Re: HSTS verification

Hi,

On 02.07.21 09:27, @lbutlr wrote:
> When checking for https HSTS compliance on htstpreload.org I get a warning 
> 
>> We cannot connect to https://example.net using TLS ("Get https://example.net: http: server gave HTTP response to HTTPS client").

What is in your access logs, can you identify the request and check which virtual hosts served it? You can enable logging of the
virtual host in the access log or log to dedicated files (see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats for
a list of what is available).

> And I do not understand how this can be. The page in question loads as https with a valid cert and the http query is set to redirect to https
> 
> <VirtualHost ip.ad.re.ss:443>
>    ServerName www.example.net
>    ServerAlias foo.example.net
>    ServerAlias example.net
>    DocumentRoot /usr/local/www/example/
>    DirectoryIndex index.html
>    ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/usr/local/www/example/$1
>    SSLEngine on
>    SSLCertificateFile /usr/local/etc/dehydrated/certs/example.net/cert.pem
>    SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/example.net/privkey.pem
>    SSLCertificateChainFile /usr/local/etc/dehydrated/certs/example.net/chain.pem
>    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
>    SSLHonorCipherOrder on
>    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>    #SSLUseStapling On
>    Header always set Strict-Transport-Security "max-age=15638400; includeSubdomains;"
>    Header always set X-Frame-Options DENY
>    Alias /.well-known/ /usr/local/www/.well-known/
> </VirtualHost>
> 
> <VirtualHost *:80>
>    ServerName www.example.net
>    ServerAlias foo,example.net
>    ServerAlias example.net
>    ServerAlias webmail.example.net
>    Redirect / https://www.example.net/
>    Alias /.well-known/ /usr/local/www/.well-known/
> </VirtualHost>
> 
> 

I do not see anything obviously wrong here (there is a typo on "ServerAlias foo,example.net" though, assume this is just an example issue).
However, your TLS virtualhost is bound to a fixed IP, your plain HTTP virtual host is bound to all available IPs on the machine.

My guess would be virtual host mismatch or a DNS specific issue (does example.net resolve to different IPs for different resolvers?). Again
access logs may reveal some more information on that.

hth,
Thomas
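
Added example, not code from the thread: a small Python checker for the two things the preload site tests against a host, whether the Strict-Transport-Security header meets the preload submission requirements and whether port 443 actually answers with TLS rather than a plaintext HTTP response. It assumes the hstspreload.org requirements (max-age of at least one year, includeSubDomains and preload); the OpenSSL reason strings it matches for the plaintext-on-443 case are an assumption about OpenSSL's error naming.

```python
import socket
import ssl

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.
    Names are case-insensitive; a trailing ';' like the thread's is tolerated."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def preload_problems(value):
    """List the reasons a header would be rejected for preload submission."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year (%s)" % max_age)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def probe_tls_port(host, port=443, timeout=5):
    """Classify what the server speaks on the TLS port: 'tls' when the
    handshake succeeds, 'plain-http' when OpenSSL rejects the reply as not
    being a TLS record (what an HTTP response on port 443 looks like), else
    'error:<detail>'. Reason-string matching is an assumption about OpenSSL."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls"
    except ssl.SSLError as exc:
        reason = (exc.reason or "").upper()
        if reason in ("WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL", "HTTP_REQUEST"):
            return "plain-http"
        return "error:%s" % reason
    except OSError as exc:
        return "error:%s" % exc
```

Run `preload_problems(...)` on the header value the 443 vhost above sends, and `probe_tls_port("example.net")` for each name in the submission (the bare domain and www) to see which one answers in plaintext.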
