|  Topic: Apache virtual host works on port 80 but fails on 443 |  |  
| Author |  |  
| kdwoell 
 
 
 Joined: 24 Aug 2012
 Posts: 7
 
 
 | 
|  Posted: Sat 20 Apr '13 0:29    Post subject: Apache virtual host works on port 80 but fails on 443 |   |  
| 
 |  
| OS: RHEL 6.4 SELinux: permissive mode
 Apache: 2.2, mod_fcgid, mod_suexec, mod_ssl enabled
 Common Name: www.user.dept.university.edu
 (Note: user names, accounts, organizations etc. sanitized)
 
 Junior administrator. I have been trying to figure out why Apache will serve PHP-based web pages over port 80 but not over 443. Here is the virtual host block excerpt from httpd.conf:
 
 	  | Code: |  	  | 
 <VirtualHost *:80>
 ServerName user.dept.univsersity.edu
 ServerAlias user
 DocumentRoot /home/user/public_html/subdirectory
 <IfModule mod_fcgid.c>
 SuexecUserGroup user user
 <Directory /home/user/public_html/subdirectory>
 Options +ExecCGI
 DirectoryIndex index.php index.html
 AllowOverride All
 AddHandler fcgid-script .php
 FcgiWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
 Order allow,deny
 Allow from all
 </Directory>
 </IfModule>
 </VirtualHost>
 | 
 
 Here is the virtual host block excerpt from SSL.conf (I modified the RHEL6 default conf). Per the RH documentation, SSL is now handled via ssl.conf, so there are no 443 related entries for the virtual host in httpd.conf.
 
 
 	  | Code: |  	  | 
 LoadModule ssl_module modules/mod_ssl.so
 SSLPassPhraseDialog  builtin
 SSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)
 SSLSessionCacheTimeout  300
 SSLMutex default
 
 SSLRandomSeed startup file:/dev/urandom  256
 SSLRandomSeed connect builtin
 SSLCryptoDevice builtin
 NameVirtualHost *:443
 
 # IP redacted
 <VirtualHost xxx.xxx.xxx.xxx:443>
 ServerName www.user.dept.university.edu
 DocumentRoot /home/user/public_html/subdirectory
 <IfModule mod_fcgid.c>
 SuexecUserGroup user user
 <Directory /home/user/public_html/subdirectory>
 Options +ExecCGI
 AllowOverride All
 AddHandler fcgid-script .php
 FCGIWrapper /var/www/php-fcgi-scripts/user/php-fcgi-starter .php
 Order allow,deny
 Allow from all
 </Directory>
 </IfModule>
 
 ErrorLog logs/ssl_error_log
 TransferLog logs/ssl_access_log
 LogLevel warn
 SSLEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 SSLCertificateFile /etc/pki/CA/user.crt
 SSLCertificateKeyFile /etc/pki/CA/private/user.key
 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
 SSLOptions +StdEnvVars
 </Files>
 <Directory "/var/www/cgi-bin">
 SSLOptions +StdEnvVars
 </Directory>
 SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 CustomLog logs/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>
 | 
 
 I'm waiting for the commercial SSL cert to arrive, so in the interim I'm using a self-signed OpenSSL cert. I was careful not to forget the "www" prefaced in front of the Common Name when generating the cert, i.e. "www.user.dept.university.edu".
 
 I can access http://localhost via 80 no problems. No errors in Apache and suexec logs.
 When I access https://localhost over 443 I get this browser error:
 
 
  	  | Quote: |  	  | An error occurred during a connection to localhost. 
 SSL received a record that exceeded the maximum permissible length.
 
 (Error code: ssl_error_rx_record_too_long)
 | 
 
 Here is associated Apache error_log entry (but no suexec log errors):
 
 	  | Quote: |  	  | 
 [Thu Apr 18 22:22:49 2013] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
 [Thu Apr 18 22:22:49 2013] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
 | 
 
 When I access the site from the Internet on 80 it works fine. When I access the site from the Internet over port 443 (https://blah blah) I get these errors:
 
 
 	  | Quote: |  	  | 
 Forbidden
 You don't have permission to access / on this server.
 Apache/2.2.15 (Red Hat) Server at www.user.dept.university.edu Port 443
 | 
 
 The Apache log error:
 
 	  | Quote: |  	  | 
 xx.xx.xxx.xxx - - [18/Apr/2013:22:35:25 -0400] "GET / HTTP/1.1" 403 291
 xx.xx.xxx.xxx - - [18/Apr/2013:22:35:25 -0400] "GET /favicon.ico HTTP/1.1" 404 298
 | 
 
 The ssl_error_log:
 
 	  | Quote: |  	  | 
 [Thu Apr 18 22:35:25 2013] [error] [client xx.xx.xxx.xxx] Directory index forbidden by Options directive: /home/user/public_html/subdirectory/
 [Thu Apr 18 22:35:25 2013] [error] [client xx.xx.xxx.xxx] File does not exist: /home/user/public_html/subdirectory/favicon.ico
 | 
 
 I suspect an issue with the virtual host block in ssl.conf. The other possibility is I improperly generated the self-signed cert using the documentation from RH.
 Appreciate any insights!
 |  |  
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Tue 23 Apr '13 10:58    Post subject: |   |  
| 
 |  
| I think you don't load mod_fcgid and then your <directory block isn't working 
 <IfModule mod_fcgid.c>
 |  |  
| kdwoell 
 
 
 Joined: 24 Aug 2012
 Posts: 7
 
 
 | 
|  Posted: Tue 23 Apr '13 15:40    Post subject: |   |  
| 
 |  
| I thought for the 3rd time to carefully compare the vhost block for 80 to the vhost entry in ssl.conf for 443. Somehow I missed this entry in the ssl.conf: 
 
  	  | Code: |  	  | DirectoryIndex index.php index.html | 
 
 For security I included this directive for the port 80 vhost block but must have dropped it during all the nano editing in ssl.conf. So I can access the site now over SSL.
 However, after restart Apache still complains about:
 
 
  	  | Code: |  	  | 
 [root@hostname user]# service httpd restart
 Stopping httpd:                                            [  OK  ]
 Starting httpd: [Sun Apr 21 16:43:21 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
 Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
 Some of your private key files are encrypted for security reasons.
 In order to read them you have to provide the pass phrases.
 
 Server www.user.dept.university.edu:443 (RSA)
 Enter pass phrase:
 
 OK: Pass Phrase Dialog successful.
 [  OK  ]
 | 
 
 |  |  
| James Blond Moderator
 
  
 Joined: 19 Jan 2006
 Posts: 7442
 Location: EU, Germany, Next to Hamburg
 
 | 
|  Posted: Tue 23 Apr '13 16:52    Post subject: |   |  
| 
 |  
| The issue is that the key is still encrypted with a password. So you have to decrypt it with something like 
 
  	  | Code: |  	  | openssl rsa -in your.key -out your.key | 
 |  |  
| kdwoell 
 
 
 Joined: 24 Aug 2012
 Posts: 7
 
 
 | 
|  Posted: Tue 23 Apr '13 18:47    Post subject: |   |  
| 
 |  
| I think you missed the point of my question. 
 
  	  | Quote: |  	  | Starting httpd: [Sun Apr 21 16:43:21 2013] [warn] NameVirtualHost *:443 has no VirtualHosts | 
 
 Why does Apache complain there is no VirtualHosts when clearly ssl.conf has a vhost block?
 
 Regarding the key: for security I want a passphrase? Correct?
 |  |  
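The warning asked about in the last post follows from the posted ssl.conf: it declares `NameVirtualHost *:443` while the only SSL vhost is opened as `<VirtualHost xxx.xxx.xxx.xxx:443>`, and Apache 2.2 only counts a `NameVirtualHost` address as used when a `<VirtualHost>` carries the same address argument. The script below is an added example, not code from the thread, that checks a config for that mismatch. Assumptions: addresses are compared as literal strings (an approximation of Apache's own matching), the function names are hypothetical, and the sample config is constructed, with a documentation address (192.0.2.10) standing in for the redacted IP.

```python
import re

# Constructed sample: the address-bearing directives from the posted ssl.conf,
# with the redacted IP replaced by a documentation address (192.0.2.10).
SSL_CONF = """\
NameVirtualHost *:443
# IP redacted
<VirtualHost 192.0.2.10:443>
ServerName www.user.dept.university.edu
SSLEngine on
</VirtualHost>
"""

NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.I | re.M)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I | re.M)


def audit_name_vhosts(conf_text):
    """Return (orphans, unnamed), comparing address arguments as literal strings.

    orphans: NameVirtualHost addresses that no <VirtualHost> uses, the
             condition reported as "has no VirtualHosts".
    unnamed: <VirtualHost> addresses that have no NameVirtualHost line.
    """
    # Drop comment lines so commented-out directives are not counted.
    lines = [l for l in conf_text.splitlines() if not l.lstrip().startswith("#")]
    text = "\n".join(lines)
    named = [a.lower() for a in NVH_RE.findall(text)]
    used = [a.lower() for args in VHOST_RE.findall(text) for a in args.split()]
    orphans = [a for a in named if a not in used]
    unnamed = sorted({a for a in used if a not in named})
    return orphans, unnamed


def fix_suggestion(orphan, unnamed):
    """Point at the vhost on the same port as the orphaned NameVirtualHost."""
    port = orphan.rsplit(":", 1)[-1]
    same_port = [a for a in unnamed if a.rsplit(":", 1)[-1] == port]
    if same_port:
        return (f"change <VirtualHost {same_port[0]}> to <VirtualHost {orphan}> "
                f"or declare NameVirtualHost {same_port[0]}")
    return f"no <VirtualHost> on port {port}; remove NameVirtualHost {orphan}"


if __name__ == "__main__":
    orphans, unnamed = audit_name_vhosts(SSL_CONF)
    for o in orphans:
        print(f"NameVirtualHost {o} has no VirtualHosts: {fix_suggestion(o, unnamed)}")
```

Running `httpd -S` on the server prints Apache's own view of the parsed virtual host table and is the authoritative check.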