v2.4.10. I've got the server up and running just fine and the default site works with and without SSL.

Now, I want to set up a Virtualhost. This Virtualhost works fine. But when I go to set it up for SSL, I get no config errors or any feedback and the default site appears under https.

Here's my virtualhost:
http://pastebin.com/LQyMcq2d

Any ideas about what I'm doing wrong?

TIA.
 
Old 09-11-2014, 08:13 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Galaxy_Stranger View Post
But when I go to set it up for SSL, I get no config errors or any feedback and the default site appears under https.
I'm confused. https://mysite.net works?
 
Old 09-11-2014, 05:05 PM   #3
Galaxy_Stranger
Member
 
Registered: Oct 2003
Distribution: CentOS 6 and Fedora
Posts: 252

Original Poster
Rep: Reputation: 36
Thanks for the reply!

Yes, https://mysite.net does work - but it doesn't go to https://mysite.net. It displays the default web page for the server. When I first installed apache, I commented out the contents of welcome.conf and made the default page /var/www/html/index.html.

I set up my certificate and tested this via url. At this point, both http://mysite.net and https://mysite.net both displayed /var/www/html/index.html.

Then, I added a line to the bottom of httpd.conf to include virtualhost files: IncludeOptional conf/*.vhost

and then created mysite.vhost in the conf directory. The pastebin link I posted is the contents of mysite.vhost. Then, I reloaded the config file - and even restarted the server several times just to be sure. Now, http://mysite.net hits the desired page. https://mysite.net hits /var/www/html/index.html.
 
Old 09-11-2014, 05:37 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Galaxy_Stranger View Post
I set up my certificate and tested this via url. At this point, both http://mysite.net and https://mysite.net both displayed /var/www/html/index.html.
Why didn't you stop there?

And I guess it is resolved then?
I'm still confused, but that's nothing new.
 
Old 09-11-2014, 06:05 PM   #5
Galaxy_Stranger
Member
 
Registered: Oct 2003
Distribution: CentOS 6 and Fedora
Posts: 252

Original Poster
Rep: Reputation: 36
I didn't stop there because I'm going to have more virtualhosts. This isn't working the way I expect it to. The base page defined in httpd.conf should be separate from my first virtualhost. That's the problem.

Also, http://localhost should display /var/www/html/index.html. But it displays /web/mysite.

I set up httpd.conf to display /var/www/html/index.html. I confirmed that it did, even with SSL. Then, I wanted to add virtual hosts. It's not acting in any way like it should.

If I access http://localhost and https://localhost, it should display the contents of /var/www/html/. http://mysite.net and https://mysite.net should display /web/mysite/. This is not happening. I didn't have this problem with httpd 2.2.
 
Old 09-11-2014, 06:30 PM   #6
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 724
Quote:
The Problem

The problem with using named virtual hosts over SSL is that named virtual hosts rely on knowing what hostname is being requested, and the request can't be read until the SSL connection is established. The ordinary behavior, then, is that the SSL connection is set up using the configuration in the default virtual host for the address where the connection was received.

While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.

And while it's possible to put multiple hostnames in a modern certificate and just use that one certificate in the default vhost, there are many hosting providers who are hosting far too many sites on a single address for that to be practical for them.
Quote:
As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated. This means that the correct certificate cannot be selected, and clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks.

In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host (on the selected IP address and port) to setup the encryption layer. In certain specific circumstances, it is acceptable to use a single SSL configuration for several virtual hosts. In particular, this will work if the SSL certificate applies to all the virtual hosts. For example, this will work if:

All the VirtualHosts are within the same domain, eg: one.example.com and two.example.com.

You have a wildcard SSL certificate for that domain (one where the Common Name begins with an asterisk, i.e. *.example.com)
Have a look at:
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
https://wiki.apache.org/httpd/NameBasedSSLVHosts
http://httpd.apache.org/docs/current...aq.html#vhosts

Last edited by keefaz; 09-11-2014 at 06:33 PM.
 
Old 09-11-2014, 08:33 PM   #7
Galaxy_Stranger
Member
 
Registered: Oct 2003
Distribution: CentOS 6 and Fedora
Posts: 252

Original Poster
Rep: Reputation: 36
----

Last edited by Galaxy_Stranger; 09-11-2014 at 08:41 PM. Reason: answered too quickly
 
Old 09-11-2014, 09:14 PM   #8
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 724
Quote:
Originally Posted by Galaxy_Stranger View Post
Also, http://localhost should display /var/www/html/index.html. But it displays /web/mysite.

I set up httpd.conf to display /var/www/html/index.html. I confirmed that it did, even with SSL. Then, I wanted to add virtual hosts. It's not acting in any way like it should.

If I access http://localhost and https://localhost, it should display the contents of /var/www/html/. http://mysite.net and https://mysite.net should display /web/mysite/. This is not happening. I didn't have this problem with httpd 2.2.
When virtual hosts are set, httpd reads and matches them before the defined host in main config, see:
Quote:
A ServerName should be specified inside each <VirtualHost> block. If it is absent, the ServerName from the "main" server configuration will be inherited.

When a request is received, the server first maps it to the best matching <VirtualHost> based on the local IP address and port combination only. Non-wildcards have a higher precedence. If no match based on IP and port occurs at all, the "main" server configuration is used.

If multiple virtual hosts contain the best matching IP address and port, the server selects from these virtual hosts the best match based on the requested hostname. If no matching name-based virtual host is found, then the first listed virtual host that matched the IP address will be used. As a consequence, the first listed virtual host for a given IP address and port combination is default virtual host for that IP and port combination.
http://httpd.apache.org/docs/2.4/mod...ml#virtualhost

I too recall that this was different with previous Apache versions.

Last edited by keefaz; 09-11-2014 at 09:19 PM.
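A small model of the matching rule quoted above, added here as an illustration (it is not code from the thread or from httpd itself): it parses constructed vhost blocks and shows why, with only a *:80 vhost defined, an https request falls through to the main server config (and its default SSL certificate), and why http://localhost lands on the first listed *:80 vhost. The sample configs are constructed, and ServerAlias wildcards are not handled.

```python
import re

# Constructed samples, not the OP's pastebin. BROKEN mirrors post #5: only a
# *:80 vhost exists, so the main-server SSL config answers https://mysite.net.
BROKEN_CONF = """
<VirtualHost *:80>
    DocumentRoot /web/mysite
    ServerName mysite.net
</VirtualHost>
"""
# FIXED mirrors post #13: a matching *:443 vhost is added for the same name.
FIXED_CONF = BROKEN_CONF + """
<VirtualHost *:443>
    DocumentRoot /web/mysite
    ServerName mysite.net
    SSLEngine on
</VirtualHost>
"""

def parse_vhosts(conf):
    """Toy parser for <VirtualHost addr:port> blocks (not httpd's real parser).
    Returns dicts in file order, because file order decides the default vhost."""
    hosts = []
    block = r"<VirtualHost\s+([^:\s>]+):(\d+)\s*>(.*?)</VirtualHost>"
    for addr, port, body in re.findall(block, conf, re.S):
        vh = {"addr": addr, "port": port, "names": [], "docroot": ""}
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0] in ("ServerName", "ServerAlias"):
                vh["names"] += [p.lower().split(":")[0] for p in parts[1:]]  # exact names only
            elif parts and parts[0] == "DocumentRoot":
                vh["docroot"] = parts[1]
        hosts.append(vh)
    return hosts

def select_vhost(hosts, local_ip, port, hostname):
    """Apply the 2.4 rule quoted above: best IP:port match first (a literal IP
    beats '*'), then the requested name, else the first listed vhost for that
    IP:port. Returns None when the main server config would serve the request."""
    exact = [h for h in hosts if h["addr"] == local_ip and h["port"] == port]
    candidates = exact or [h for h in hosts if h["addr"] == "*" and h["port"] == port]
    if not candidates:
        return None
    name = hostname.lower().split(":")[0]
    for h in candidates:
        if name in h["names"]:
            return h
    return candidates[0]  # first listed is the default for this IP:port
```

On a real server, `httpd -S` prints the parsed vhost list together with the default vhost for each IP:port, which is the quickest way to confirm what this model predicts for your own config.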
 
Old 09-11-2014, 10:19 PM   #9
Galaxy_Stranger
Member
 
Registered: Oct 2003
Distribution: CentOS 6 and Fedora
Posts: 252

Original Poster
Rep: Reputation: 36
Sorry - I replied too hastily and needed to go through all of those links with a fine-toothed comb. I had run across them before, but I figured they didn't apply to me because everything had worked before in Apache 2.2.

I still don't know what I'm doing wrong.

Ok, one step at a time. In http.conf, I have a line: "Listen *:80"
When I added "Listen *:443" and then restarted, apache wouldn't start. "systemctl -l status httpd.service" says "(98)Address already in use...could not bind to address [::]:443". When "Listen *:443" is removed - I can reach the base site in http.conf via https. I guess that is unrelated.

I've tried adding "SSLStrictSNIVHostCheck" on and off in httpd.conf and that didn't seem to change anything. I really don't know what I'm missing.
 
Old 09-12-2014, 04:43 AM   #10
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 724
One way to enable SSL on the mysite.net virtual host could be to assign the IP and port in the config, like this (say your IP is 192.168.0.1):
Code:
<VirtualHost 192.168.0.1:443>
        DocumentRoot /web/mysite
        ServerName mysite.net
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/server.key
</VirtualHost>
(I noticed you have the same value for serveralias as servername?)
 
Old 09-12-2014, 04:51 AM   #11
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 724
Quote:
Originally Posted by Galaxy_Stranger View Post

Ok, one step at a time. In http.conf, I have a line: "Listen *:80"
When I added "Listen *:443" and then restarted, apache wouldn't start. "systemctl -l status httpd.service" says "(98)Address already in use...could not bind to address [::]:443". When "Listen *:443" is removed - I can reach the base site in http.conf via https. I guess that is unrelated.
I don't think you can use a wildcard for the Listen directive
(I didn't see this ability in the Apache docs).
You either set Listen to a specific port like "Listen 80" or to one IP and port like "Listen 192.168.0.1:80".
When you added *:443 in the main config, was the virtual host with *:443 set?

Quote:
Multiple Listen directives for the same ip address and port will result in an Address already in use error message.
http://httpd.apache.org/docs/current...on.html#listen

Last edited by keefaz; 09-12-2014 at 04:53 AM.
 
Old 09-13-2014, 07:50 PM   #12
Galaxy_Stranger
Member
 
Registered: Oct 2003
Distribution: CentOS 6 and Fedora
Posts: 252

Original Poster
Rep: Reputation: 36
This worked in 2.2 just fine... It certainly won't make it convenient if I ever have to change the IP address of that machine.
 
Old 10-28-2014, 01:00 AM   #13
Galaxy_Stranger
Member
 
Registered: Oct 2003
Distribution: CentOS 6 and Fedora
Posts: 252

Original Poster
Rep: Reputation: 36
[solved]

Ok, I've got it working. Sorry it took me so long to reply - real-life you know...

Anyway, it basically boiled down to virtualhost configuration. I haven't checked, but CentOS 6.5 must be shipping with significantly newer versions of Apache. I had originally installed CentOS 6.2 on my old machine and got it up and running years ago and updated to 6.5 over time. Now, I'm installing 6.5 fresh - and that's probably where the problem was. I'm not exactly sure what the problem actually was, but I'll post my results in case it might help someone.

SNI is installed/configured/used by default. Just install PHP and mod_ssl and you're good to go. At this point, there have been some significant configuration syntax changes which broke my previous config file and vhost definitions. So, I started from scratch and added things in, one feature at a time.

First thing, I commented out welcome.conf. In http.conf, I left the default document root alone. Then, I added any ports to be listened to like so:
Code:
Listen 80
Since SSL is already installed and configured, port 443 does not need to be referenced here. Maybe someone more knowledgeable knows just why. I also added ports for any IP virtual hosts I wanted to use. While troubleshooting, I set ServerName to "localhost". I don't know if this made any difference.

At the bottom of httpd.conf, I added the following lines:
Code:
NameVirtualHost *:80
NameVirtualHost *:443

SSLStrictSNIVhostCheck off
And finally, just to automatically add vhost files I dump in there:
Code:
Include conf/vhost_*
Now, comes the virtual host definitions. This definition includes using SSL:
Code:
<VirtualHost *:80>
    ServerAdmin blah@blah.blah
    DocumentRoot /mnt/site_files
    ServerName site.com
    ErrorDocument 404 /missing.php
    <Directory /mnt/site_files>
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin blah@blah.blah
    DocumentRoot /mnt/site_files
    ServerName site.com
    ErrorDocument 404 /missing.php
    <Directory /mnt/site_files>
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/site.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/site.key
</VirtualHost>
I've placed the virtual host definitions in their own files, so there's no other directives required above. Finally, this is what my IP virtual hosts look like:
Code:
<VirtualHost *:8080>
    ServerAdmin blah@blah.com
    DocumentRoot /mnt/stuff
    ServerName 192.168.1.5:8080
    <Directory /mnt/stuff>
    </Directory>
</VirtualHost>
Before, I had been getting all kind of binding errors and crap. Some of that was due to duplicate settings.

Anyway, I appreciate everyone's attempts to help out - enjoy.

Last edited by Galaxy_Stranger; 10-28-2014 at 01:01 AM.
 