ssl configuration

[grabby]

I’m trying to set up a local test environment on XP for a site that was in production on a linux server. It’s an ecommerce site using Drupal and its Secure Pages module, which allowed certain pages to redirect to https versions. I installed the site in www/mysite by creating a virtual host for mysite.com and generated a certificate. The non-secure part of the site works fine, but the secure pages aren’t getting served (404). I modified ssl.conf to point to the www directory since that’s where the site is located, but this didn’t help. I also tried putting the whole site in the ssl directory, but nothing changed – the non-secure part worked and the secure part wasn’t served. When I click “View ssl” it gives me the index page for www, or ssl when I tried it there. I’m stuck and would appreciate any help with this!

[BobS]

First off, what VERSION of The Uniform Server are you using? This makes a BIG difference in what to look for.

 

There are a number of factors here to look at. You "confused" things a bit by setting up both ssl AND vhosts. I've never tried that combo, so bear with me. Note that in reality, ssl is a special case vhost. It still should work.

 

Check the vhosts portion of the httpd.conf file (at the end). This is the most likely area for the problem.

 

Check your HOSTS file. It needs the following entry:

127.0.0.1 mysite.com

Probably this is okay, depending on The Uniform Server version.

 

I suggest that if you want to see the live site and also test with The Uniform Server that you DON'T use the exact same site name. So if your production site is mysite,com, use mysite.org, for example.

 

I'm going to set this up on a VM to see what's needed. I'm going to use 7-Orion to begin.

 

Regards,

BobS

[grabby]

Hi Bob,

 

Thanks for the reply. I’m running Coral 8.0.0. There’s no problem with the hosts file, as it has

 

127.0.0.1 mysite.com

 

listed. If this hadn’t been there I don’t think the non-secure part of the site would have worked. The end of my httpd.conf looks like this

 

##====== VIRTUAL HOST ===========

#To enable uncomment next line

 

Include conf/extra/httpd-vhosts.conf

 

### Section 4: Secure section

 

# Secure (SSL/TLS) connections

# Include conf/ssl.conf

#

# Note: The following must must be present to support

# starting without SSL on platforms with no /dev/random equivalent

# but a statically compiled-in mod_ssl.

#

#<IfModule ssl_module>

# SSLRandomSeed startup builtin

# SSLRandomSeed connect builtin

#</IfModule>

 

# Distributed authoring and versioning (WebDAV)

#Include conf/extra/httpd-dav.conf

 

<IfModule mod_ssl.c>

Include conf/extra/ssl.conf

</IfModule>

 

 

My httpd-vhosts is as follows:

 

<VirtualHost _default_:80>

DocumentRoot D:/UniServer/www

ServerName localhost

ErrorLog "logs/error.log"

CustomLog "logs/access.log" common

</VirtualHost>

 

<VirtualHost *:80>

ServerAdmin webmaster@mysite.com

DocumentRoot D:/UniServer/www/mysite

ServerName mysite.com

ServerAlias www.mysite.com *.mysite.com

ErrorLog logs/mysite.com-error.log

CustomLog logs/mysite.com-access.log common

</VirtualHost>

 

 

Another thing I don’t understand exactly is that when I go to

 

https://mysite.com/

 

I get the UniServer index page in the www directory whereas when I go to

 

http://mysite.com/

 

I get my site’s front page, which isn’t secure. Thanks for helping to investigate this!

[Yoni]

Hi Bob,

 

Thanks for the reply. I’m running Coral 8.0.0.....

 

The first thing you would do is to move your vhosts folder and sites off of the www folder and update your vhosts path.

 

Uniserver/www/

Uniserver/vhost/mysite1

Uniserver/vhost/mysite2

 

Open Uniserver/usr/local/apache2/conf/httpd.conf and towards the end you should have your Virtual Host configuration... make sure it reads as folow:

 

##====== VIRTUAL HOST ===========

Include conf/extra/httpd-vhosts.conf

<IfModule mod_ssl.c>
Include conf/extra/ssl.conf
</IfModule>

 

That's it! There is no need to mess with your httpd.conf anymore. Everything else will be managed from the /extra/vhosts.conf & /extra/ssl.conf (loving its simplicity )

 

Open vhosts.conf and edit as needed...

