Apache wrong site shown

Discussion in 'Installation/Configuration' started by cremos, Nov 17, 2020.

  1. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Also for this issue check the ip addresses you set in your sites, and don't mix '*' with specific ips.
     
  2. cremos

    cremos Member

    Hello (slm),
    Sorry for the late response.
    DNS Info:
    Code:
    [email protected]:~# dig  sandras.anizy-le-grand.clg.ac-amiens.fr
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> sandras.anizy-le-grand.clg.ac-amiens.fr
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63916
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sandras.anizy-le-grand.clg.ac-amiens.fr. IN A
    
    ;; ANSWER SECTION:
    sandras.anizy-le-grand.clg.ac-amiens.fr. 86400 IN CNAME panel3.ac-amiens.fr.
    panel3.ac-amiens.fr.    86400   IN      A       194.254.103.168
    
    ;; AUTHORITY SECTION:
    ac-amiens.fr.           86400   IN      NS      mars.ac-creteil.fr.
    ac-amiens.fr.           86400   IN      NS      ns.ac-amiens.fr.
    ac-amiens.fr.           86400   IN      NS      orion.utc.fr.
    
    ;; ADDITIONAL SECTION:
    ns.ac-amiens.fr.        86400   IN      A       194.199.46.3
    mars.ac-creteil.fr.     252     IN      A       195.98.246.50
    orion.utc.fr.           1750    IN      A       195.83.155.16
    
    ;; Query time: 1 msec
    ;; SERVER: 194.199.46.5#53(194.199.46.5)
    ;; WHEN: jeu. déc. 17 11:03:12 CET 2020
    ;; MSG SIZE  rcvd: 224
    
    sandras.anizy-le-grand.clg.ac-amiens.fr. 86400 IN CNAME panel3.ac-amiens.fr (194.254.103.168).
    Code:
    dig -x  194.254.103.168
    ;; ANSWER SECTION:
    168.103.254.194.in-addr.arpa. 86400 IN  PTR     panel3.ac-amiens.fr
    
    Crémos
     
  3. cremos

    cremos Member

    For all web domain Vhost we have:
    <VirtualHost *: 80>
    <VirtualHost *: 443>
    except for the vhost of Ispconfig 000-ispconfig.conf which listens on IP end of file:
    Ispconfig is behind a Haproxy or private IP (192.168.236.50) .
    Code:
    NameVirtualHost *:80
    NameVirtualHost *:443
    NameVirtualHost 192.168.236.50:80
    NameVirtualHost 192.168.236.50:443
    
     
  4. cremos

    cremos Member

    I have no more information in the apache2 logs regarding the "Bad Request" error
    It’s still the same http vhost configuration problem.

    Code:
     I [194.254.103.168]: « <! DOCTYPE HTML PUBLIC \ »-//IETF//DTD HTML 2.0//FR\">\n<html><head>\n<title> ;400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1 »
    certbot.errors.FailedChallenges: Procédure d’autorisation échouée. sandras.anizy-le-grand.clg.ac-amiens.fr (http-01): urne:ietf:params:acme:error:unauthorized :: Le client manque d’autorisation suffisante :: Réponse invalide de http://sandras.anizy-le-grand.clg.ac-amiens.fr/.well-known/acme-challenge/QVvmF91CL1exL4GrIilWmI7yfYQOKeapHUz-2MGb8
    I
    When the URL is displayed : http://sandras.anizy-le-grand.clg.ac-amiens.fr je reçois :
    Code:
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
    Apache/2.4.38 (Debian) Server at dev.dsden60.ac-amiens.fr Port 80
    
    When I go to the site https://sandras.anizy-le-grand.clg.ac-amiens.fr/
    in HTTPS mode knowing that SSL is not activated and the certificate not generated for this site.
    I have a certificate alert. After verification, this corresponds to another vhost (dev.dsden60.ac-amiens.fr)
     
    Last edited: Dec 17, 2020
  5. cremos

    cremos Member

    1 / I deactivated all the Subdomains (Vhost) while keeping the sandras.anizy-le-grand.clg.ac-amiens.fr website.
    2 / I then activated via Ispconfig "SSL & Let's Encrypt" then the redirection "Rewrite HTTP to HTTPS"
    3 / the certificate has been created.
    Code:
    Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/100-sandras.anizy-le-grand.clg.ac-amiens.fr.vhost
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Your existing certificate has been successfully renewed, and the new certificate
    has been installed.
    
