Error 400 on non-ssl (port 80) traffic.

Discussion in 'Installation/Configuration' started by xenlab, Aug 23, 2006.

  1. xenlab

    xenlab New Member HowtoForge Supporter

    I'm stumped, and my google and forum searching have not yeilded any results.

    I'm using ubutntu 6.0.6, apache2, php5, mod_ssl, etc... the whole bit (perfect how-to from this site). I however, did NOT install ISP-Config, nor want to.

    When I visit my site in ssl mode, the page pulls up just fine. When I visit in http/non-ssl mode I get a 400 Error. Even stranger, it's not putting anything in the error / access logs for me to go on. I imagine that the site in question is set for only SSL traffic, and because I'm not sending an SSL-Request along with the rest of the HTTP header, I'm getting this "Bad Request!" Error 400.

    Here's my VirtualHost config:
    Code:
    
    NameVirtualHost *
    <VirtualHost *>
            ServerAdmin [email protected]
    
            DocumentRoot /home/www/example.com/htdocs
    
    <IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/apache2/ssl_access.log \
       "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
    
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>
    
            ErrorLog /var/log/apache2/error.log
    
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel warn
    
            CustomLog /var/log/apache2/access.log combined
            ServerSignature email
    
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    </VirtualHost>
    
    Has anyone seen this problem? What can I do to fix it?

    Thanks in advance!
     
  2. falko

    falko Super Moderator ISPConfig Developer

    What happens when you remove/comment out this stanza:

    Code:
    <IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/apache2/ssl_access.log \
       "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
    and restart Apache?

    There's nothing in /var/log/apache2/error.log?
     
  3. xenlab

    xenlab New Member HowtoForge Supporter

    OK, commenting it out allows port 80 traffic, but then throws this error for https:
    Code:
    Alert
    
    example.com has sent an incorrect or unexpected message. Error Code: -12263
    Subsequent refreshes give me the "Connection Interrupted" message in firefox.

    This is what showed in the error.log (for the above operations, there was still nothing there for the port 80 traffic with that apache block enabled, which is strange to me).

    Code:
    [error] [client xxx.xxx.xxx.xxx] mod_security: Access denied with code 500. Pattern match "^$" at HEADER [uri ""]
    Now, I'm wondering if it's just that the header is malformed because of mod_ssl is not configured correctly (or turned on, as commenting that block out turned it off) and mod_security is just doing it's job -- of if with that block turned off, mod_security is messing things up. I tend to lean towards the former.

    Thanks for your help, falko.
     
  4. falko

    falko Super Moderator ISPConfig Developer

    You should either deactivate mod_security for now or change the mod_security rules until you get your vhost running on port 80.
     
  5. xenlab

    xenlab New Member HowtoForge Supporter

    Thanks for the help falko.

    I ended up having to rebuild the server (installing bastille from apt-get hosed it up).

    after rebuilding it, i tried a different route:
    1. I installed a more conserative rule list for mod_security
    2. i used the apache2-ssl-certificate to generate .pem file instead of manually creating all of the .crt .key, etc. files
    3. I placed the same SSL config in the 000-default file of the Virtual Host directive, and didn't wrap it in <IfModule mod_ssl.c> tags

    restarted apache, and tested both http and https and they both work.

    here's the links that helped me the 2nd time around:
    http://www.debianhelp.co.uk/apacheinstall.htm
    http://forums.debian.net/viewtopic.php?t=3635&sid=....(shortened)
     
  6. xenlab

    xenlab New Member HowtoForge Supporter

    error came back today. the only thing new on the server is ruby and ruby on rails related stuff (to get instiki up and running).

    i can confirm that when i enable or disable the SSLEngine On stuff in the vhosts file, that http traffic resumes just fine.

    i'm going to keep at it, but figured I'd through it back up here. btw, I disabled mod-security all together, and it doesn't seem to be affecting it.
     
  7. xenlab

    xenlab New Member HowtoForge Supporter

    ahha! here's more info. I disabled the ErrorDocument for the 400 error, and it told me this instead of the normal Bad Request error:

    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

    - - - -

    So how can I tell apache to server the same content for http or https, and to turn on ssl when https is present?

    And why did it work before just fine?
     
  8. xenlab

    xenlab New Member HowtoForge Supporter

    Well, here was one way around it....

    I copied my /etc/apache2/sites-enabled/000-default file to /etc/apache2/sites-enabled/000-default.ssl

    changed NameServer * to NameServer *:80 and NameServer *:443
    changed Virtualhost * to Virtualhost *:80 / NameServer *:443 (depending on the file obviously... all the SSL stuff went in to the .ssl file).

    And removed the SSLEngine On block from the 000-default file.

    Now it's serving up both again.
    ---
    Is there a way to do this without duplicating the vhosts directives? It's a little messy having it the way it is.
     
  9. falko

    falko Super Moderator ISPConfig Developer

    You need two vhosts, one for port 80 and one for port 443.
     
  10. samb057

    samb057 New Member

    an idea

    i was having this error 12263 problem too for a while. the problem for me was that i had two vhosts under :443, but only one of them had ssl directives in it. when i put sslengine on, etc. in the other one, it started working.
     

Share This Page