The Uniform Server Community
grabby

ssl configuration

I’m trying to set up a local test environment on XP for a site that was in production on a linux server. It’s an ecommerce site using Drupal and its Secure Pages module, which allowed certain pages to redirect to https versions. I installed the site in www/mysite by creating a virtual host for mysite.com and generated a certificate. The non-secure part of the site works fine, but the secure pages aren’t getting served (404). I modified ssl.conf to point to the www directory since that’s where the site is located, but this didn’t help. I also tried putting the whole site in the ssl directory, but nothing changed – the non-secure part worked and the secure part wasn’t served. When I click “View ssl” it gives me the index page for www, or ssl when I tried it there. I’m stuck and would appreciate any help with this!


First off, what VERSION of The Uniform Server are you using? This makes a BIG difference in what to look for.

There are a number of factors here to look at. You "confused" things a bit by setting up both ssl AND vhosts. I've never tried that combo, so bear with me. Note that in reality, ssl is a special case vhost. It still should work.

Check the vhosts portion of the httpd.conf file (at the end). This is the most likely area for the problem.

Check your HOSTS file. It needs the following entry:

127.0.0.1 mysite.com

Probably this is okay, depending on The Uniform Server version.

I suggest that if you want to see the live site and also test with The Uniform Server that you DON'T use the exact same site name. So if your production site is mysite.com, use mysite.org, for example.

I'm going to set this up on a VM to see what's needed. I'm going to use 7-Orion to begin.

Regards,
BobS


Hi Bob,

Thanks for the reply. I’m running Coral 8.0.0. There’s no problem with the hosts file, as it has

127.0.0.1 mysite.com

listed. If this hadn’t been there I don’t think the non-secure part of the site would have worked. The end of my httpd.conf looks like this

##====== VIRTUAL HOST ===========
#To enable uncomment next line

Include conf/extra/httpd-vhosts.conf

### Section 4: Secure section

# Secure (SSL/TLS) connections
# Include conf/ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
#<IfModule ssl_module>
# SSLRandomSeed startup builtin
# SSLRandomSeed connect builtin
#</IfModule>

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf

<IfModule mod_ssl.c>
Include conf/extra/ssl.conf
</IfModule>

My httpd-vhosts is as follows:

<VirtualHost _default_:80>
DocumentRoot D:/UniServer/www
ServerName localhost
ErrorLog "logs/error.log"
CustomLog "logs/access.log" common
</VirtualHost>

<VirtualHost *:80>
ServerAdmin webmaster@mysite.com
DocumentRoot D:/UniServer/www/mysite
ServerName mysite.com
ServerAlias www.mysite.com *.mysite.com
ErrorLog logs/mysite.com-error.log
CustomLog logs/mysite.com-access.log common
</VirtualHost>

Another thing I don’t understand exactly is that when I go to

https://mysite.com/

I get the UniServer index page in the www directory whereas when I go to

http://mysite.com/

I get my site’s front page, which isn’t secure. Thanks for helping to investigate this!


Hi Bob,

Thanks for the reply. I’m running Coral 8.0.0.....

The first thing you would do is to move your vhosts folder and sites off of the www folder and update your vhosts path.

Uniserver/www/
Uniserver/vhost/mysite1
Uniserver/vhost/mysite2

Open Uniserver/usr/local/apache2/conf/httpd.conf and towards the end you should have your Virtual Host configuration... make sure it reads as follows:

##====== VIRTUAL HOST ===========

Include conf/extra/httpd-vhosts.conf

<IfModule mod_ssl.c>
Include conf/extra/ssl.conf
</IfModule>

That's it! There is no need to mess with your httpd.conf anymore. Everything else will be managed from the /extra/vhosts.conf & /extra/ssl.conf (loving its simplicity :) )

Open vhosts.conf and edit as needed...

#BEFORE NAMEVIRTUALHOST
<Directory "C:/UniServer/vhosts">
Order Deny,Allow
Allow from all
</Directory>

#NOW YOUR VIRTUAL HOST DECLARATION
#--US_START--------------Do not remove
NameVirtualHost *:80
#--US_END----------------Do not remove
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
DocumentRoot C:/UniServer/www
ServerName localhost
 ServerAlias localhost
 ErrorLog "logs/error.log"
 CustomLog "logs/access.log" common
</VirtualHost>


<VirtualHost *:80>
 ServerAdmin webmaster@mysite1.com
 DocumentRoot C:/UniServer/vhosts/mysite1
 ServerName mysite1.com
 ServerAlias mysite1.com
 ErrorLog logs/mysite1.com.log
 CustomLog logs/mysite1.com-access.log common
</VirtualHost>

 

Open ssl.conf and edit as needed...

 

########### SSL Virtual Host ############################

NameVirtualHost *:443
<VirtualHost _default_:443>

ServerName localhost
DocumentRoot C:/UniServer/vhosts/mysite1
ServerAdmin webmaster@mysite1.com

ErrorLog logs/error_ssl.log
TransferLog logs/access_ssl.log

#== SSL Engine Switch:
SSLEngine on
SSLOptions +StrictRequire

#== SSL Cipher Suite:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

#== Server Certificate:
SSLCertificateFile C:/UniServer/usr/local/apache2/server_certs/server.crt

#== Server Private Key:
SSLCertificateKeyFile C:/UniServer/usr/local/apache2/server_certs/server.key

#== StartSSL certificate chain for class 1 certificates
# Disable when using a self-signed certificate
# Enable remove # disable add #

#SSLCertificateChainFile C:/UniServer/usr/local/apache2/server_certs/sub.class1.server.ca.pem
#SSLCACertificateFile	C:/UniServer/usr/local/apache2/server_certs/ca.pem

SSLVerifyClient none
SSLProxyEngine off

#== Server Root folder:
<Directory "C:/UniServer/ssl"> 
 AllowOverride All
 Order allow,deny 
 Allow from all
 SSLRequireSSL
</Directory> 


#== Most problems of broken clients are related to the HTTP
# keep-alive facility. Disable keep-alive for those clients.
SetEnvIf User-Agent ".*MSIE.*" \
	 nokeepalive ssl-unclean-shutdown \
	 downgrade-1.0 force-response-1.0
</VirtualHost>								  

########################SUBDOMAIN SAMPLE ############
<VirtualHost *:443>
	ServerAdmin admin@mysite1.com
	ServerName subdomain.mysite1.com 
	ServerAlias *.mysite1.com
	DocumentRoot C:/UniServer/vhosts/mysite1/subdomain
	ErrorLog logs/error_ssl.log
	TransferLog logs/access_ssl.log
	SSLEngine On
	SSLOptions +StrictRequire
	#== SSL Cipher Suite:
	SSLProtocol -all +TLSv1 +SSLv3
	SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
	SSLCertificateFile C:/UniServer/usr/local/apache2/server_certs/server.crt
	SSLCertificateKeyFile C:/UniServer/usr/local/apache2/server_certs/server.key
	SSLVerifyClient none
	SSLProxyEngine off		
</VirtualHost>

 

Hope this helps

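A small checker for the symptom discussed in this thread (https://mysite.com/ showing the www index while http://mysite.com/ shows the site), added here as an example; it is not part of any post and not The Uniform Server's own code. It assumes a simplified model of Apache's name-based matching, and the function names and sample config are constructed for illustration. It also reports a :443 host whose <Directory> blocks do not cover its DocumentRoot and an SSLProtocol line that enables SSLv3, which RFC 7568 deprecates.

```python
import re
from fnmatch import fnmatch

# Constructed sample of the thread's symptom: mysite.com is defined only on port 80.
SAMPLE = """
<VirtualHost *:80>
  ServerName mysite.com
  ServerAlias www.mysite.com *.mysite.com
  DocumentRoot D:/UniServer/www/mysite
</VirtualHost>
<VirtualHost _default_:443>
  ServerName localhost
  DocumentRoot D:/UniServer/www
  SSLProtocol -all +TLSv1 +SSLv3
  <Directory "D:/UniServer/ssl">
    SSLRequireSSL
  </Directory>
</VirtualHost>
"""

def parse_vhosts(text):  # yields one dict per <VirtualHost> block, in file order
    for port, body in re.findall(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", text, re.S | re.I):
        def values(name):  # whitespace-separated arguments of every `name` directive
            return [w.strip('"') for l in re.findall(rf"^\s*{name}\s+(.+)$", body, re.M | re.I) for w in l.split()]
        yield {"port": int(port), "names": values("ServerName") + values("ServerAlias"),
               "root": (values("DocumentRoot") or [""])[0].rstrip("/").lower(),
               "dirs": [d.rstrip("/").lower() for d in re.findall(r'<Directory\s+"?([^">]+)"?\s*>', body, re.I)],
               "protocols": [p.lower() for p in values("SSLProtocol")]}

def serving_host(hosts, name, port):  # simplified: first name match, else first host on the port
    on_port = [h for h in hosts if h["port"] == port]
    hit = [h for h in on_port if any(fnmatch(name.lower(), n.lower()) for n in h["names"])]
    return (hit or on_port or [None])[0]

def audit(text):
    hosts, findings = list(parse_vhosts(text)), []
    for h in hosts:
        if h["port"] == 443:
            if h["dirs"] and not any((h["root"] + "/").startswith(d + "/") for d in h["dirs"]):
                findings.append(f"443 host {h['names'][:1]}: <Directory> blocks do not cover {h['root']}")
            if "+sslv3" in h["protocols"]:
                findings.append(f"443 host {h['names'][:1]}: SSLProtocol enables SSLv3")
            continue
        for name in (n for n in h["names"] if "*" not in n):
            tls = serving_host(hosts, name, 443)
            if tls and tls["root"] != h["root"]:
                findings.append(f"https://{name} is served from {tls['root']}, http from {h['root']}")
    return findings

print("\n".join(audit(SAMPLE)))
```

Paths are compared lower-cased because the thread's setup is on Windows; wildcard aliases are skipped when choosing names to test.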

Wow! Thanks, Yoni!

That should help grabby a lot.

I'm still going to do this test myself, but I think you've put your finger on his problem.

Regards,
BobS


Hi Yoni,

Bob’s right, it sure helped a lot, everything’s working perfectly! Now I’m going to get greedy and try to set up another partially secure site in the same installation, but I don’t see why it shouldn’t work, at least in this dev setup I’m working in. Thanks again!


Hi Yoni,

 

Bob’s right, it sure helped a lot, everything’s working perfectly! Now I’m going to get greedy and try to set up another partially secure site in the same installation, but I don’t see why it shouldn’t work, at least in this dev setup I’m working in. Thanks again!

Awesome! Glad you figured it out.
