Topic: Apache2 direct IP configuration and weird behaviour
r00ter
Joined: 02 Aug 2021
Posts: 9

Posted: Tue 03 Aug '21 17:23    Post subject: Apache2 direct IP configuration and weird behaviour

(I will refer to my domain as example.com for privacy)

So I have my own personal website with HTTPS using Let's Encrypt etc.

One thing I'd like to do with it however is to make connections connecting to the direct IP of it redirect to the domain.

One weird thing I have detected though is that if I connect to the website using the direct IP address with SSL (HTTPS, port 443) it goes to the DirectoryRoot of my normal website, example.com.

Connecting to it with HTTP/Port 80 just goes to the default /var/www/html/ though.

Does anyone know what is happening and what my problem is? If anybody needs to know or see a bit of my configuration just ask ofc. Thanks

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Tue 03 Aug '21 20:48

I guess there is a default vhost catching everything that is called without a domain name.

r00ter
Joined: 02 Aug 2021
Posts: 9

Posted: Tue 03 Aug '21 21:39

And what would I do about it?

tangent
Moderator
Joined: 16 Aug 2020
Posts: 305
Location: UK

Posted: Tue 03 Aug '21 23:05

Without you posting your virtual host configurations we can only guess, but I'd suggest the following might help.

These two sample default virtual host definitions are for all non-secure and secure connections, and as James suggests they handle any requests that don't match any specific domain entry virtual host blocks further down the configuration.

Your secure virtual host may include a ServerName entry for your example.com site, rather than all secure sites.

In the non-secure example, I've used mod_rewrite to redirect any non-secure request to the equivalent secure site. You could change that rewrite rule to redirect to your secure example.com site should you wish.

Code:
# Define default non-secure virtual host
#
<VirtualHost *:80>
  # Inherit any global mod_rewrite rules
  #
  RewriteEngine On
  RewriteOptions InheritBefore

  # Redirect non-secure HTTP requests to HTTPS.
  #
  RewriteCond %{HTTPS} off
  RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [L,NE,R=302]

</VirtualHost>

In the secure virtual host, I've listed a rewrite rule and condition, that checks if the host header is an IPv4 address, and if so redirects you to a named secure site. This would only be required in a default virtual host, since in practice you can't have a digital certificate with an IP address in the common name field.

Code:

# Define default secure virtual host
#
<VirtualHost *:443>
  # Inherit any global mod_rewrite rules
  #
  RewriteEngine On
  RewriteOptions InheritBefore

  #   Enable SSL for this virtual host.
  #
  SSLEngine on

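  # Redirect requests whose Host header is a bare IPv4 address to the named site.
  # In virtual host context the matched path starts with "/", so strip it before re-adding it.
  #
  RewriteCond %{HTTP_HOST} ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$
  RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]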

  # Other directives

</VirtualHost>

These example uses of mod_rewrite might help you achieve what you want.

r00ter
Joined: 02 Aug 2021
Posts: 9

Posted: Wed 04 Aug '21 11:02

Hello, thanks for your reply; although I am still quite unsure what to do. I have four config files, however, and here they are:
000-default.conf
Code:
<VirtualHost *:80>
    ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    DirectoryIndex index.php index.html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


default-ssl.conf
Code:
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>


example.com.conf
Code:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin master@example.com
    DocumentRoot /var/www/example.com/public_html

    <Directory /var/www/example.com/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    Redirect permanent / https://example.com/

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com [OR]
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


And lastly: example.com-le-ssl.conf
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin master@example.com
    DocumentRoot /var/www/example.com/public_html
    DirectoryIndex indexed-first-page650.php index.php index.html index.htm

    <Directory /var/www/example.com/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    <Directory /var/www/example.com/public_html/downloads>
        Options +Indexes
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

    ErrorDocument 404 /resurser/status_pages/404.html
    ErrorDocument 403 /resurser/status_pages/403.html

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>


Do you see anything about this? And thank you

tangent
Moderator
Joined: 16 Aug 2020
Posts: 305
Location: UK

Posted: Wed 04 Aug '21 18:24

Ok, these config details help.

Looking at your original post, you want to redirect connection requests which are using an IP address, to your secure site domain (example.com for now). Can we also assume you don't want to serve any site content from your non-secure interface?

So the two non-secure virtual host definitions are similar in that they both have the character * (which acts as a wildcard and matches any IP address), and they both have the ServerName www.example.com. So assuming 000-default.conf file is read first, that's the one which will take precedence. Hence, your users get the default content from /var/www/html.

So I'd delete the example.conf file (or rename the conf extension so it's not read), and revise 000-default.conf to contain the following:

Code:
# Define default non-secure virtual host
#
<VirtualHost *:80>
    # Inherit any global mod_rewrite rules
    #
    RewriteEngine On
    RewriteOptions InheritBefore

    # Redirect non-secure HTTP requests to HTTPS.
    #
    RewriteCond %{HTTPS} off
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [L,NE,R=302]

</VirtualHost>

This will redirect all non-secure requests to the equivalent secure site. I wouldn't bother with the logging entries unless you really want to know who's connecting non-securely.

Next, the two secure virtual host definitions are also similar in that they both have the wildcard character too. So, I'd consider removing the default-ssl.conf file (or rename the conf extension so it's not read), not least of which the snake oil certificates (you're on Ubuntu, yes?) are self-signed, so browsers are going to complain about these anyway.

Then edit your remaining example.com-le-ssl.conf file to include a suitable redirect for connections that aren't using your preferred site names. You've listed ServerName example.com and ServerAlias www.example.com, so assume you've set up Server Alternative Name (SAN) entries in your Let's Encrypt certificate as well.

Here's a suitable rewrite rule, with two conditions for your sample domains, which I'd put near the top of your virtual host block (see https://httpd.apache.org/docs/current/mod/mod_rewrite.html for mod_rewrite details)

Code:
    RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]

Let us know how you get on.
Back to top
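An added example, not part of the thread: the two Host-header conditions suggested above (the IPv4-only pattern from the default secure virtual host and the negated allow-list for example.com), evaluated over constructed Host values to show which requests each one redirects. Python's `re` stands in for mod_rewrite's regex matching, `[NC]` is mapped to `re.IGNORECASE`, and the allow-list patterns are written with escaped dots.

```python
import re

# Condition from the default secure virtual host: Host header is a bare IPv4 address.
IPV4_ONLY = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")

# Negated allow-list conditions; consecutive RewriteCond lines are ANDed.
ALLOWED = [re.compile(r"^example\.com$", re.I),
           re.compile(r"^www\.example\.com$", re.I)]

CANONICAL = "https://example.com"


def redirect_ipv4_rule(host, path):
    """Redirect target under the IPv4-only condition, or None if the rule does not fire."""
    if IPV4_ONLY.search(host):
        return CANONICAL + path
    return None  # request is served by whichever vhost received it


def redirect_allowlist_rule(host, path):
    """Redirect target when the Host header is neither of the two allowed names."""
    if all(not p.search(host) for p in ALLOWED):
        return CANONICAL + path
    return None


# Constructed Host header values that a catch-all virtual host can receive.
SAMPLE_HOSTS = [
    "example.com", "WWW.Example.COM", "203.0.113.10", "203.0.113.10:443",
    "[2001:db8::1]", "other.test", "example.com:443", "",
]


def compare(path="/downloads/"):
    """Return {host: (ipv4_rule_result, allowlist_rule_result)}."""
    return {h: (redirect_ipv4_rule(h, path), redirect_allowlist_rule(h, path))
            for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for host, (ipv4, allow) in compare().items():
        print(f"{host!r:22} ipv4-rule={ipv4!s:34} allowlist-rule={allow}")
```

The IPv4-only condition leaves IP-with-port, IPv6 literals, unknown names and an empty Host header unredirected, while the allow-list form sends all of them to the canonical name.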
r00ter
Joined: 02 Aug 2021
Posts: 9

Posted: Wed 04 Aug '21 22:43

Hm, okay. So I did as you said. I removed those two configuration files and now I am only left with 000-default.conf and example.com-le-ssl.conf

At first, with 000-default, I changed
Code:
RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [L,NE,R=302]

to
Code:
RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]


Because, with %{HTTP_HOST} it redirected me to the IP but with HTTPS, which is still a problem. Changing it to my actual domain though solved it, and all traffic/requests going to port 80 on my IP redirects now to the actual domain. Though as I said, it still doesn't work on connecting to the IP with HTTPS unfortunately and I am not entirely sure why :/

Here is the full remaining 000-default.conf and example.com-le-ssl.conf:

000-default.conf
Code:
# Define default non-secure virtual host
#
<VirtualHost *:80>
    # Inherit any global mod_rewrite rules
    #
    RewriteEngine On
    RewriteOptions InheritBefore

    # Redirect non-secure HTTP requests to HTTPS.
    #
    RewriteCond %{HTTPS} off
    RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


example.com-le-ssl.conf
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
    RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
    RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]

    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin master@example.com
    DocumentRoot /var/www/example.com/public_html
    DirectoryIndex indexed-first-page650.php index.php index.html index.htm
   
    <Directory /var/www/example.com/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    <Directory /var/www/example.com/public_html/downloads>
       Options +Indexes
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

    ErrorDocument 404 /resurser/status_pages/404.html
    ErrorDocument 403 /resurser/status_pages/403.html

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>


Thank you - I am on Debian (10) Buster by the way.
Back to top
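An added check, not part of the thread: mod_rewrite is off by default and its configuration is not inherited by virtual hosts, so RewriteCond/RewriteRule lines have no effect in a `<VirtualHost>` block that lacks its own `RewriteEngine On`. The secure virtual host posted above carries rewrite lines but no `RewriteEngine On` of its own (the Include'd Let's Encrypt options file is not shown on the page); the Python scan below flags that pattern, using a constructed sample modelled on the two posted files.

```python
import re

# Constructed sample, modelled on the two files posted above and shortened.
SAMPLE = r"""<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
    RewriteRule ^/(.*)$ https://example.com/$1 [L,NE,R=302]
    ServerName example.com
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
"""

OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
ENGINE_ON = re.compile(r"^\s*RewriteEngine\s+on\b", re.I)
RULE = re.compile(r"^\s*Rewrite(?:Rule|Cond)\b", re.I)


def inactive_rewrite_vhosts(conf_text):
    """Return (vhost address, line of first rewrite directive) for each
    <VirtualHost> that has rewrite directives but no 'RewriteEngine On'.
    Assumption: Include'd files are not followed; '#' lines are comments."""
    findings, addr, engine, first_rule = [], None, False, None
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            addr, engine, first_rule = opened.group(1).strip(), False, None
        elif CLOSE.match(line):
            if addr is not None and first_rule is not None and not engine:
                findings.append((addr, first_rule))
            addr = None
        elif addr is not None:
            if ENGINE_ON.match(line):
                engine = True
            elif RULE.match(line) and first_rule is None:
                first_rule = lineno
    return findings


if __name__ == "__main__":
    print(inactive_rewrite_vhosts(SAMPLE))
```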
tangent
Moderator
Joined: 16 Aug 2020
Posts: 305
Location: UK

Posted: Thu 05 Aug '21 13:36

When you say:
r00ter wrote:
It still doesn't work on connecting to the IP with HTTPS unfortunately and I am not entirely sure why :/

What exactly do you mean?

Do you mean a client connecting with https://example.com doesn't work, or what?

What if any response does the client browser get (check with SHIFT+CONTROL+I)?

What if any error messages are logged by Apache?

r00ter
Joined: 02 Aug 2021
Posts: 9

Posted: Thu 05 Aug '21 19:26

Sorry if I am unclear, this is what I mean:

If I connect directly to the IP with port 80 (HTTP) I get redirected to port 443 of example.com, the HTTPS version of example.com, same with if I connect to example.com with port 80 (HTTP), it redirects me to HTTPS example.com.

But if I connect to the IP directly on port 443 (HTTPS), it has a revoked certificate and doesn't redirect to example.com (it still says the IP in the URL box), though it is also in the example.com DocumentRoot.

Just ask if I need to elaborate more or if I was unclear, thanks

tangent
Moderator
Joined: 16 Aug 2020
Posts: 305
Location: UK

Posted: Thu 05 Aug '21 22:33

Ok, so https://example.com works ok, but https://a.b.c.d doesn't (where a.b.c.d is your server IP address). This brings up a browser error about the certificate (mis-matched, revoked or otherwise). Well that's to be expected, and is as it should be.

When connecting to your secure site, the client browser will expect the X509 certificate Common Name (CN) to match the domain name in the request URL, example.com in your case. Further, if your certificate contains additional Server Alternative Name (SAN) entries, then any of them should be accepted too, e.g. www.example.com. You may have chosen to set up a wildcard certificate to cover multiple subdomains as well.

Either way, X509 certificates do not support IP address entries for the common name. So if the domain name in the request URL doesn't match any of the entries in the site certificate, then expect the browser to complain.

You can of course add an exception to the certificate challenge, assuming your browser allows it. That way you will be able to connect using an IP address should you wish.
Back to top
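An added illustration, not part of the thread, of the ordering described above: the browser checks the requested host against the certificate's names during the TLS handshake, before any HTTP request reaches the virtual host, so a rewrite rule cannot pre-empt the warning for https://a.b.c.d. The certificate name list and the 203.0.113.10 address are constructed, and the matcher is a simplified model of browser behaviour.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: DNS names assumed to be in the site's Let's Encrypt certificate.
CERT_DNS_NAMES = ["example.com", "www.example.com"]


def is_ip_literal(host):
    """True when the URL host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h


def cert_accepts(url, dns_names=CERT_DNS_NAMES):
    """Would a client accept this certificate's DNS names for the URL's host?"""
    host = urlsplit(url).hostname or ""
    if is_ip_literal(host):
        return False  # IP literals are never compared with DNS name entries
    return any(dns_name_matches(name, host) for name in dns_names)


def client_outcome(url):
    """The name check comes first; the server-side redirect can only run
    once the certificate has been accepted and a request is actually sent."""
    if not cert_accepts(url):
        return "certificate warning before any request is sent"
    return "TLS established, request sent"


if __name__ == "__main__":
    for u in ("https://example.com/", "https://www.example.com/",
              "https://203.0.113.10/", "https://[2001:db8::1]/"):
        print(f"{u:28} {client_outcome(u)}")
```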

