Topic: Apache2 direct IP configuration and weird behaviour |
r00ter
Joined: 02 Aug 2021 Posts: 9
|
Posted: Tue 03 Aug '21 17:23 Post subject: Apache2 direct IP configuration and weird behaviour |
|
|
(I will refer to my domain as example.com for privacy)
So I have my own personal website with HTTPS using Let's Encrypt etc.
One thing I'd like to do with it however is to make connections connecting to the direct IP of it redirect to the domain.
One weird thing I have detected though is that if I connect to the website using the direct IP address with SSL (HTTPS, port 443) it goes to the DirectoryRoot of my normal website, example.com.
Connecting to it with HTTP/Port 80 just goes to the default /var/www/html/ though.
Does anyone know what is happening and what my problem is? If anybody needs to know or see a bit of my configuration just ask ofc. Thanks |
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Tue 03 Aug '21 20:48 Post subject: |
|
|
I guess there is a default vhost catching everything that is called without a domain name. |
r00ter
Joined: 02 Aug 2021 Posts: 9
|
Posted: Tue 03 Aug '21 21:39 Post subject: |
|
|
And what would I do about it? |
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Tue 03 Aug '21 23:05 Post subject: |
|
|
Without you posting your virtual host configurations we can only guess, but I'd suggest the following might help.
These two sample default virtual host definitions are for all non-secure and secure connections, and as James suggests they handle any requests that don't match any specific domain entry virtual host blocks further down the configuration.
Your secure virtual host may include a ServerName entry for your example.com site, rather than all secure sites.
In the non-secure example, I've used mod_rewrite to redirect any non-secure request to the equivalent secure site. You could change that rewrite rule to redirect to your secure example.com site should you wish.
Code: | # Define default non-secure virtual host
#
<VirtualHost *:80>
# Inherit any global mod_rewrite rules
#
RewriteEngine On
RewriteOptions InheritBefore
# Redirect non-secure HTTP requests to HTTPS.
#
RewriteCond %{HTTPS} off
RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [L,NE,R=302]
</VirtualHost> |
In the secure virtual host, I've listed a rewrite rule and condition, that checks if the host header is an IPV4 address, and if so redirects you to a named secure site. This would only be required in a default virtual host, since in practice you can't have a digital certificate with an IP address in the common name field.
Code: |
# Define default secure virtual host
#
<VirtualHost *:443>
# Inherit any global mod_rewrite rules
#
RewriteEngine On
RewriteOptions InheritBefore
# Enable SSL for this virtual host.
#
SSLEngine on
RewriteCond %{HTTP_HOST} ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$
RewriteRule (.*) https://example.com/$1 [L,NE,R=302]
# Other directives
</VirtualHost> |
These example uses of mod_rewrite might help you achieve what you want. |
r00ter
Joined: 02 Aug 2021 Posts: 9
|
Posted: Wed 04 Aug '21 11:02 Post subject: |
|
|
Hello, thanks for your reply; although I am still quite unsure what to do. I have four config files, however, and here they are:
000-default.conf
Code: | <VirtualHost *:80>
ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
DirectoryIndex index.php index.html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
|
default-ssl.conf
Code: | <IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
|
example.com.conf
Code: | <VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin master@example.com
DocumentRoot /var/www/example.com/public_html
<Directory /var/www/example.com/public_html>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
Redirect permanent / https://example.com/
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com [OR]
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
|
And lastly: example.com-le-ssl.conf
Code: | <IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin master@example.com
DocumentRoot /var/www/example.com/public_html
DirectoryIndex indexed-first-page650.php index.php index.html index.htm
<Directory /var/www/example.com/public_html>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/example.com/public_html/downloads>
Options +Indexes
</Directory>
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
ErrorDocument 404 /resurser/status_pages/404.html
ErrorDocument 403 /resurser/status_pages/403.html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
|
Do you see anything about this? And thank you |
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Wed 04 Aug '21 18:24 Post subject: |
|
|
Ok, these config details help.
Looking at your original post, you want to redirect connection requests which are using an IP address, to your secure site domain (example.com for now). Can we also assume you don't want to serve any site content from your non-secure interface?
So the two non-secure virtual host definitions are similar in that they both have the character * (which acts as a wildcard and matches any IP address), and they both have the ServerName www.example.com. So assuming 000-default.conf file is read first, that's the one which will take precedence. Hence, your users get the default content from /var/www/html.
So I'd delete the example.conf file (or rename the conf extension so it's not read), and revise 000-default.conf to contain the following:
Code: | # Define default non-secure virtual host
#
<VirtualHost *:80>
# Inherit any global mod_rewrite rules
#
RewriteEngine On
RewriteOptions InheritBefore
# Redirect non-secure HTTP requests to HTTPS.
#
RewriteCond %{HTTPS} off
RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [L,NE,R=302]
</VirtualHost> |
This will redirect all non-secure requests to the equivalent secure site. I wouldn't bother with the logging entries unless you really want to know who's connecting non-securely.
Next, the two secure virtual host definitions are also similar in that they both have the wildcard character too. So, I'd consider removing the default-ssl.conf file (or rename the conf extension so it's not read), not least of which the snake oil certificates (you're on Ubuntu, yes?) are self-signed, so browsers are going to complain about these anyway.
Then edit your remaining example.com-le-ssl.conf file to include a suitable redirect for connections that aren't using your preferred site names. You've listed ServerName example.com and ServerAlias www.example.com, so assume you've set up Server Alternative Name (SAN) entries in your Let's Encrypt certificate as well.
Here's a suitable rewrite rule, with two conditions for your sample domains, which I'd put near the top of your virtual host block (see https://httpd.apache.org/docs/current/mod/mod_rewrite.html for mod_rewrite details)
Code: | RewriteCond %{HTTP_HOST} !^example.com$ [NC]
RewriteCond %{HTTP_HOST} !^www.example.com$ [NC]
RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302] |
Let us know how you get on. |
r00ter
Joined: 02 Aug 2021 Posts: 9
|
Posted: Wed 04 Aug '21 22:43 Post subject: |
|
|
Hm, okay. So I did as you said. I removed those two configurations files and now I am only left with 000-default.conf and example.com-le-ssl.conf
At first, with 000-default, I changed
Code: | RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [L,NE,R=302] |
to
Code: | RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302] |
Because, with %{HTTP_HOST} it redirected me to the IP but with HTTPS, which is still a problem. Changing it to my actual domain though solved it, and all traffic/requests going to port 80 on my IP redirects now to the actual domain. Though as I said, it still doesn't work on connecting to the IP with HTTPS unfortunately and I am not entirely sure why :/
Here is the full remaining 000-default.conf and example.com-le-ssl.conf:
000-default.conf
Code: | # Define default non-secure virtual host
#
<VirtualHost *:80>
# Inherit any global mod_rewrite rules
#
RewriteEngine On
RewriteOptions InheritBefore
# Redirect non-secure HTTP requests to HTTPS.
#
RewriteCond %{HTTPS} off
RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet |
example.com-le-ssl.conf
Code: | <IfModule mod_ssl.c>
<VirtualHost *:443>
RewriteCond %{HTTP_HOST} !^example.com$ [NC]
RewriteCond %{HTTP_HOST} !^www.example.com$ [NC]
RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]
ServerName example.com
ServerAlias www.example.com
ServerAdmin master@example.com
DocumentRoot /var/www/example.com/public_html
DirectoryIndex indexed-first-page650.php index.php index.html index.htm
<Directory /var/www/example.com/public_html>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/example.com/public_html/downloads>
Options +Indexes
</Directory>
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
ErrorDocument 404 /resurser/status_pages/404.html
ErrorDocument 403 /resurser/status_pages/403.html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule> |
Thank you - I am on Debian (10) Buster by the way. |
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Thu 05 Aug '21 13:36 Post subject: |
|
|
When you say:
r00ter wrote: | It still doesn't work on connecting to the IP with HTTPS unfortunately and I am not entirely sure why :/ |
What exactly do you mean?
Do you mean a client connecting with https://example.com doesn't work, or what?
What if any response does the client browser get (check with SHIFT+CONTROL+I)?
What if any error messages are logged by Apache? |
r00ter
Joined: 02 Aug 2021 Posts: 9
|
Posted: Thu 05 Aug '21 19:26 Post subject: |
|
|
Sorry if I am unclear, this is what I mean:
If I connect directly to the IP with port 80 (HTTP) I get redirected to port 443 of example.com, the HTTPS version of example.com, same with if I connect to example.com with port 80 (HTTP), it redirects me to HTTPS example.com.
But if I connect to the IP directly on port 443 (HTTPS), it has a revoked certificate and doesn't redirect to example.com (it still says the IP in the URL box), though it is also in the example.com DocumentRoot.
Just ask if I need to elaborate more or if I was unclear, thanks
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Thu 05 Aug '21 22:33 Post subject: |
|
|
Ok, so https://example.com works ok, but https://a.b.c.d doesn't (where a.b.c.d is your server IP address). This brings up a browser error about the certificate (mis-matched, revoked or otherwise). Well that's to be expected, and is as it should be.
When connecting to your secure site, the client browser will expect the X509 certificate Common Name (CN) to match the domain name in the request URL, example.com in your case. Further, if your certificate contains additional Server Alternative Name (SAN) entries, then any of them should be accepted too, e.g. www.example.com. You may have chosen to set up a wildcard certificate to cover multiple subdomains as well.
Either way, X509 certificates do not support IP address entries for the common name. So if the domain name in the request URL doesn't match any of the entries in the site certificate, then expect the browser to complain.
You can of course add an exception to the certificate challenge, assuming your browser allows it. That way you will be able to connect using an IP address should you wish. |
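
The behaviour reported in this thread (https://a.b.c.d serving the example.com DocumentRoot without redirecting) can be reproduced with a small model of Apache's name-based virtual host selection and of the rewrite conditions posted above; this is an added example, not code from any poster or from Apache. It is a simplified Python model that assumes one listening address and Host headers sent without a port, and 203.0.113.10 is a constructed stand-in for a.b.c.d.

```python
import re

DOCROOT = "/var/www/example.com/public_html"
# Constructed model of the two vhosts left at the end of the thread, in load order.
# Assumptions: one listening IP, exact-match names, Host header sent without a port.
VHOSTS = [
    {"file": "000-default.conf", "port": 80, "names": [], "docroot": None,
     "engine": True, "not_host": []},
    {"file": "example.com-le-ssl.conf", "port": 443, "docroot": DOCROOT,
     "names": ["example.com", "www.example.com"],
     "engine": False,  # as posted: the block has no "RewriteEngine On"
     "not_host": [r"^example.com$", r"^www.example.com$"]},  # negated, [NC]
]

def select_vhost(port, host, vhosts):
    """ServerName/ServerAlias match wins; otherwise the first vhost on the port."""
    on_port = [v for v in vhosts if v["port"] == port]
    for v in on_port:
        if host.lower() in v["names"]:
            return v
    return on_port[0]

def respond(port, host, path, vhosts=VHOSTS):
    """Return (status, redirect target or DocumentRoot) for one request."""
    v = select_vhost(port, host, vhosts)
    m = re.match(r"^/(.*)$", path)  # RewriteRule pattern used in the thread
    # RewriteCond lines are ANDed; each one here is "Host does NOT match".
    conds_ok = all(not re.search(p, host, re.I) for p in v["not_host"])
    if v["engine"] and m and conds_ok:
        return 302, "https://example.com/" + m.group(1)
    return 200, v["docroot"]

def with_engine_on(vhosts=VHOSTS):
    """Same vhosts, with 'RewriteEngine On' present in every block."""
    return [dict(v, engine=True) for v in vhosts]

if __name__ == "__main__":
    ip = "203.0.113.10"  # constructed documentation address standing in for a.b.c.d
    for label, cfg in (("as posted", VHOSTS), ("engine on", with_engine_on())):
        for port, host in ((80, ip), (443, ip), (443, "example.com")):
            print(label, port, host, respond(port, host, "/downloads/", cfg))
```

mod_rewrite is off by default and is not inherited by virtual hosts, so the conditions in the posted *:443 block only take effect once RewriteEngine On is in that block. The redirect is sent only after the TLS handshake completes, so the certificate warning for https://a.b.c.d described above still appears first.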