 

 

 

#BEFORE NAMEVIRTUALHOST
<Directory "C:/UniServer/vhosts">
Order Deny,Allow
Allow from all
</Directory>

#NOW YOUR VIRTUAL HOST DECLARATION
#--US_START--------------Do not remove
NameVirtualHost *:80
#--US_END----------------Do not remove
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
DocumentRoot C:/UniServer/www
ServerName localhost
 ServerAlias localhost
 ErrorLog "logs/error.log"
 CustomLog "logs/access.log" common
</VirtualHost>


<VirtualHost *:80>
 ServerAdmin webmaster@mysite1.com
 DocumentRoot C:/UniServer/vhosts/mysite1
 ServerName mysite1.com
 ServerAlias mysite1.com
 ErrorLog logs/mysite1.com.log
 CustomLog logs/mysite1.com-access.log common
</VirtualHost>

 

Open ssl.conf and edit as needed...

 

########### SSL Virtual Host ############################

NameVirtualHost *:443
<VirtualHost _default_:443>

ServerName localhost
DocumentRoot C:/UniServer/vhosts/mysite1
ServerAdmin webmaster@mysite1.com

ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

#== SSL Engine Switch:
SSLEngine on
SSLOptions +StrictRequire

#== SSL Cipher Suite:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

#== Server Certificate:
SSLCertificateFile C:/UniServer/usr/local/apache2/server_certs/server.crt

#== Server Private Key:
SSLCertificateKeyFile C:/UniServer/usr/local/apache2/server_certs/server.key

#== StartSSL certificate chain for class 1 certificates
# Disable when using a self-signed certificate
# Enable remove # disable add #

#SSLCertificateChainFile C:/UniServer/usr/local/apache2/server_certs/sub.class1.server.ca.pem
#SSLCACertificateFile	C:/UniServer/usr/local/apache2/server_certs/ca.pem

SSLVerifyClient none
SSLProxyEngine off

#== Server Root folder:
<Directory "C:/UniServer/ssl"> 
 AllowOverride All
 Order allow,deny 
 Allow from all
 SSLRequireSSL
</Directory> 


#== Most problems of broken clients are related to the HTTP
# keep-alive facility. Disable keep-alive for those clients.
SetEnvIf User-Agent ".*MSIE.*" \
	 nokeepalive ssl-unclean-shutdown \
	 downgrade-1.0 force-response-1.0
</VirtualHost>								  

########################SUBDOMAIN SAMPLE ############
<VirtualHost *:443>
	ServerAdmin admin@mysite1.com
	ServerName subdomain.mysite1.com 
	ServerAlias *.mysite1.com
	DocumentRoot C:/UniServer/vhosts/mysite1/subdomain
	ErrorLog logs/error_ssl.log
	TransferLog logs/access_ssl.log
	SSLEngine On
	SSLOptions +StrictRequire
	#== SSL Cipher Suite:
	SSLProtocol -all +TLSv1 +SSLv3
	SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
	SSLCertificateFile C:/UniServer/usr/local/apache2/server_certs/server.crt
	SSLCertificateKeyFile C:/UniServer/usr/local/apache2/server_certs/server.key
	SSLVerifyClient none
	SSLProxyEngine off		
</VirtualHost>

 

Hope this help

[BobS]

Wow! Thanks, Yoni!

 

That should help grabby a lot.

 

I'm still going to do this test myself, but I think you've put your finger on his problem.

 

Regards,

BobS

[grabby]

Hi Yoni,

 

Bob’s right, it sure helped a lot, everything’s working perfectly! Now I’m going to get greedy and try to set up another partially secure site in the same installation, but I don’t see why it shouldn’t work, at least in this dev setup I’m working in. Thanks again!

[Yoni]

Hi Yoni,

 

Bob’s right, it sure helped a lot, everything’s working perfectly! Now I’m going to get greedy and try to set up another partially secure site in the same installation, but I don’t see why it shouldn’t work, at least in this dev setup I’m working in. Thanks again!

Awesome! Glad you figured it out.