Posted to users@httpd.apache.org by Jorge Medina <jm...@e-dialog.com> on 2009/10/26 19:54:32 UTC

[users@httpd] Enabling HTTP and HTTPs

I am using Apache 2.2 and I am using a test certificate signed by my internal CA. I am not using Virtual Hosts.

Some time ago I went over a whole set of changes on my server configuration to enable HTTPs (SSL).
At that point, I disabled HTTP on the server. Any request on port 80 gets a page indicating that HTTPS is required.

Now I want to also enable HTTP without disabling HTTPs. But I can't figure out how to enable both.

I originally had
    SSLOptions +StrictRequire
I commented that out, but no success.

I also had:

<Directory />
  SSLRequireSSL
</Directory>

I also commented that out, but again, no success. Apache tells me that I require HTTPS.

I also have another <directory> section as shown below.  This segment is before my Include directive to my http-ssl.conf

<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

What else should I look at? I can't find any other relevant sections of the configuration file that may affect the behavior.


-Jorge








RE: [users@httpd] Enabling HTTP and HTTPs

Posted by Jorge Medina <jm...@e-dialog.com>.
Thank you! A colleague just told me the same.
I need VirtualHosts to be able to configure HTTP and HTTPS for the same server.

-Jorge


-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Monday, October 26, 2009 4:01 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Enabling HTTP and HTTPs

Jorge Medina wrote:
> Right. I have two Listen directives
> 
> Listen 80  http
> Listen 443 https
> 
> I would assume that the page I get is generated by the mod_ssl module. It looks something like this:
> 
All right, that clears one mystery, and I learned something (I did not know that mod_ssl was doing that; smart little module).

Now the next mystery to me, is how, without VirtualHosts, you can set up a server to answer different pages under HTTP and HTTPS at the same time.
(That is how you say you had it configured, before you removed HTTP).

Fortunately, there seems to be a HowTo specifically for that.
See http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
(the last one)

The other way I could think of would be to use virtual hosts, like

Listen 80 HTTP
Listen 443 HTTPS

NameVirtualHost *:80
<VirtualHost *:80>
...
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
... (SSL-based config)
</VirtualHost>

(But that is really a hack, and works only with 1 single HTTPS VirtualHost).

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
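
The split the thread converges on, written out as an added Apache 2.2 example (not configuration posted by anyone in the thread). It assumes the port 80 error page comes from `SSLEngine on` sitting in the main server context; the server name, document root and certificate paths are placeholders.

```apache
# Added example for Apache 2.2 + mod_ssl. www.example.com, /var/www/html and
# the certificate paths are placeholders, not values from the thread.

Listen 80
Listen 443

# Problem form (assumed cause of "You're speaking plain HTTP to an
# SSL-enabled server port" on port 80): with no VirtualHost sections,
# SSLEngine in the main server context applies to every listener,
# so port 80 expects an SSL handshake as well.
#
#   SSLEngine on
#   SSLCertificateFile    /path/to/server.crt
#   SSLCertificateKeyFile /path/to/server.key

# Corrected form: the SSL engine is scoped to the port 443 vhost only.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>

# Keep the default-deny root from the original configuration ...
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# ... open the document root on both ports ...
<Directory /var/www/html>
    Order allow,deny
    Allow from all
</Directory>

# ... and keep the HTTPS-only guard on content that must never be
# served in clear text, instead of applying it to <Directory />.
<Directory /var/www/html/private>
    SSLRequireSSL
    SSLOptions +StrictRequire
</Directory>
```

After a restart, `httpd -S` prints the parsed virtual host to port mapping, which confirms that only the `*:443` host carries the SSL configuration.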




Re: [users@httpd] Enabling HTTP and HTTPs

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:
...
and there are also some interesting tidbits here :

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html

See for example :
How can I switch between HTTP and HTTPS in relative hyperlinks?

(I did not know this either; it's good to read the fine documentation 
sometimes).

Anyway, I think with all these bits, it should not be too hard to work 
backwards and find your previous HTTP+HTTPS configuration again (or 
maybe invent a brand-new and even better one).





Re: [users@httpd] Enabling HTTP and HTTPs

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Oct 27, 2009 at 11:15 AM, André Warnier <aw...@ice-sa.com> wrote:


> Well, kind of, but one could argue about this. ;-)
> It seems to me that we are just at the grey line in-between here.
> Maybe I should have added one more HTTP VirtualHost in my example, just to
> settle it.

It doesn't harm to have this NameVirtualHost directive. But it isn't
needed either. Hence my remark.

All NameVirtualHost does is tell the server to look at the Server
header when receiving requests on the IP/Port combination mentioned,
in order to distinguish between different virtualhosts on the same
IP/Port.
 When you only have one virtualhost on the IP/Port combination you
thus don't need this directive.
Since you will normally only have one Virtualhost on the IP/Port
combination you use for HTTPS you don't need the NameVirtualHost
statement. Unless you are bleeding edge re SSL...

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] Enabling HTTP and HTTPs

Posted by André Warnier <aw...@ice-sa.com>.
Tom Evans wrote:
> On Tue, 2009-10-27 at 07:28 +0100, André Warnier wrote:
>> Krist van Besien wrote:
>>> On Mon, Oct 26, 2009 at 9:01 PM, André Warnier <aw...@ice-sa.com> wrote:
>>>> The other way I could think of would be to use virtual hosts, like
>>>>
>>>> Listen 80 HTTP
>>>> Listen 443 HTTPS
>>>>
>>>> NameVirtualHost *:80
>>>> <VirtualHost *:80>
>>>> ...
>>>> </VirtualHost>
>>>>
>>>> NameVirtualHost *:443
>>>> <VirtualHost *:443>
>>>> ... (SSL-based config)
>>>> </VirtualHost>
>>> You don't need the NameVirtualHost directives.
>> Uh ?
>> "If name-based vhosts should be used a NameVirtualHost directive /must/ 
>> appear with the IP address set to be used for the name-based vhosts. In 
>> other words, you must specify the IP address that holds the hostname 
>> aliases (CNAMEs) for your name-based vhosts via a NameVirtualHost 
>> directive in your configuration file."
>>
>> http://httpd.apache.org/docs/2.2/vhosts/details.html
>>
>>
> 
> But if you only have two vhosts, and each of them on a different port,
> then you would not need them to be name based vhosts, and that entire
> paragraph is moot :)
> 
> Without the NameVirtualHost directives, it is just a simple IP based
> virtual host.
> 
Well, kind of, but one could argue about this. ;-)
It seems to me that we are just at the grey line in-between here.
Maybe I should have added one more HTTP VirtualHost in my example, just 
to settle it.

It's not really IP-based virtual hosts either, because there is no 
distinction on IP address here.  If there were several IPs to this 
(physical) host, it would treat requests on any of them equally.

I'm not quite sure about this last paragraph.  I think there might be 
problems with certificates linked to different IP addresses.  But since 
I'm no SSL expert either, I'm not even sure if SSL certificates are 
linked to IP addresses, or just to hostnames.

To answer Krist:
I know it does not really "work", that's why I mentioned it as a hack. 
But it will default for HTTPS to the one and only <VirtualHost *:443>, 
so it will kinda appear to work for practical purposes.



Re: [users@httpd] Enabling HTTP and HTTPs

Posted by Tom Evans <te...@googlemail.com>.
On Tue, 2009-10-27 at 07:28 +0100, André Warnier wrote:
> Krist van Besien wrote:
> > On Mon, Oct 26, 2009 at 9:01 PM, André Warnier <aw...@ice-sa.com> wrote:
> >> The other way I could think of would be to use virtual hosts, like
> >>
> >> Listen 80 HTTP
> >> Listen 443 HTTPS
> >>
> >> NameVirtualHost *:80
> >> <VirtualHost *:80>
> >> ...
> >> </VirtualHost>
> >>
> >> NameVirtualHost *:443
> >> <VirtualHost *:443>
> >> ... (SSL-based config)
> >> </VirtualHost>
> > 
> > You don't need the NameVirtualHost directives.
> 
> Uh ?
> "If name-based vhosts should be used a NameVirtualHost directive /must/ 
> appear with the IP address set to be used for the name-based vhosts. In 
> other words, you must specify the IP address that holds the hostname 
> aliases (CNAMEs) for your name-based vhosts via a NameVirtualHost 
> directive in your configuration file."
> 
> http://httpd.apache.org/docs/2.2/vhosts/details.html
> 
> 

But if you only have two vhosts, and each of them on a different port,
then you would not need them to be name based vhosts, and that entire
paragraph is moot :)

Without the NameVirtualHost directives, it is just a simple IP based
virtual host.

Cheers

Tom




Re: [users@httpd] Enabling HTTP and HTTPs

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Oct 27, 2009 at 7:28 AM, André Warnier <aw...@ice-sa.com> wrote:
> Krist van Besien wrote:
>>
>> On Mon, Oct 26, 2009 at 9:01 PM, André Warnier <aw...@ice-sa.com> wrote:
>>>
>>> The other way I could think of would be to use virtual hosts, like
>>>
>>> Listen 80 HTTP
>>> Listen 443 HTTPS
>>>
>>> NameVirtualHost *:80
>>> <VirtualHost *:80>
>>> ...
>>> </VirtualHost>
>>>
>>> NameVirtualHost *:443
>>> <VirtualHost *:443>
>>> ... (SSL-based config)
>>> </VirtualHost>
>>
>> You don't need the NameVirtualHost directives.
>
> Uh ?
> "If name-based vhosts should be used a NameVirtualHost directive /must/
> appear with the IP address set to be used for the name-based vhosts. In
> other words, you must specify the IP address that holds the hostname aliases
> (CNAMEs) for your name-based vhosts via a NameVirtualHost directive in your
> configuration file."

But you are not using name based virtualhosts here. Not if you have
only one virtualhost on port 80, and another one on port 443.
Namevirtualhosts don't work (yet) for https anyway.

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] Enabling HTTP and HTTPs

Posted by André Warnier <aw...@ice-sa.com>.
Krist van Besien wrote:
> On Mon, Oct 26, 2009 at 9:01 PM, André Warnier <aw...@ice-sa.com> wrote:
>> The other way I could think of would be to use virtual hosts, like
>>
>> Listen 80 HTTP
>> Listen 443 HTTPS
>>
>> NameVirtualHost *:80
>> <VirtualHost *:80>
>> ...
>> </VirtualHost>
>>
>> NameVirtualHost *:443
>> <VirtualHost *:443>
>> ... (SSL-based config)
>> </VirtualHost>
> 
> You don't need the NameVirtualHost directives.

Uh ?
"If name-based vhosts should be used a NameVirtualHost directive /must/ 
appear with the IP address set to be used for the name-based vhosts. In 
other words, you must specify the IP address that holds the hostname 
aliases (CNAMEs) for your name-based vhosts via a NameVirtualHost 
directive in your configuration file."

http://httpd.apache.org/docs/2.2/vhosts/details.html







Re: [users@httpd] Enabling HTTP and HTTPs

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Oct 26, 2009 at 9:01 PM, André Warnier <aw...@ice-sa.com> wrote:
>
> The other way I could think of would be to use virtual hosts, like
>
> Listen 80 HTTP
> Listen 443 HTTPS
>
> NameVirtualHost *:80
> <VirtualHost *:80>
> ...
> </VirtualHost>
>
> NameVirtualHost *:443
> <VirtualHost *:443>
> ... (SSL-based config)
> </VirtualHost>

You don't need the NameVirtualHost directives.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] Enabling HTTP and HTTPs

Posted by André Warnier <aw...@ice-sa.com>.
Jorge Medina wrote:
> Right. I have two Listen directives
> 
> Listen 80  http
> Listen 443 https
> 
> I would assume that the page I get is generated by the mod_ssl module. It looks something like this:
> 
All right, that clears one mystery, and I learned something (I did not 
know that mod_ssl was doing that; smart little module).

Now the next mystery to me, is how, without VirtualHosts, you can set up 
a server to answer different pages under HTTP and HTTPS at the same time.
(That is how you say you had it configured, before you removed HTTP).

Fortunately, there seems to be a HowTo specifically for that.
See http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
(the last one)

The other way I could think of would be to use virtual hosts, like

Listen 80 HTTP
Listen 443 HTTPS

NameVirtualHost *:80
<VirtualHost *:80>
...
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
... (SSL-based config)
</VirtualHost>

(But that is really a hack, and works only with 1 single HTTPS VirtualHost).



RE: [users@httpd] Enabling HTTP and HTTPs

Posted by Jorge Medina <jm...@e-dialog.com>.
Right. I have two Listen directives

Listen 80  http
Listen 443 https

I would assume that the page I get is generated by the mod_ssl module. It looks something like this:

--------------------------------------------------------------------
Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

  Hint: https://myserver/
---------------------------------------------------------------------
-Jorge

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Monday, October 26, 2009 3:03 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Enabling HTTP and HTTPs

Hi Jorge.

Something below does not seem to square :

Jorge Medina wrote:
...
> At that point, I disabled HTTP on the server. Any request on port 80 gets a page indicating that HTTPS is required.
> 
How do they actually get this page, if HTTP is disabled ?

Maybe to gain some steps :
- the default port for HTTP is 80
- the default port for HTTPS is 443
So your server config, somewhere, should have
Listen 80
Listen 443

If you do not have a "Listen 80", and someone tries to access your server with a URL like "http://yourserver", they would just get a "connection refused", but not a HTML page telling them that they need HTTPS.





Re: [users@httpd] Enabling HTTP and HTTPs

Posted by André Warnier <aw...@ice-sa.com>.
Hi Jorge.

Something below does not seem to square :

Jorge Medina wrote:
...
> At that point, I disabled HTTP on the server. Any request on port 80 gets a page indicating that HTTPS is required.
> 
How do they actually get this page, if HTTP is disabled ?

Maybe to gain some steps :
- the default port for HTTP is 80
- the default port for HTTPS is 443
So your server config, somewhere, should have
Listen 80
Listen 443

If you do not have a "Listen 80", and someone tries to access your 
server with a URL like "http://yourserver", they would just get a 
"connection refused", but not a HTML page telling them that they need HTTPS.