    The new certificate covers the following domains:
    https://sandras.anizy-le-grand.clg.ac-amiens.fr
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/sandras.anizy-le-grand.clg.ac-amiens.fr/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/sandras.anizy-le-grand.clg.ac-amiens.fr/privkey.pem
       Your cert will expire on 2021-03-17. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again with the "certonly" option. To non-interactively renew *all*
       of your certificates, run "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    4 / Without the activation of HTTPS the site displays "Not Found
    The requested URL was not found on this server ".
    5 / it seems that we are obliged to systematically activate HTTPS and redirection.
    Weird, you have to deactivate the whole Subdomain (Vhost) to generate a certificate of a website.
    When do you think ?
    Thank you in advance for your answers.
     
  6. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Code:
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
    Apache/2.4.38 (Debian) Server at dev.dsden60.ac-amiens.fr Port 80
    
    perhaps this is due to haproxy, do you have it configured to send everything to port 443 on the backend?
    perhaps a single frontend is listening to both port 80 and 443?
    or two frontends, one port 80, one port 443, both using the same backend configuration?
    you need a frontend listening on port 80, with the backend configured to send to port 80
    and a separate frontend listening on port 443, with another backend configured to send to port 443.
     
    ahrasis and Jesse Norell like this.
  7. cremos

    cremos Member

    Thanks for your precisions.
    I am using the HAProxy with SSL Pass-Through. I did not force the https redirect.
    Only one single frontend listens to both port 80 and 443 with the backend configured to send to port 443
    I think my error is there, I am not returning anything on port 80.

    Haproxy configuration:
    Code:
    ############
     # FRONTEND #
     ############
    
    
     ### HTTPS-ALT ###
    
    frontend panel3-http-alt
    
            mode http
            option forwardfor
            bind 194.254.103.168:8080 no-sslv3 ssl crt /etc/haproxy/ssl/panel3/panel3.ac-amiens.fr.pem
            http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
    
            ###DEFAULT_BACKEND###
            use_backend panel3_http-alt
    
    ### TLS 1.3 HAProxy avec SSL Pass-Through ###
    
    frontend panel3-https-Pass-Through
    
            # on demade à HaProxy de récupérer toutes les requêtes http (80) et https (443)
            bind 194.254.103.168:80
    
            # pour les requêtes https, on fourni le ou les certificats
            bind 194.254.103.168:443
            mode tcp
            option tcplog
    
            # on force ici la redirection http => https
            #redirect scheme https if !{ ssl_fc }
    
             # Compression
             compression algo gzip
    
            # on définit le backend par défaut
            default_backend panel3-in_https-Pass-Through
    
    
     ###########
     # BACKEND #
     ###########
    
    
    backend panel3_http-alt
            mode http
            log global
            option httpchk
            option abortonclose
            option httpclose
            option forceclose
            option forwardfor
            server panel3_http-alt.in 192.168.236.50:8080 check ssl verify none
            http-request set-header X-Forwarded-Port %[dst_port]
            http-request add-header X-Forwarded-Proto https if { ssl_fc }
            option forwardfor except 127.0.0.1/8
    
    backend panel3-in_https-Pass-Through
            mode tcp
            ## vérifie la connexion ainsi que sa capacité à gérer les connexions SSL (SSLv3 en particulier).
            option ssl-hello-chk
            server panel3_https.in 192.168.236.50:443 check-ssl verify none ## send-proxy = option forwardfor
     
    Last edited: Dec 17, 2020
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So exactly what @nhybgtvfr said, you proxy port 80 on the front end to port 443 on the back end, resulting in clients talking http to an https server.
     
