Thank you.
The output is:

# httpd -S
[Mon Oct 19 07:30:59.814973 2020] [so:warn] [pid 2563507:tid 140016219371840] AH01574: module deflate_module is already loaded, skipping
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.example.net (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost www.example.net (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost example.net (/etc/httpd/conf.d/wp-le-ssl.conf:2)
                 alias www.example.net
*:80                   is a NameVirtualHost
         default server www.example.net (/etc/httpd/conf.d/wp.conf:1)
         port 80 namevhost www.example.net (/etc/httpd/conf.d/wp.conf:1)
                 alias www.example.net
         port 80 namevhost 1.2.3.4 (/etc/httpd/conf.d/wp.conf:49)
         port 80 namevhost 1.2.3.5 (/etc/httpd/conf.d/wp.conf:72)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex fcgid-pipe: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODSEC_2.5
Define: MODSEC_2.9
User: name="apache" id=48
Group: name="apache" id=48

And the content of the "welcome.conf" is:

# cat /etc/httpd/conf.d/welcome.conf
#
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /noindex/index.html
</LocationMatch>

Alias /noindex /usr/share/httpd/noindex

<Directory /usr/share/httpd/noindex>
    Options MultiViews
    DirectoryIndex index.html

    AddLanguage en-US .en-US
    AddLanguage es-ES .es-ES
    AddLanguage zh-CN .zh-CN
    AddLanguage zh-HK .zh-HK
    AddLanguage zh-TW .zh-TW

    LanguagePriority en
    ForceLanguagePriority Fallback

    AllowOverride None
    Require all granted
</Directory>

On Saturday, October 17, 2020, 12:41:51 AM GMT+3:30, Frank <thumbs@xxxxxxxxxx> wrote:

Jason,

That smells like CentOS - they mangle the apachectl script, use httpd -S instead.

You'll want to read the contents of welcome.conf too.

Lastly, you don't need to use mod_rewrite to redirect. It should be your last absolute resort. Every vhost should have an explicit ServerName set too.

On 15/10/20 03:22 PM, Jason Long wrote:
> Hello,
> Here is the output of "apachectl -S" command:
>
> # apachectl -S
> #
>
> And I changed the config as below:
>
> <VirtualHost *:80>
>     RequestHeader unset X-is-ssl
>     RewriteEngine on
>     RewriteRule ^(.*)$ https://www.example.net%{REQUEST_URI} [R=permanent,L,NE]
> </VirtualHost>
>
> ## Send all traffic on port 443 which isn't the primary domain to the primary domain
> ## This implicitly picks up the IP for the host, the actual hostname OR the unqualified domain name example.com
>
> <VirtualHost *:443>
>     RewriteEngine on
>     RewriteRule ^(.*)$ https://www.example.net/%{REQUEST_URI} [R,L,NE]
> </VirtualHost>
>
> <VirtualHost *:443>
>     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
>     ServerAdmin root@localhost
>     ServerName www.example.net
>     ServerAlias www.example.net
>     ## Do not use Server Alias here for alternative domains - only use for test/dev sites...
>     DocumentRoot /var/www/wp
>     <Directory "/var/www/wp">
>         Options Indexes FollowSymLinks
>         AllowOverride all
>         Require all granted
>     </Directory>
>     ErrorLog /var/log/httpd/wordpress_error.log
>     CustomLog /var/log/httpd/wordpress_access.log common
>     RewriteEngine on
>     RewriteCond %{SERVER_NAME} =example.net [OR]
>     RewriteCond %{SERVER_NAME} =www.example.net [OR]
>     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>     Redirect permanent / https://www.example.net
>
>     TraceEnable off
>     ServerSignature Off
>
> </VirtualHost>
>
> But when I restarted the Apache service and visited my website, it showed me an error about privacy, and after that the Apache test page was shown.
> I have an SSL conf file too:
>
> <IfModule mod_ssl.c>
> <VirtualHost *:443>
>     ServerAdmin root@localhost
>     ServerName example.net
>     ServerAlias www.example.net
>     DocumentRoot /var/www/wp
>     <Directory "/var/www/wp">
>         Options Indexes FollowSymLinks
>         AllowOverride all
>         Require all granted
>     </Directory>
>     ErrorLog /var/log/httpd/wordpress_error.log
>     CustomLog /var/log/httpd/wordpress_access.log common
>     SSLEngine On
>     Include /etc/letsencrypt/options-ssl-apache.conf
>     SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
>     SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
> </VirtualHost>
> </IfModule>
>
> Does it need any change too?
>
> Thank you.
>
> On Monday, October 12, 2020, 11:11:11 PM GMT+3:30, Frank <thumbs@xxxxxxxxxx> wrote:
>
> Yes, it does: Redirect 301 or RedirectPermanent.
>
> Please review the docs before answering.
>
> On 12/10/20 02:04 PM, James Smith wrote:
>> Redirect doesn't allow you to distinguish between 301s and 302s which you can do with mod_rewrite {very useful feature tbh when it comes to bits like this} - the user is using WordPress so will almost certainly be using mod_rewrite to handle the nice URLs....
>>
>> As for the issue without a server name - you don't need one in the 800 unless you are doing something clever - as for the redirects it doesn't break but you can put one in - just make sure that it is included first!
>>
>> -----Original Message-----
>> From: Frank <thumbs@xxxxxxxxxx>
>> Sent: 12 October 2020 18:10
>> To: users@xxxxxxxxxxxxxxxx
>> Subject: Re: Forwarding IP to HTTPS. [EXT]
>>
>> James,
>>
>> Unless the user has many hosts, I would recommend against using mod_rewrite here. It isn't needed. And your vhost should include an explicit ServerName directive.
>>
>> On 12/10/20 11:56 AM, James Smith wrote:
>>> So I would do this for the virtual host sections – assuming you are
>>> only running ONE externally facing website – there are other things
>>> you would need to do if you were running multiple ones
>>>
>>> ## Send all traffic on port 80 to the primary domain over SSL…
>>>
>>> <VirtualHost *:80>
>>>     RequestHeader unset X-is-ssl
>>>     RewriteEngine on
>>>     RewriteRule ^(.*)$ https://www.example.com%{REQUEST_URI} [R=permanent,L,NE]
>>> </VirtualHost>
>>>
>>> ## Send all traffic on port 443 which isn't the primary domain to the primary domain
>>> ## This implicitly picks up the IP for the host, the actual hostname OR the unqualified domain name example.com
>>>
>>> <VirtualHost *:443>
>>>     RewriteEngine on
>>>     RewriteRule ^(.*)$ https://www.example.com/%{REQUEST_URI} [R,L,NE]
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
>>>     ServerAdmin root@localhost
>>>     ServerName www.example.com
>>>     ## Do not use Server Alias here for alternative domains - only use for test/dev sites...
>>>     DocumentRoot /var/www/wp
>>>     <Directory "/var/www/wp">
>>>         Options Indexes FollowSymLinks
>>>         AllowOverride all
>>>         Require all granted
>>>     </Directory>
>>>
>>>     ## Put the rest of your wordpress stuff here...
>>> </VirtualHost>
>>>
>>> From: Jason Long <hack3rcon@xxxxxxxxx.INVALID>
>>> Sent: 12 October 2020 16:39
>>> To: users@xxxxxxxxxxxxxxxx
>>> Subject: Re: Forwarding IP to HTTPS. [EXT]
>>>
>>> Excuse me,
>>>
>>> Can you clean my configuration?
>>>
>>> On Monday, October 12, 2020, 07:06:17 PM GMT+3:30, Frank <thumbs@xxxxxxxxxx> wrote:
>>>
>>> James,
>>>
>>> Omitting an explicit ServerName in name-based vhosts is a bad idea as
>>> well. You can create conflicts or ambiguities.
>>>
>>> On 12/10/20 11:22 AM, James Smith wrote:
>>>> This would be my set-up in your case - note as someone said it was too complex I've removed the extra security bits I'd left in by accident...
>>>>
>>>> ## Port 80 && 443 default configs...
>>>>
>>>> <VirtualHost *:80>
>>>>     RequestHeader unset X-is-ssl
>>>>     RewriteEngine on
>>>>     RewriteRule ^(.*)$ https://www.mydomain.com%{REQUEST_URI} [R=permanent,L,NE]
>>>> </VirtualHost>
>>>>
>>>> <VirtualHost *:443>
>>>>     RewriteEngine on
>>>>     RewriteRule ^(.*)$ https://www.mydomain.com/%{REQUEST_URI} [R,L,NE]
>>>> </VirtualHost>
>>>>
>>>> ## Port 443 default - this is our main server...... so your main apache config stuff should be in here with SSL configured correctly..
>>>>
>>>> <VirtualHost *:443>
>>>>     ServerName www.mydomain.com
>>>>     ...
>>>>     ...
>>>>     ...
>>>>     ...
>>>>     ...
>>>> </VirtualHost>
>>>>
>>>> If you have more than one domain then you will need to add rules on
>>>> port 80 to preserve the hostname & also blocks for each additional
>>>> domain
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>
>>> --
>>> The Wellcome Sanger Institute is operated by Genome Research
>>> Limited, a charity registered in England with number 1021457 and a
>>> company registered in England with number 2742969, whose registered
>>> office is 215 Euston Road, London, NW1 2BE.
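An added example, not written by anyone in this thread: a Python check over the VirtualHost section of the `httpd -S` output posted in the top message, listing host names that more than one vhost claims on the same address. The function names are hypothetical, the sample is re-typed from that output, and the parser assumes the name-based listing format shown there.

```python
import re
from collections import defaultdict

# Constructed sample: VirtualHost section of the `httpd -S` output quoted in this thread.
SAMPLE = """\
*:443                  is a NameVirtualHost
         default server www.example.net (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost www.example.net (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost example.net (/etc/httpd/conf.d/wp-le-ssl.conf:2)
                 alias www.example.net
*:80                   is a NameVirtualHost
         default server www.example.net (/etc/httpd/conf.d/wp.conf:1)
         port 80 namevhost www.example.net (/etc/httpd/conf.d/wp.conf:1)
                 alias www.example.net
         port 80 namevhost 1.2.3.4 (/etc/httpd/conf.d/wp.conf:49)
         port 80 namevhost 1.2.3.5 (/etc/httpd/conf.d/wp.conf:72)
"""

ADDR = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost")
VHOST = re.compile(r"^\s+port \d+ namevhost (\S+) \((.+):(\d+)\)")
ALIAS = re.compile(r"^\s+alias (\S+)")

def parse_vhosts(text):
    """Return {address: [(file:line, [ServerName, aliases...]), ...]} in listing order."""
    table, addr = defaultdict(list), None
    for line in text.splitlines():
        if m := ADDR.match(line):
            addr = m.group(1)
        elif addr and (m := VHOST.match(line)):
            table[addr].append((f"{m.group(2)}:{m.group(3)}", [m.group(1)]))
        elif addr and table[addr] and (m := ALIAS.match(line)):
            table[addr][-1][1].append(m.group(1))
    return dict(table)

def shadowed_names(table):
    """List (address, name, winner, shadowed) for names claimed by two vhosts.
    httpd picks the first listed vhost whose ServerName or ServerAlias matches
    the request's host name, so the later claimant never serves that name."""
    findings = []
    for addr, vhosts in table.items():
        owner = {}
        for source, names in vhosts:
            for name in dict.fromkeys(names):  # drop self-aliases, keep order
                if name in owner:
                    findings.append((addr, name, owner[name], source))
                owner.setdefault(name, source)
    return findings

print(shadowed_names(parse_vhosts(SAMPLE)))
```

On this sample the only finding is `www.example.net` on `*:443`, claimed first by `ssl.conf:40` and again as an alias in `wp-le-ssl.conf:2`.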