Apache wrong site shown

Discussion in 'Installation/Configuration' started by cremos, Nov 17, 2020.

  1. cremos

    cremos Member

    Hello !
    I am in Ispconfig 3.1.15p2.
    Is this either on the ispconfig panel?
    weird, I have no option in the web server part (empty) in under System > Server config > web
    I didn't do anything, I don't understand.
    Al Musul
     
    Last edited: Nov 19, 2020
  2. cremos

    cremos Member

    attached capture of the empty web server configuration
     
  3. cremos

    cremos Member

    I just made a dump of the ispconfig database size 1.9MB , I check the size of a backup at dbispconfig_2020-11-13_06h25m.Friday.sql 19M 10 times larger. I just restore a backup and find the settings in Web Server capture attached.
     
  4. cremos

    cremos Member

    Last edited: Nov 19, 2020
  5. cremos

    cremos Member

    Super certificate was well generated in /etc/letsencrypt/live/ and SSL options were added to the https vhost of the domain.
    I activated the httpS redirect (Rewrite HTTP to HTTPS) but my site (https://labvirtual.ac-amiens.fr/) still displays an invalid certificate.
    Thank you again for your availability and the work done
    Al Musul Crémos
     
    Last edited: Nov 19, 2020
  6. nhybgtvfr

    nhybgtvfr Active Member

    ah, yep, haproxy is definitely going to complicate things. i assume you've got haproxy configured in http mode.
    if you're using ispconfig and letsencrypt to create and renew the certificates, i guess you'd need to configure the haproxy frontend and backend to use tcp mode and ssl passthrough.
    or you could just have the certificates on haproxy and terminate them there, and just use http between haproxy and ispconfig.
    either way, this is probably a good starting point guide: https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
     
    ahrasis likes this.
  7. cremos

    cremos Member

    Indeed, I use a haproxy with a frontend and a backend in tcp mode and the ssl relay.
    The solution of certificates on haproxy and heavy, it is necessary to concet in the form: cat cert.pem privkey.pem fullchain.pem > labvirtual.ac-amiens.fr.pem
    then on the haproxy: frontend https
    http mode
    forwardfor option
    bind 194.254.103.168:443 no-sslv3 ssl crt /etc/haproxy/ssl/panel3/abvirtual.ac-amiens.fr.pem no-sslv3
    and this for each web domain.
    In my setup I use http mode for additional HTTP options.
    it would seem that Tcp should be used instead for HTTPS traffic because the packages are encrypted and HAProxy cannot display the HTTP headers.
    Crémos
     
  8. cremos

    cremos Member

    Hello,
    Thanks again for the HAProxy with SSL Pass-Through track this works with TLS 1.3 and letsencrypt via Ispconfig. thanks again.
    Al Musul Crémos
     
    Last edited: Dec 12, 2020
    nhybgtvfr and ahrasis like this.
  9. cremos

    cremos Member

    Hello !
    I just deleted the vhost ssl files generated by certbot and create the ssl config and avce Ispconfig certificate.
    Ispconfig does generate the HTTPS part of the vhost configuration in the same file that contains the HTTP configuration.
    I then force the http redirect to https with another box that I check in Ispconfig.

    Apache is still not serving the right site for the HTTP visit without SSL activation and that for all the web domains I create.
    I am blocked unable to create web domains that point to the correct directory (DocumentRoot)
    thank you in advance for your feedback.
    Crémos
     
    Last edited: Dec 12, 2020
  10. cremos

    cremos Member

    Additional information Issue of the apache2ctrl -S command :
    Default Server Ispconfig : panel3.in.ac-amiens.fr
    *:8081 panel3.in.ac-amiens.fr (/etc/apache2/sites-enabled/000-apps.vhost:9)
    *:8080 panel3.ac-amiens.fr (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
    *:80 is a NameVirtualHost
    default server panel3.in.ac-amiens.fr (/etc/apache2/sites-enabled/000-default.conf:1)
    *:443 is a NameVirtualHost
    default server dev.dsden60.ac-amiens.fr (/etc/apache2/sites-enabled/100-dev.dsden60.ac-amiens.fr.vhost:110)

    I wanted to know why i have a dev.dsden60.ac-amiens.fr rather than panel3.ac-amiens.fr for the port 443
     
  11. cremos

    cremos Member

    Hello !
    When I want to access the site: http://sandras.anizy-le-grand.clg.ac-amiens.fr/ HTTPS is not activated. I get as a response from the server:
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
    Crémos
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It tells you what to do, go to that site with https. Though port 80 should be enabled for it aswell, not sure what you've done here.
     
