Posted to users@httpd.apache.org by Gianluca Gargiulo <gi...@ediconsul.it> on 2020/04/02 10:19:10 UTC
[users@httpd] http and https overlap in virtual host
Hi,
nice to participate in this list
I have a question:
I have many virtual hosts on Apache for http and https pointing to the same web application folder
/var/www/website1 --> /var/www/clients/client2/web1107/web
following this schema https://pastebin.com/raw/s6WacZzd
The web application has a list of many domains in the DB and impersonates those domains.
1) for http://website1.example.com and http://www.httpwebsite[1-1000].com there is this configuration
<Directory /var/www/website1>
AllowOverride None
Require all denied
</Directory>
<VirtualHost *:80>
DocumentRoot /var/www/clients/client2/web1107/web
ServerName website1.example.com
ServerAlias www.httpwebsite1.com
ServerAlias www.httpwebsite2.com
ServerAlias www.httpwebsite3.com
ServerAlias www.httpwebsite4.com
ServerAlias www.httpwebsite5.com
ServerAdmin webmaster@website1.example.com
ErrorLog /var/log/ispconfig/httpd/website1/error.log
<IfModule mod_ssl.c>
</IfModule>
<Directory /var/www/website1/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/clients/client2/web1107/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# suexec enabled
<IfModule mod_suexec.c>
SuexecUserGroup web1107 client2
</IfModule>
<IfModule mod_fastcgi.c>
<Directory /var/www/clients/client2/web1107/cgi-bin>
Require all granted
</Directory>
<Directory /var/www/website1/web>
<FilesMatch "\.php[345]?$">
SetHandler php-fcgi
</FilesMatch>
</Directory>
<Directory /var/www/clients/client2/web1107/web>
<FilesMatch "\.php[345]?$">
SetHandler php-fcgi
</FilesMatch>
</Directory>
Action php-fcgi /php-fcgi virtual
Alias /php-fcgi /var/www/clients/client2/web1107/cgi-bin/php-fcgi-*-80-website1
FastCgiExternalServer /var/www/clients/client2/web1107/cgi-bin/php-fcgi-*-80-website1 -idle-timeout 300 -socket /var/lib/php7.0-fpm/web1107.sock -pass-header Authorization -pass-header Content-Type
</IfModule>
<IfModule mod_proxy_fcgi.c>
#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web1107.sock|fcgi://localhost//var/www/clients/client2/web1107/web/$1
<Directory /var/www/clients/client2/web1107/web>
<FilesMatch "\.php[345]?$">
SetHandler "proxy:unix:/var/lib/php7.0-fpm/web1107.sock|fcgi://localhost"
</FilesMatch>
</Directory>
</IfModule>
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web1107 client2
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client2/web1107/webdav>
<ifModule mod_security2.c>
SecRuleRemoveById 960015
SecRuleRemoveById 960032
</ifModule>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
DavLockDB /var/www/clients/client2/web1107/tmp/DavLock
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
</VirtualHost>
2) for https://website1.example.com I have another virtual host config file
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/clients/client2/web1107/web
ServerName website1.example.com
ServerAdmin webmaster@website1.example.com
ErrorLog /var/log/ispconfig/httpd/website1/error.log
<IfModule mod_ssl.c>
</IfModule>
<Directory /var/www/website1/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/clients/client2/web1107/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# suexec enabled
<IfModule mod_suexec.c>
SuexecUserGroup web1107 client2
</IfModule>
<IfModule mod_fastcgi.c>
<Directory /var/www/clients/client2/web1107/cgi-bin>
Require all granted
</Directory>
<Directory /var/www/website1/web>
<FilesMatch "\.php[345]?$">
SetHandler php-fcgi
</FilesMatch>
</Directory>
<Directory /var/www/clients/client2/web1107/web>
<FilesMatch "\.php[345]?$">
SetHandler php-fcgi
</FilesMatch>
</Directory>
Action php-fcgi /php-fcgi virtual
Alias /php-fcgi /var/www/clients/client2/web1107/cgi-bin/php-fcgi-*-80-website1
FastCgiExternalServer /var/www/clients/client2/web1107/cgi-bin/php-fcgi-*-80-website1 -idle-timeout 300 -socket /var/lib/php7.0-fpm/web1107.sock -pass-header Authorization -pass-header Content-Type
</IfModule>
<IfModule mod_proxy_fcgi.c>
#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web1107.sock|fcgi://localhost//var/www/clients/client2/web1107/web/$1
<Directory /var/www/clients/client2/web1107/web>
<FilesMatch "\.php[345]?$">
SetHandler "proxy:unix:/var/lib/php7.0-fpm/web1107.sock|fcgi://localhost"
</FilesMatch>
</Directory>
</IfModule>
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web1107 client2
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client2/web1107/webdav>
<ifModule mod_security2.c>
SecRuleRemoveById 960015
SecRuleRemoveById 960032
</ifModule>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
DavLockDB /var/www/clients/client2/web1107/tmp/DavLock
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
SSLCertificateFile /etc/letsencrypt/live/website1.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/website1.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
3) for https://www.httpwebsite1.com I have another virtual host config file
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/clients/client2/web1107/web
ServerName www.httpwebsite1.com
ServerAdmin webmaster@httpwebsite1.com
ErrorLog /var/log/ispconfig/httpd/website1/error.log
<IfModule mod_ssl.c>
</IfModule>
<Directory /var/www/website1/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/clients/client2/web1107/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# suexec enabled
<IfModule mod_suexec.c>
SuexecUserGroup web1107 client2
</IfModule>
<IfModule mod_fastcgi.c>
<Directory /var/www/clients/client2/web1107/cgi-bin>
Require all granted
</Directory>
<Directory /var/www/website1/web>
<FilesMatch "\.php[345]?$">
SetHandler php-fcgi
</FilesMatch>
</Directory>
<Directory /var/www/clients/client2/web1107/web>
<FilesMatch "\.php[345]?$">
SetHandler php-fcgi
</FilesMatch>
</Directory>
Action php-fcgi /php-fcgi virtual
Alias /php-fcgi /var/www/clients/client2/web1107/cgi-bin/php-fcgi-*-80-website1
FastCgiExternalServer /var/www/clients/client2/web1107/cgi-bin/php-fcgi-*-80-website1 -idle-timeout 300 -socket /var/lib/php7.0-fpm/web1107.sock -pass-header Authorization -pass-header Content-Type
</IfModule>
<IfModule mod_proxy_fcgi.c>
#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web1107.sock|fcgi://localhost//var/www/clients/client2/web1107/web/$1
<Directory /var/www/clients/client2/web1107/web>
<FilesMatch "\.php[345]?$">
SetHandler "proxy:unix:/var/lib/php7.0-fpm/web1107.sock|fcgi://localhost"
</FilesMatch>
</Directory>
</IfModule>
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web1107 client2
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client2/web1107/webdav>
<ifModule mod_security2.c>
SecRuleRemoveById 960015
SecRuleRemoveById 960032
</ifModule>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
DavLockDB /var/www/clients/client2/web1107/tmp/DavLock
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
SSLCertificateFile /etc/letsencrypt/live/www.httpwebsite1.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.httpwebsite1.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
If a user calls http://website1.example.com, Apache serves the web application on VirtualHost1 and the web application redirects to https://website1.example.com, which is then served by VirtualHost2.
It's the same with http://www.httpwebsite1.com served by VirtualHost1: the web application redirects to https://www.httpwebsite1.com, which is then served by VirtualHost3.
If I call http://www.httpwebsite2[2-1000], served by VirtualHost1, it's OK, but if I call https://www.httpwebsite[2-1000].com there is the issue: Apache serves the user's call with VirtualHost3, giving the VirtualHost3 SSL certificate.
Is it possible to stop this Apache behavior?
Thanks
Gianluca Gargiulo
Re: [users@httpd] http and https overlap in virtual host
Posted by Stefan Eissing <st...@greenbytes.de>.
As far as I understand, you have
vhost1 *:443 siteA.com
vhost2 *:443 Zsize.com
If the definitions are included in this order, vhost1 is the default selection initially. Then the client host name is inspected (sent via TLS as SNI). If it *matches* any other vhost, that vhost is then taken. Otherwise it stays on vhost1.
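The selection rule described in the reply (first vhost on the port is the default, an SNI match against another vhost overrides it), modelled as an added example that is not code from the thread or from httpd. It lists the HTTP names that have no *:443 vhost of their own and therefore receive the default vhost's certificate; the sample config is constructed from the names in the thread, the order of its two *:443 vhosts is an assumption chosen to reproduce the reported behaviour, and matching is simplified to ServerName/ServerAlias with shell-style wildcards.

```python
import fnmatch
import re

# Constructed sample built from the thread's names; the *:443 order is an assumption.
SAMPLE_CONF = """
<VirtualHost *:80>
ServerName website1.example.com
ServerAlias www.httpwebsite1.com www.httpwebsite2.com www.httpwebsite3.com
</VirtualHost>
<VirtualHost *:443>
ServerName www.httpwebsite1.com
SSLCertificateFile /etc/letsencrypt/live/www.httpwebsite1.com/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
ServerName website1.example.com
SSLCertificateFile /etc/letsencrypt/live/website1.example.com/fullchain.pem
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return vhosts in definition order with port, names and certificate."""
    vhosts, cur = [], None
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+\S*:(\d+)\s*>", raw.strip(), re.I)
        if m:
            cur = {"port": int(m.group(1)), "names": [], "cert": None}
        elif cur is None:
            continue  # directive outside any <VirtualHost> block
        elif parts[0].lower() == "</virtualhost>":
            vhosts.append(cur)
            cur = None
        elif parts[0].lower() in ("servername", "serveralias"):
            cur["names"] += [p.lower() for p in parts[1:]]
        elif parts[0].lower() == "sslcertificatefile" and len(parts) > 1:
            cur["cert"] = parts[1]
    return vhosts

def select_vhost(vhosts, port, sni):
    """First vhost on the port is the default; an SNI name match overrides it."""
    candidates = [v for v in vhosts if v["port"] == port]
    for v in candidates:
        if any(fnmatch.fnmatchcase(sni.lower(), n) for n in v["names"]):
            return v, True
    return (candidates[0] if candidates else None), False

def fallthrough_names(vhosts, http_port=80, tls_port=443):
    """HTTP names with no TLS vhost of their own: (name, default vhost, cert)."""
    findings = []
    names = [n for v in vhosts if v["port"] == http_port for n in v["names"]]
    for name in names:
        chosen, matched = select_vhost(vhosts, tls_port, name)
        if chosen is not None and not matched:
            served_by = (chosen["names"] or ["<unnamed>"])[0]
            findings.append((name, served_by, chosen["cert"]))
    return findings

if __name__ == "__main__":
    print(fallthrough_names(parse_vhosts(SAMPLE_CONF)))
```

Feed it the vhost files concatenated in the order httpd includes them, since that order decides which *:443 vhost is the default.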