
I'm running Apache 2.4.52 on Ubuntu Server 22.04. I'm trying to run https through port 443, eventually aiming to have a redirect from port 80 to force content on https. However, Apache seems to be using the DocumentRoot from the port 80 config, despite the browser connecting to the https url and being served the right SSL certificate.

For example:

<VirtualHost *:80>

        ServerName [mydomain]
        ServerAlias [www.mydomain]
        DocumentRoot /var/www/testpage1/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        #RewriteEngine On
        #RewriteCond %{HTTPS} off
        #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
        #Redirect permanent / https://[mydomain]

</VirtualHost>

<VirtualHost *:443>

        ServerName [mydomain]
        ServerAlias [www.mydomain]
        DocumentRoot /var/www/testpage2/
        
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/[mydomain]/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/[mydomain]/privkey.pem

</VirtualHost>

results in the index.html from "/var/www/testpage1/" being shown instead of testpage2.


At this point, if I uncomment either

#RewriteEngine On
#RewriteCond %{HTTPS} off
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}

or

#RewriteEngine On
#Redirect permanent / https://[mydomain]

it just hits me with an "ERR_TOO_MANY_REDIRECTS".

If I comment out the DocumentRoot in the port 80 config, both the http and https url take me to the apache default config page.

And if I comment out the ServerName and ServerAlias in either the 80 or 443 config, both still take me to testpage1.


My ports.conf in /etc/apache2/ looks like this:

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

I've checked that the ssl module is turned on.

In the Apache error logs, there is an AH01909 "server certificate does NOT include an ID which matches the server name" warning. Could this be an issue, or is there something else I'm missing?

Thanks for any help.

Sit399
  • make sure you are landing in the virtualhost you are showing, if apache tells you the certificate does not match the servername, check "apachectl -S" output to see which virtualhosts you have defined. – Daniel Ferradal Jan 15 '23 at 10:21
  • @DanielFerradal I've fixed the certificate matching server name issue by moving the certificate to another directory. The virtualhost configuration as per "apachectl -S" seems to be pointing to the correct conf file, but the problem still persists. – Sit399 Jan 18 '23 at 02:17
  • Like I said, check "apachectl -S" output and even set specific log files for each virtualhost to make sure to know where you are landing because either you are requesting the wrong name or some other virtualhost defined "earlier" in your config has a greedy name and catching the request. – Daniel Ferradal Jan 19 '23 at 12:05
  • @DanielFerradal thanks for all your help with diagnosis. It turned out I was just stupid and didn't allow https through my firewall, rather than it being an Apache virtualhost issue - details in answer. – Sit399 Jan 22 '23 at 13:14

1 Answer


As stupid as it seems, and after weeks of headache, it turns out I just didn't allow HTTPS traffic through my firewall.

As I proxied my site through Cloudflare, what I thought was the correct SSL certificate was actually the Cloudflare Edge certificates. As the SSL/TLS encryption mode wasn't on strict, the site requested by Cloudflare from my server was still served through port 80, but the traffic between my browser and Cloudflare was still encrypted so it still displayed as https on my browser.

sudo ufw allow 'Apache Full' and setting the encryption mode to strict ended up fixing all the issues.

Sit399
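The answer's explanation can be checked with a small model of the request path it describes: browser to Cloudflare edge, Cloudflare to the origin, Apache choosing a vhost by the port the connection actually arrived on. This is an added example and not code from the question, the answer or Cloudflare; the two DocumentRoots are taken from the question, while the Cloudflare behaviour it encodes (Flexible mode fetches the origin over plain HTTP on port 80, Full/Strict over HTTPS on port 443, and the visitor's scheme is passed in the X-Forwarded-Proto header) and the ufw profile contents ('Apache' opens 80, 'Apache Full' opens 80 and 443) are facts the page does not spell out, and the "forwarded_proto" rule variant is an assumption added to show a redirect rule that does not loop behind a TLS-terminating proxy.

```python
# Added example, not part of the original question or answer. Models the path
# browser -> Cloudflare edge -> origin Apache to reproduce the symptoms on the
# page (https URL serving testpage1, ERR_TOO_MANY_REDIRECTS) and the fix.
from dataclasses import dataclass
from typing import Optional

# DocumentRoot per listening port, as in the question's two <VirtualHost> blocks.
VHOSTS = {80: "/var/www/testpage1/", 443: "/var/www/testpage2/"}

# Ports opened by the ufw application profiles (constructed from the profile
# definitions: 'Apache' is 80/tcp, 'Apache Full' is 80,443/tcp).
UFW_APACHE = {80}
UFW_APACHE_FULL = {80, 443}


@dataclass
class Origin:
    open_ports: set                    # TCP ports the host firewall lets through
    redirect_rule: Optional[str] = None  # None, "https_var" (RewriteCond %{HTTPS} off)
                                         # or "forwarded_proto" (assumed variant that
                                         # checks X-Forwarded-Proto instead)


def apache_handle(origin: Origin, port: int, headers: dict) -> tuple:
    """Select the vhost by the port the connection arrived on and apply the
    port-80 redirect rule. %{HTTPS} reflects the origin connection only, never
    the visitor's connection to the proxy in front of it."""
    if port not in origin.open_ports:
        # ufw's default policy drops the packet; Cloudflare would report an
        # origin error rather than a page.
        return ("origin_unreachable", None)
    if port == 80 and origin.redirect_rule == "https_var":
        return ("redirect", "https")  # %{HTTPS} is always 'off' on port 80
    if (port == 80 and origin.redirect_rule == "forwarded_proto"
            and headers.get("X-Forwarded-Proto") != "https"):
        return ("redirect", "https")
    return ("ok", VHOSTS[port])


def cloudflare_fetch(origin: Origin, ssl_mode: str, browser_scheme: str,
                     max_hops: int = 5) -> tuple:
    """Cloudflare's origin fetch: 'flexible' connects to the origin on plain
    HTTP port 80 regardless of the visitor's scheme; 'full' and 'strict'
    connect on HTTPS port 443. Returns (status, detail, redirect_hops)."""
    hops = 0
    while hops <= max_hops:
        port = 80 if ssl_mode == "flexible" else 443
        headers = {"X-Forwarded-Proto": browser_scheme}
        status, detail = apache_handle(origin, port, headers)
        if status != "redirect":
            return (status, detail, hops)
        # The browser follows the Location header to https://..., which lands
        # on Cloudflare again; in flexible mode the origin port does not change.
        browser_scheme = detail
        hops += 1
    return ("too_many_redirects", None, hops)


def scenarios() -> dict:
    """The situations described on the page, in order."""
    return {
        # Symptom 1: https URL in the browser, but testpage1 is served.
        "flexible_no_rule": cloudflare_fetch(Origin(UFW_APACHE), "flexible", "https"),
        # Symptom 2: uncommenting the %{HTTPS} redirect loops forever.
        "flexible_https_rule": cloudflare_fetch(Origin(UFW_APACHE, "https_var"), "flexible", "https"),
        # Strict mode alone is not enough while 443 is still closed.
        "strict_443_blocked": cloudflare_fetch(Origin(UFW_APACHE), "strict", "https"),
        # The fix from the answer: 'Apache Full' plus strict mode.
        "strict_443_open": cloudflare_fetch(Origin(UFW_APACHE_FULL), "strict", "https"),
        # Assumed variant: a proxy-aware rule avoids the loop but still serves
        # the port-80 vhost, so the DocumentRoot problem would remain.
        "flexible_forwarded_proto": cloudflare_fetch(Origin(UFW_APACHE, "forwarded_proto"), "flexible", "http"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} -> {result}")
```

The model makes the two symptoms fall out of one cause: with Flexible mode every origin request arrives on port 80, so the port-80 vhost and its DocumentRoot answer the "https" page, and any rule keyed on %{HTTPS} redirects unconditionally. Opening 443 changes nothing until Cloudflare is told to use it, and switching the mode to strict changes nothing while the firewall still drops 443; the answer's fix needs both.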