  13. cremos

    cremos Member

    This shows me the certificate of another web domain.
    lifted to: dev.dsden60.ac-amiens.fr issued by: let's encrypt
    Additional information Issue of the apache2ctrl -S command :
    *:443 is a NameVirtualHost
    default server dev.dsden60.ac-amiens.fr (/etc/apache2/sites-enabled/100-dev.dsden60.ac-amiens.fr.vhost:110)
    and that for all new web domains

    100-sandras.anizy-le-grand.clg.ac-amiens.fr.vhost
    PHP:
    <VirtualHost *:80>
                    
    DocumentRoot /var/www/clients/client9/web83/web
                    ServerName sandras
    .anizy-le-grand.clg.ac-amiens.fr
                    ServerAlias sandras
    .anizy-le-grand.clg.ac-amiens.fr
                    ServerAdmin webmaster
    @sandras.anizy-le-grand.clg.ac-amiens.fr
                    ErrorLog 
    /var/log/ispconfig/httpd/sandras.anizy-le-grand.clg.ac-amiens.fr/error.log
                    
    <IfModule mod_ssl.c>
                   </
    IfModule>
     
    Last edited: Dec 14, 2020
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It looks like the paste of your .vhost file lost a lot of content.
     
  15. cremos

    cremos Member

    Here's the full file:
    PHP:
    <Directory /var/www/sandras.anizy-le-grand.clg.ac-amiens.fr>
                    
    AllowOverride None
                    
    Require all denied
                    
    </Directory>

    <
    VirtualHost *:80>

                    
    DocumentRoot /var/www/clients/client9/web83/web
                    ServerName sandras
    .anizy-le-grand.clg.ac-amiens.fr
                    ServerAlias sandras
    .anizy-le-grand.clg.ac-amiens.fr
                    ServerAdmin webmaster
    @sandras.anizy-le-grand.clg.ac-amiens.fr

                    ErrorLog 
    /var/log/ispconfig/httpd/sandras.anizy-le-grand.clg.ac-amiens.fr/error.log

                    
    <IfModule mod_ssl.c>
                    </
    IfModule>
                    <
    Directory /var/www/sandras.anizy-le-grand.clg.ac-amiens.fr/web>
                                    
    # Clear PHP settings of this website
                                    
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                     
    SetHandler None
                                    
    </FilesMatch>
                                    
    Options +SymlinksIfOwnerMatch
                                    AllowOverride All
                                    
    Require all granted
                     
    </Directory>
                    <
    Directory /var/www/clients/client9/web83/web>
                                    
    # Clear PHP settings of this website
                                    
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                     
    SetHandler None
                                    
    </FilesMatch>
                                    
    Options +SymlinksIfOwnerMatch
                                    AllowOverride All
                                    
    Require all granted
                        
    </Directory>

     
    # suexec enabled
                    
    <IfModule mod_suexec.c>
                            
    SuexecUserGroup web83 client9
                    
    </IfModule>
                    <
    IfModule mod_fastcgi.c>
                                    <
    Directory /var/www/clients/client9/web83/cgi-bin>
                                            Require 
    all granted
                                   
    </Directory>
                                    <
    Directory /var/www/sandras.anizy-le-grand.clg.ac-amiens.fr/web>
                                            <
    FilesMatch "\.php[345]?$">
                                                    
    SetHandler php-fcgi
                                            
    </FilesMatch>
                                    </
    Directory>
                                    <
    Directory /var/www/clients/client9/web83/web>
                                            <
    FilesMatch "\.php[345]?$">
                                                    
    SetHandler php-fcgi
                                            
    </FilesMatch>
                                    </
    Directory>
                    
    Action php-fcgi /php-fcgi virtual
                                    Alias 
    /php-fcgi /var/www/clients/client9/web83/cgi-bin/php-fcgi-*-80-sandras.anizy-le-grand.clg.ac-amiens.fr
                    FastCgiExternalServer 
    /var/www/clients/client9/web83/cgi-bin/php-fcgi-*-80-sandras.anizy-le-grand.clg.ac-amiens.fr -idle-timeout 300 -socket /var/lib/php7.4-fpm/web83.sock -pass-header Authorization  -pass-header Content-Type
                    
    </IfModule>
                    <
    IfModule mod_proxy_fcgi.c>
    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.4-fpm/web83.sock|fcgi://localhost//var/www/clients/client9/web83/web/$1
                            
