http and https pointing to 2 different sites

Discussion in 'Installation/Configuration' started by LotNoMore, Apr 17, 2017.

  1. LotNoMore

    LotNoMore Member

    This is a bit strange for my single server ISPconfig setup (Ubuntu 16.10 and apache)...
    Everything working OK until I created a client for a friend (he was the first client I created as admin). I gave the server IP and he did something on his side with his domain registrar worldnic.com
    Then this morning I started to see strange behaviors with my sites such as angelright.com and angelrights.com - if I access them from HTTPS then I have no problem seeing what should be seen. However, if I access them from HTTP then both redirect to my friend's website fishcafe.org
    I did create my own private DNS ns1.angelright.com and ns2.angelright.com (pointing to the same server IP) and I could let him use these and hopefully that could solve the problem.
    But this still leaves a hole for others to hijack all my sites as one can easily find the site IP. I tried turning on Rewrite HTTP to HTTPS for domain redirect, but this does not help.
    So why this? How could I solve this problem?
     
  2. LotNoMore

    LotNoMore Member

    OK, I can replicate this with other sites. Basically, all domains with A records pointing to the server IP end up going to my friend's site!
    Haaaaa, very strange.
    I am testing site angelrite.com using my private DNS ns1.angelright.com and ns2.angelright.com - waiting for the new setting to be resolved. See what will happen.
    But right now the loophole has to be fixed :-(
    My friend's site document root is /var/www/clients/client1/web4
     
  3. LotNoMore

    LotNoMore Member

    I wonder if it has something to do with DNS Zone settings.
    Initially, I did not set any DNS Zone and just created the first client, who was my friend. And then I created a bunch of my sites on the server.
    After some glitches here and there, I started to realize that I needed to set a DNS Zone and private DNS. So, setting DNS Zones after creating websites is the root of this problem?
    Do I have to set a DNS Zone for each website? I read and re-read the PDF manual many times, nowhere does it say anything about the sequence of operations concerning website creation.
     
  4. LotNoMore

    LotNoMore Member

    I read some posts saying that one must create a domain zone before creating the first website. But what about the second and more websites? Creating a DNS Zone for each additional website before adding that website to server? Confused.
     
  6. LotNoMore

    LotNoMore Member

    Anyone who can help?
    Strange that I could not find any material to straighten this thing up.
     
    Last edited: Apr 18, 2017
  8. ahrasis

    ahrasis Active Member

    I think you don't need any dummy vhost if all your sites within the same ip are secured with https / ssl. I am not sure about Apache vhost settings, but in Nginx, to ensure all secured sites are going exactly to their address (domain) in the browsers, I enabled HSTS in their respective vhost via custom nginx vhost. This way, you won't be proposed or be able to continue to other site, rather than the address (domain) that you typed in your browsers.
     
  9. LotNoMore

    LotNoMore Member

    Great hint. Then how to do it with Apache?
    I wonder if it is a DNS Zone setting problem. As right now all sites being accessed via HTTP go to the dummy site.
    Well, I have now removed all DNS Zones. Would that help?
    This drives me crazy!
     
    Last edited: Apr 18, 2017
  10. ahrasis

    ahrasis Active Member

    Check on how to do it in this discussion but don't forget to enable apache headers module (a2enmod headers) and redirect http to https (via control panel).

    The best way to automatically add HSTS line is via copying original vhost from conf folder to conf-custom folder and modify it by inserting that line inside the first <tmpl_if name='ssl_enabled'>. Rewrite to https also can be done in the same, if you know what you are doing.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see, https for this site is just not working, so you must see a different site then. This is not a problem with http to https redirect then, nor DNS related. Check the vhost file of the website to ensure that you really have a https section in it and check that there is no copy of the vhost file with .err ending which indicates that the config could not be written.
     
  12. ahrasis

    ahrasis Active Member

    Strange. At least two of the sites mentioned in the previous posts which I tried to access do work fine, i.e. https://angelrights.com and https://fishcafe.org. But I am not sure about the other two sites, of which one does not work (angelright.com) and the other is showing another site (worldnic.com).
     
  13. LotNoMore

    LotNoMore Member

    It turns out to be partly the DNS Zone problem - basically I have to use the DNS-Wizard to add a DNS Zone for each website I add in ISPconfig. Once I add a DNS Zone, then the website will show in HTTP access. Then I can create SSL and LE SSL for the site so that it can be accessed via HTTPS.
    But the problem remains... HTTP accesses to all websites display the 000dummy.com index.html page. See...
    https://angelrite.net - this displays the index.html correctly in its own folder
    http://angelrite.net - this displays the 000dummy.com index.html
    Very strange indeed. Why HTTP access is not working for ALL sites?
     
  14. LotNoMore

    LotNoMore Member

    Well, there is one EXCEPTION, the server domain atlmaster.angelright.com works in both HTTP and HTTPS - see...
    http://atlmaster.angelright.com
    https://atlmaster.angelright.com
    By checking the above, I find different browsers give different results. While Google Chrome and most browsers redirect to the HTTPS right away (this is what I want for all sites!), the Midori browser displays both without redirecting to HTTPS.
     
  15. ahrasis

    ahrasis Active Member

    I suppose that is the normal apache webserver behaviour for single ip if you do not redirect from http to https. I already explained in short what to do if you want to enable HSTS and redirect in reply #10. It is up to you then.
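
Added example, not part of any post in this thread: with name-based virtual hosts on one IP, Apache hands a request to the first (default) vhost on that port when no ServerName or ServerAlias matches, which is the behaviour replies #11 and #15 point at. The script below parses `apache2ctl -S` output and lists every name that has a vhost on one port but not the other, together with the default vhost that answers instead; the sample output, host names and file paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `apache2ctl -S`; host names and
# file paths are placeholders, not values from the server in this thread.
SAMPLE = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 000dummy.example (/etc/apache2/sites-enabled/000-dummy.vhost:7)
         port 80 namevhost 000dummy.example (/etc/apache2/sites-enabled/000-dummy.vhost:7)
         port 80 namevhost shop.example (/etc/apache2/sites-enabled/100-shop.example.vhost:7)
                 alias www.shop.example
*:443                  is a NameVirtualHost
         default server shop.example (/etc/apache2/sites-enabled/100-shop.example.vhost:60)
         port 443 namevhost shop.example (/etc/apache2/sites-enabled/100-shop.example.vhost:60)
                 alias www.shop.example
         port 443 namevhost blog.example (/etc/apache2/sites-enabled/100-blog.example.vhost:9)
ServerRoot: "/etc/apache2"
"""

SECTION_RE = re.compile(r"^\S+:(\d+)\s+is a NameVirtualHost")
DEFAULT_RE = re.compile(r"^\s+default server (\S+) ")
VHOST_RE = re.compile(r"^\s+port (\d+) namevhost (\S+) ")
ALIAS_RE = re.compile(r"^\s+alias (\S+)")

def parse_vhosts(text):
    """Return ({port: set of served names}, {port: default vhost name})."""
    names, defaults, port = defaultdict(set), {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            port = int(m.group(1))
        elif (m := DEFAULT_RE.match(line)) and port is not None:
            defaults[port] = m.group(1)
        elif m := VHOST_RE.match(line):
            port = int(m.group(1))
            names[port].add(m.group(2))
        elif (m := ALIAS_RE.match(line)) and port is not None:
            names[port].add(m.group(1))
    return names, defaults

def fallthrough(text, ports=(80, 443)):
    """Map (name, port) -> default vhost that answers because no vhost matches."""
    names, defaults = parse_vhosts(text)
    known = set().union(*names.values())
    return {(host, port): defaults.get(port)
            for host in sorted(known) for port in ports
            if host not in names[port]}

if __name__ == "__main__":
    for (host, port), served_by in fallthrough(SAMPLE).items():
        print(f"{host}:{port} has no vhost; answered by default {served_by}")
```

On a live server, pass the captured output of `apache2ctl -S` to `fallthrough()` in place of `SAMPLE`.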
     
  16. LotNoMore

    LotNoMore Member

    I wanted to do that but do not know how. Bill suggests to do it either by adding something into vhost master or do it individually through Apache Directives for each website.
    My understanding is this file is vhost master: /usr/local/ispconfig/server/conf/vhost.conf.master Correct?
    Then I run these two commands:
    Code:
    a2enmod headers
    service apache2 restart
    But what to add in vhost master? This...
    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    or this...
    Code:
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    
    Some suggest adding this for each website...
    Code:
    <If "%{HTTPS} == 'off'">
    Redirect permanent / https://somedomain.com/
    </If>
    <If "%{HTTPS} == 'on'">
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </If>
    I tried some of the above but CONFUSED!
     
  17. ahrasis

    ahrasis Active Member

    No. You do not modify the original but make a copy of it to custom folder something like this: cp -a /usr/local/ispconfig/server/conf/vhost.conf.master /usr/local/ispconfig/server/conf-custom/vhost.conf.master

    Then you edit the copied file: nano /usr/local/ispconfig/server/conf-custom/vhost.conf.master

    In there under the first <tmpl_if name='ssl_enabled'> there are lines for HSTS already which you can uncomment (remove #) to enable it and modify if you like:
    Code:
            # <IfModule mod_headers.c>
            # Header always add Strict-Transport-Security "max-age=15768000"
            # </IfModule>
    Instead of "max-age=15768000" you can use the suggested "max-age=15768000; includeSubDomains; preload".

    Lastly, you can add this modified code of yours above ServerAdmin [email protected]<tmpl_var name='domain'> to automate redirect to https:
    Code:
    <If "%{HTTPS} == 'off'">
    Redirect permanent / https://<tmpl_var name='domain'>/
    </If>
     
  18. LotNoMore

    LotNoMore Member

    OK, the odd thing is, like Till said, ISPconfig has built these inside. So why not do everything through ISPconfig? I am confused about the two options below. This?
    [​IMG]
    Or this...
    [​IMG]
     
  19. LotNoMore

    LotNoMore Member

    OK, I see this in the copied custom vhost master file...
     
  20. LotNoMore

    LotNoMore Member

    Ahrasis, I tried what you suggested, enabled headers (already enabled) and then restart apache2, did not work. Here is my custom vhost master...
    Code:
    </tmpl_if>
    # https://www.howtoforge.com/community/threads/http-and-https-pointing-to-2-different-sites.76165/#post-359111
    <If "%{HTTPS} == 'off'">
    Redirect permanent / https://<tmpl_var name='domain'>/
    </If>
    # custom addition ends
                    ServerAdmin [email protected]<tmpl_var name='domain'>
    
                    ErrorLog /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log
    
    <tmpl_if name='errordocs'>
                    Alias /error/ "<tmpl_var name='web_document_root_www'>/error/"
                    ErrorDocument 400 /error/400.html
                    ErrorDocument 401 /error/401.html
                    ErrorDocument 403 /error/403.html
                    ErrorDocument 404 /error/404.html
                    ErrorDocument 405 /error/405.html
                    ErrorDocument 500 /error/500.html
                    ErrorDocument 502 /error/502.html
                    ErrorDocument 503 /error/503.html
    </tmpl_if>
    
                    <IfModule mod_ssl.c>
    <tmpl_if name='ssl_enabled'>
                    SSLEngine on
                    SSLProtocol All -SSLv2 -SSLv3
                    # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-E$
                    SSLHonorCipherOrder     on
                    <IfModule mod_headers.c>
    # https://www.howtoforge.com/community/threads/http-and-https-pointing-to-2-different-sites.76165/#post-359111
                    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    # Custom modified ends here
                    </IfModule>
    
     