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i'm also not convinced you can force http to https redirection there, (although you have that commented out currently)
    for ssl passthrough, it needs to be in tcp mode, so the packets 'pass through' haproxy completely unchanged, which won't be the case if the redirection is on, it's been a long time since i looked at any haproxy stuff, but i suspect that http/https redirection can only be used when the frontend is configured to use http mode, which would rule out using ssl pass-through.
     
    ahrasis likes this.
  10. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    as an afterthought, this could also explain your problems with requesting the letsencrypt certificates, which for obvious reasons needs to be started on port 80.
     
    ahrasis and Th0m like this.
  11. cremos

    cremos Member

    Indeed, the creation of the letsencrypt certificate is done on port 80. I must reconfigure my Haproxy for the TLS passthrough to work correctly.
    I am thinking of separating port 80 and 443 into two distinct sections
    then check and only accept TLS packets passing through port 443.
     
  12. cremos

    cremos Member

    Thank you again for your availability and your clarifications, after having reconfigured the haproxy the generation of certificates with Ispconfig works. Still, I still can't put a website in HTTP only. To be continued
     
    Last edited: Dec 17, 2020
  13. cremos

    cremos Member

    In the apache2 logs:
    Code:
    [Thu Dec 17 21:17:52.208567 2020] [ssl:info] [pid 25160] [client 194.254.103.140:55531] AH01964: Connection to child 23 established (server panel3.ac-amiens.fr:443)
    [Thu Dec 17 21:17:52.209062 2020] [ssl:debug] [pid 25160] ssl_engine_kernel.c(2374): [client 194.254.103.140:55531] AH02645: Server name not provided via TLS extension (using default/first virtual host)
    
     
  14. cremos

    cremos Member

    Hello.
    Can you tell me if this is normal behavior of Ispconfig? If I do not configure a website in HTTS with creation of the certificate plus the redirection from HTTP to HTTPS I get the error:
    Code:
    503 Service Unavailable
    No server is available to handle this request. 
    
    Cannot use a site in HTTP only mode without an HTTP to HTTPS redirect worm.
    Thank you in advance for your answers.
     
  15. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    bypass haproxy, create a new website in ispconfig, don't bother about any certs for it, don't create any http-https redirects.
    use a machine with a gui on the same subnet as the webserver, or vpn into that subnet. then put the domain name with the webservers physical ip into your local hosts file, and then try to browse the site using http.
    see what happens
    that way we'll know if it's a ispconfig problem or an haproxy problem.
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The behavior is similar, if you redirect your site to https but have nothing listening on port 443, though the message is different. More common is there is another site already using port 443, so the wrong site loads. Your actual message comes from your haproxy setup.
     
  17. cremos

    cremos Member

    Hello !

    1/ Site labvirtual.ac-amiens.fr
    configuration in Ispconfig of the web domain:
    no SSL and Let's Encryp.
    no problem displaying the site in HTTP mode

    2/ Site labvirtual.ac-amiens.fr/robots.txt
    configuration in Ispconfig du Weof the web domain:
    with SSL and Let's Encrypt and activation of the Rewrite HTTP to HTTPS redirect.
    No problem displaying in HTTPS mode with the correct site certificate.

    3/ Site labvirtual.ac-amiens.fr/robots.txt
    configuration in Ispconfig of the web domain:
    with SSL and Let's Encrypt and without activation of the Rewrite HTTP to HTTPS redirection.
    No problem of displaying the site in HTTP and HTTPS mode

    I need to check the load times for sites that I find too long.
    1 / empty site default page (index.html): of Ispconfig site : https://gdmaths.dsden60.ac-amiens.fr/, loading time = 0.2 second, ,page size = 8.4 kB and queries = 1
    2 / website under wordpress: https://gdml.dsden60.ac-amiens.fr/ load time = 3.9 seconds, page size = 1353.1 kB and requests = 143

    When do you think ?

    I would like to sincerely thank you for the work you have done. Your help contributed a lot to the resolution of the problem (cause configuration of haproxy.
     

Share This Page