    <Directory /var/www/clients/client9/web83/web>
                                    <
    FilesMatch "\.php[345]?$">
                                                    
    SetHandler "proxy:unix:/var/lib/php7.4-fpm/web83.sock|fcgi://localhost"
                                    
    </FilesMatch>
                            </
    Directory>
                            </
    IfModule>

    # add support for apache mpm_itk
                    
    <IfModule mpm_itk_module>
                            
    AssignUserId web83 client9
                    
    </IfModule>

                    <
    IfModule mod_dav_fs.c>
             
     
    # Do not execute PHP files in webdav directory
                            
    <Directory /var/www/clients/client9/web83/webdav>
                                    <
    ifModule mod_security2.c>
                                            
    SecRuleRemoveById 960015
                                            SecRuleRemoveById 960032
                                    
    </ifModule>
                                    <
    FilesMatch "\.ph(p3?|tml)$">
                                            
    SetHandler None
                                    
    </FilesMatch>
                            </
    Directory>
                            
    DavLockDB /var/www/clients/client9/web83/tmp/DavLock
                            
    # DO NOT REMOVE THE COMMENTS!
                            # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                            # WEBDAV END
                    
    </IfModule>



    </
    VirtualHost>

     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The default server is simply the first one encountered for the port as apache parses the configuration/vhost files. You could create a site named something like 'aaa-default.com' if you want to manage the default website in ispconfig, or you can manually edit a .vhost file for that purpose just like you do for port 80 (filename '000-default.conf').

    Your vhost file shows port 443 is not setup, likely due to the letsencrypt certificate not issuing (a guess, but likely). You can try the letsencrypt faq for how to debug the certificate requests, but it sounds like you have some very non-standard pieces in play (running requests through haproxy) that you'll have to figure out.
     
  17. cremos

    cremos Member

    I wanted not to voluntarily activate HTTPS for the site http://sandras.anizy-le-grand.clg.ac-amiens.fr
    The problem is that Apache2 is not serving the correct DocumentRoot, but that of another web domain dev.dsden60.ac-amiens.fr. Whatever new web domain I am creating.
    Thank you
     
  18. cremos

    cremos Member

    When I generate the Let's Encryp certificate with Ispconfig I get the error:
    15.12.2020-08:41 - WARNING - Let's Encrypt SSL Cert for: sandras.anizy-le-grand.clg.ac-amiens.fr could not be issued.
    Let's Encrypt fails to test URL of web domain, I still have a Bad Request on URL http://sandras.anizy-le-grand.clg.ac-amiens.fr/
    Code:
    Domain: sandras.anizy-le-grand.clg.ac-amiens.fr
    Type:   unauthorized
    Detail: Invalid response from http://sandras.anizy-le-grand.clg.ac-amiens.fr/.well-known/acme-challenge/KUSYCSgby2q1jho5zVQAhPlTeVOJDPF0ikMQOorXSsQ [194.254.103.168]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1"
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
    
    With certbot :
    Code:
    certbot-auto --no-redirect --webroot-path /var/www/clients/client9/web83/web  --domain sandras.anizy-le-grand.clg.ac-amiens.fr --email [email protected]
    
    Code:
    Waiting for verification...
    Challenge failed for domain sandras.anizy-le-grand.clg.ac-amiens.fr
    http-01 challenge for sandras.anizy-le-grand.clg.ac-amiens.fr
    Cleaning up challenges
    Some challenges have failed.
    
    IMPORTANT NOTES:
     - The following errors were reported by the server:
    
       Domain: sandras.anizy-le-grand.clg.ac-amiens.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://sandras.anizy-le-grand.clg.ac-amiens.fr/.well-known/acme-challenge/C7WQBEjU5-uVZSKl23pO_u-0rDk76KZAXRtoaCKrC1s
       [194.254.103.168]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
       2.0//EN\">\n<html><head>\n<title>400 Bad
       Request</title>\n</head><body>\n<h1>Bad Request</h1"
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
    
     
    Last edited: Dec 15, 2020
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Double-check that the domain sandras.anizy-le-grand.clg.ac-amiens.fr points to the right server IP address and if that's ok, check the global apache error .og and the error.log of that website why there is a 400 error.
     
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If I undertand correctly, that's a normal behaviour of a web server and that is why we don't mix http and https in it. I believe redirecting its url from http to https may show the correct site, provided it has valid ssl certs.
     

Share This Page