Thanks again

So if I redirect to the https version I can put all my per-directory
config into the *:443 vhost entry?

My worry is where that leaves some primitive browsers that don't
support SSL. Can they not access the page at all? Do they use the *:80
vhost entry and bypass any config that's in the *:443 one? Or should I
copy all config into both?

Adrian

On Tue, 20 Apr 2021 14:50:18 +0200
Daniel Ferradal <dferradal@xxxxxxxxxx> wrote:

> Generally I would never define virtualhosts with <Virtualhost *>, I
> think it is better and more straightforward to specify everything,
> especially when starting to admin your first apache servers. For
> example purposes, let's say I would define them like these in a more
> straightforward way:
>
> Listen 80
> Listen 443
>
> <Virtualhost *:80>
>     ServerName whatever.example.com
>     Redirect / https://whatever.example.com/
>     CustomLog logs/whatevever.example.com.log common
> </VirtualHost>
>
> <VirtualHost *:443>
>     ServerName whatever.example.com
>     CustomLog logs/whatevever.example.com-ssl.log combined
>     ..
>     .
>     .
> </VirtualHost>
>
> <Virtualhost *:80>
>     ServerName somethingelse.example.com
>     CustomLog logs/somethingelse.example.com.log common
>
>     Redirect / https://somethingelse.example.com/
> </VirtualHost>
>
> <VirtualHost *:443>
>     ServerName somethingelse.example.com
>     CustomLog logs/somethingelse.example.com-ssl.log combined
>     .
>     .
>     .
> </VirtualHost>
>
> I think this way it is quite hard to get lost.
> There are more brief setups you can go for but for a couple of domains
> it pays off to go like this, I would recommend you to define
> everything clearly to know where everything is going instead of trying
> to take shortcuts.
>
> Also make sure to restart between changes gracefully or with a
> restart.
>
> And for testing use a client which does not cache contents, aka,
> "curl -Ik https://whatever.example.com/"
>
> A sidenote:
> Also, about the files you mention, take into account that for apache,
> config files do not mean much when interpreting the configuration, but
> context/sections and order in which directives have been defined
> really do, most times you mention different config files people in
> this list may not pay too much attention to their names because of it.
> Debian and other distros tend to convolute config files making it look
> like a difficult mess for newcomers, when for small configurations
> sometimes with few virtualhosts it may pay off to go smaller or even
> single file.
>
> On Tue, 20 Apr 2021 at 14:29, Adrian
> (<adrian@xxxxxxxxxxxxxx.invalid>) wrote:
> >
> > Thanks again Daniel
> >
> > I've added a ServerName line to the top level vhost with the name
> > of my server. No change.
> >
> > Yes, there are two files in sites-enabled, 000-default and
> > 000-ssl. I suspect that's the cause of the problem.
> >
> > I'd thought that 000-ssl only had SSL-related things and had assumed
> > that the other settings defaulted to the values in 000-default, but
> > maybe not. I see that both versions contain a DocumentRoot.
> >
> > So that raises the question that if only one of these is being used,
> > and it's the SSL one using port 443, how do I configure the change
> > to work for port 80 requests? Do I have to add the same lines to
> > both?
> >
> > Though in practice my http:// URLs are being redirected to https://
> > somehow, so I can't tell how a port 80 request would behave.
> >
> > Thanks
> > Adrian
> >
> > On Tue, 20 Apr 2021 13:38:08 +0200
> > Daniel Ferradal <dferradal@xxxxxxxxxx> wrote:
> >
> > > Hello,
> > >
> > > This says you have two virtualhosts pointing to the same name, so
> > > only the first one will be used:
> > >
> > > (/etc/apache2/sites-enabled/000-default.conf:46) *:443
> > > is a NameVirtualHost default server www.example.org
> > > (/etc/apache2/sites-enabled/000-ssl:2) port 443 namevhost
> > > www.example.org
> > >
> > > But still that virtualhost you just pasted has no servername, so
> > > that one may be very well catching everything.
> > >
> > > These things can be quite easy to see if you are still in doubt.
> > > Define a specific access log for each virtualhost with different
> > > file names, check where you land.
> > >
> > > When defining several virtualhosts define a unique servername for
> > > each always. Remember first match wins.
> > >
> > > On Tue, 20 Apr 2021 at 12:35, Adrian
> > > (<adrian@xxxxxxxxxxxxxx.invalid>) wrote:
> > > >
> > > > Thanks Daniel.
> > > >
> > > > I had one redundant .htaccess file in the vhost domain, now
> > > > removed. Restarted and no change.
> > > >
> > > > Results of apachectl -S below:
> > > >
> > > > apachectl -S
> > > > [Tue Apr 20 11:22:05.839049 2021] [so:warn] [pid 2744] AH01574: module ssl_module is already loaded, skipping
> > > > VirtualHost configuration:
> > > > *:*                    is a NameVirtualHost
> > > >          default server myserver.io (/etc/apache2/sites-enabled/000-default.conf:1)
> > > >          port * namevhost myserver.io (/etc/apache2/sites-enabled/000-default.conf:1)
> > > >          port * namevhost www.example.org (/etc/apache2/sites-enabled/000-default.conf:46)
> > > > *:443                  is a NameVirtualHost
> > > >          default server www.example.org (/etc/apache2/sites-enabled/000-ssl:2)
> > > >          port 443 namevhost www.example.org (/etc/apache2/sites-enabled/000-ssl:2)
> > > > ServerRoot: "/etc/apache2"
> > > > Main DocumentRoot: "/var/www/html"
> > > > Main ErrorLog: "/var/log/apache2/error.log"
> > > > Mutex mpm-accept: using_defaults
> > > > Mutex watchdog-callback: using_defaults
> > > > Mutex rewrite-map: using_defaults
> > > > Mutex ssl-stapling-refresh: using_defaults
> > > > Mutex ssl-stapling: using_defaults
> > > > Mutex proxy: using_defaults
> > > > Mutex ssl-cache: using_defaults
> > > > Mutex default: dir="/var/lock/apache2" mechanism=fcntl
> > > > PidFile: "/var/run/apache2.pid"
> > > > Define: DUMP_VHOSTS
> > > > Define: DUMP_RUN_CFG
> > > > User: name="www-data" id=33
> > > > Group: name="www-data" id=33
> > > >
> > > > There is a top-level vhost which maps "http://myserver.io" to
> > > > the top-level docroot, though oddly it doesn't seem to see the
> > > > files there. Here is the content. Below this is the vhost I
> > > > originally listed, and below that another vhost which maps a
> > > > different domain to a different docroot.
> > > >
> > > > <VirtualHost *>
> > > >     ServerAdmin webmaster@localhost
> > > >
> > > >     DocumentRoot /var/www/
> > > >     <Directory />
> > > >         Options FollowSymLinks
> > > >         AllowOverride All
> > > >     </Directory>
> > > >     <Directory /var/www/>
> > > >         Options Indexes FollowSymLinks MultiViews
> > > >         AllowOverride All
> > > >         Require all granted
> > > >         # This directive allows us to have apache2's default start page
> > > >         # in /apache2-default/, but still have / go to the right place
> > > >         # RedirectMatch ^/$ /apache2-default/
> > > >     </Directory>
> > > >
> > > >     ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
> > > >
> > > >     <Directory "/usr/lib/cgi-bin">
> > > >         AllowOverride None
> > > >         Options ExecCGI MultiViews SymLinksIfOwnerMatch
> > > >         Require all granted
> > > >     </Directory>
> > > >
> > > >     ErrorLog /var/log/apache2/error.log
> > > >
> > > >     # Possible values include: debug, info, notice, warn, error,
> > > >     # crit, alert, emerg.
> > > >     LogLevel warn
> > > >
> > > >     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
> > > >     CustomLog /var/log/apache2/access.log combined
> > > >     ServerSignature On
> > > >
> > > >     Alias /doc/ "/usr/share/doc/"
> > > >     <Directory "/usr/share/doc/">
> > > >         Options Indexes MultiViews FollowSymLinks
> > > >         AllowOverride None
> > > >         Require local
> > > >     </Directory>
> > > > </VirtualHost>
> > > >
> > > > There's nothing in apache2.conf that looks suspicious to me but
> > > > I can list it if it helps.
> > > >
> > > > Adrian
> > > >
> > > > On Tue, 20 Apr 2021 12:10:09 +0200
> > > > Daniel Ferradal <dferradal@xxxxxxxxxx> wrote:
> > > >
> > > > > Check "apachectl -S" output in case there is some other
> > > > > virtualhost there getting the requests.
> > > > >
> > > > > That virtualhost as it is should deny access, if it is not,
> > > > > then there is something missing in what you show. Not sure if
> > > > > it may be another virtualhost or another virtualhost
> > > > > and .htaccess, etc.
> > > > >
> > > > > On Tue, 20 Apr 2021 at 12:01, Adrian
> > > > > (<adrian@xxxxxxxxxxxxxx.invalid>) wrote:
> > > > > >
> > > > > > using Apache/2.4.38 (Debian)
> > > > > > with Debian-style split config.
> > > > > >
> > > > > > Here are the relevant bits of a vhost. This is
> > > > > > in /etc/apache2/sites-enabled/000-default.
> > > > > >
> > > > > > <VirtualHost *>
> > > > > >     ServerName www.example.org
> > > > > >     DocumentRoot /var/www/example
> > > > > >     CustomLog /var/log/apache2/example/access.log combined
> > > > > >
> > > > > >     <Directory "/var/www/example/">
> > > > > >         # DISABLE THE ENTIRE DOCROOT
> > > > > >         Require all denied
> > > > > >     </Directory>
> > > > > > </VirtualHost>
> > > > > >
> > > > > > I restarted Apache and browsed a page that isn't in cache.
> > > > > > It loaded as normal.
> > > > > >
> > > > > > My real question is that basic file auth is also ignored,
> > > > > > but I thought I'd start simple.
> > > > > >
> > > > > > Things that might be related, to rule them out:
> > > > > > ${APACHE_LOCK_DIR} and ${APACHE_RUN_DIR} are not defined.
> > > > > >
> > > > > > I have the compatibility module loaded, as I migrated from
> > > > > > 2.2, but as far as I can see I have no remaining 2.2 syntax
> > > > > > in my config.
> > > > > >
> > > > > > Let me know what else you may need and I'll provide it.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > > > > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
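
The `apachectl -S` check recommended in the thread, automated as an added example (not code from the thread or from the Apache project): it parses the vhost dump and reports a ServerName that is shadowed within one address set or defined separately under several, which is how a `Require all denied` written in one vhost can fail to apply to a request. The sample dump is constructed, and `parse_vhosts` and `audit` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `apachectl -S` prints (names follow the thread).
SAMPLE = """\
VirtualHost configuration:
*:*                    is a NameVirtualHost
         default server myserver.io (/etc/apache2/sites-enabled/000-default.conf:1)
         port * namevhost myserver.io (/etc/apache2/sites-enabled/000-default.conf:1)
         port * namevhost www.example.org (/etc/apache2/sites-enabled/000-default.conf:46)
*:443                  is a NameVirtualHost
         default server www.example.org (/etc/apache2/sites-enabled/000-ssl:2)
         port 443 namevhost www.example.org (/etc/apache2/sites-enabled/000-ssl:2)
"""

ITEM = r"(?P<name>\S+) \((?P<file>.+):(?P<line>\d+)\)\s*$"
ADDR = re.compile(r"^(?P<addr>\S+:\S+)\s+(?:is a NameVirtualHost\s*$|" + ITEM + ")")
NAMEVHOST = re.compile(r"^\s+port \S+ namevhost " + ITEM)

def parse_vhosts(dump):
    """Return {address_set: [(server_name, file, line), ...]} in listed order."""
    sets, current = defaultdict(list), None
    for raw in dump.splitlines():
        m = ADDR.match(raw)
        if m:
            current = m["addr"]  # new address set; may also carry a single vhost
        else:
            m = NAMEVHOST.match(raw) if current else None
        if m and m["name"]:
            sets[current].append((m["name"], m["file"], int(m["line"])))
    return dict(sets)

def audit(sets):
    """Flag names shadowed inside one address set or split across several."""
    findings, places = [], defaultdict(list)
    for addr, hosts in sets.items():
        first = {}
        for name, path, line in hosts:
            if name in first:  # first match wins, later definitions never serve
                findings.append(f"{name}: {path}:{line} is shadowed on {addr} by {first[name]}")
            else:
                first[name] = f"{path}:{line}"
                places[name].append(f"{addr} -> {path}:{line}")
    for name, where in places.items():
        if len(where) > 1:  # same name, different vhost blocks per address set
            findings.append(f"{name}: split across {', '.join(where)}; rules in one do not cover the other")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_vhosts(SAMPLE))))
```

On a live server, pass the captured output of `apachectl -S` to `parse_vhosts` in place of `SAMPLE`.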