Re: HSTS verification

On 03 Jul 2021, at 03:20, apache-httpd-users@xxxxxxxxxxxxxxx wrote:
> On 02.07.21 09:27, @lbutlr wrote:
>> When checking for https HSTS compliance on hstspreload.org I get a warning 
>> 
>>> We cannot connect to https://example.net using TLS ("Get https://example.net: http: server gave HTTP response to HTTPS client").

> What is in your access logs, can you identify the request and check which virtual hosts served it? You can enable logging of the
> virtual host in the access log or log to dedicated files (see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats for
> a list of what is available).

The VirtualHost blocks I posted are for the virtual host that responds to the query, but I didn't check the apache logs specifically.

The site works, and going to it on http redirects to https as expected, it is just this check tool that is complaining.

> 
>> And I do not understand how this can be. The page in question loads as https with a valid cert and the http query is set to redirect to https
>> 
>> <VirtualHost ip.ad.re.ss:443>
>>   ServerName www.example.net
>>   ServerAlias foo.example.net
>>   ServerAlias example.net
>>   DocumentRoot /usr/local/www/example/
>>   DirectoryIndex index.html
>>   ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/usr/local/www/example/$1
>>   SSLEngine on
>>   SSLCertificateFile /usr/local/etc/dehydrated/certs/example.net/cert.pem
>>   SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/example.net/privkey.pem
>>   SSLCertificateChainFile /usr/local/etc/dehydrated/certs/example.net/chain.pem
>>   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
>>   SSLHonorCipherOrder on
>>   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>>   #SSLUseStapling On
>>   Header always set Strict-Transport-Security "max-age=15638400; includeSubdomains;"
>>   Header always set X-Frame-Options DENY
>>   Alias /.well-known/ /usr/local/www/.well-known/
>> </VirtualHost>
>> 
>> <VirtualHost *:80>
>>   ServerName www.example.net
>>   ServerAlias foo,example.net
>>   ServerAlias example.net
>>   ServerAlias webmail.example.net
>>   Redirect / https://www.example.net/
>>   Alias /.well-known/ /usr/local/www/.well-known/
>> </VirtualHost>
>> 
>> 
> 
> I do not see anything obviously wrong here (there is a typo on "ServerAlias foo,example.net" though, assume this is just an example issue).

Oops, yes.

> However, your TLS virtualhost is bound to a fixed IP, your plain HTTP virtual host is bound to all available IPs on the machine.

Yes, that is intentional. Is this wrong?

> My guess would be virtual host mismatch or a DNS specific issue (does example.net resolve to different IPs for different resolvers?)

Nope. It resolves to the IP used in the main VirtualHost block.

> access logs may reveal some more information on that.

I will check, but since everything goes to where it should, I don't think that is the issue.


-- 
'It is always useful to face an enemy who is prepared to die for his
	country,' he read. 'This means that both you and he have exactly
	the same aim in mind.'
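Added example (not from the thread, and not hstspreload.org's or Apache's own code): a small Python diagnostic for the two things this exchange turns on. The error text quoted above, "http: server gave HTTP response to HTTPS client", is Go's net/http message for the case where the bytes that come back on port 443 begin with "HTTP/" instead of a TLS record header, i.e. some address the checker resolved for example.net answered port 443 in plaintext. The probe() below resolves the name the way a client would, attempts a TLS handshake with SNI against every returned address, and on failure reconnects without TLS and classifies what the port says, so you see which address (if any) is the one without a TLS virtual host. check_hsts_header() then tests the posted Strict-Transport-Security value against the submission requirements hstspreload.org documents (max-age of at least 31536000, includeSubDomains and preload): the posted header uses max-age=15638400 and has no preload directive, so it would be rejected for preloading even once the TLS issue is resolved. Function names, the PRELOAD_MIN_MAX_AGE constant and the command-line usage are this example's own assumptions; probe() needs network access and is only run from the command line.

```python
"""Diagnose an hstspreload.org "server gave HTTP response to HTTPS client" result.

Added example, not code from the mailing-list thread:
  classify_first_bytes()  - what did port 443 actually send back?
  check_hsts_header()     - does the Strict-Transport-Security value meet the
                            hstspreload.org submission requirements?
  probe()                 - resolve the name, try a TLS handshake (with SNI)
                            against every address, and on failure read the raw
                            bytes so you see which address answers in plaintext.
"""
import socket
import ssl
import sys

# hstspreload.org requires max-age >= 1 year plus includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client receives after sending a ClientHello.

    Go's net/http reports "server gave HTTP response to HTTPS client" when the
    bytes that should be a TLS record header instead begin with "HTTP/".
    """
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    # TLS record header: content type 0x16 (handshake) or 0x15 (alert), version 0x03xx
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    return "unknown"


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into a directive dict (names lower-cased).
    Directive names are case-insensitive; a trailing ';' like the one in the
    posted config is tolerated."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts_header(value: str) -> list:
    """Return the problems that would block hstspreload.org submission;
    an empty list means the header value is acceptable."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Map every address `host` resolves to -> what its port 443 does.
    Needs network access; not exercised by the offline checks."""
    results = {}
    ctx = ssl.create_default_context()
    for *_, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[ip] = f"tls ok ({tls.version()})"
            continue
        except ssl.SSLError as e:
            err = e.reason or str(e)
        except OSError as e:
            results[ip] = f"connect failed: {e}"
            continue
        # Handshake failed: talk plain HTTP to the same port and classify the reply.
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            raw.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            first = raw.recv(64)
        results[ip] = (f"handshake failed ({err}); plain request got "
                       f"{classify_first_bytes(first)}: {first[:32]!r}")
    return results


if __name__ == "__main__":
    # Usage (assumed): python3 hsts_probe.py example.net
    name = sys.argv[1] if len(sys.argv) > 1 else "example.net"
    for ip, verdict in probe(name).items():
        print(f"{ip:>40}  {verdict}")
    # Header value as posted in the thread:
    print(check_hsts_header("max-age=15638400; includeSubdomains;"))
```

If one address reports "plain request got plaintext-http" while another reports "tls ok", the checker simply hit the address that has no :443 TLS virtual host bound to it; if every address is "tls ok", compare the resolvers the checker uses with your own before digging through the access log.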

