2

We've updated our Apache deployment configuration to allow for non-www requests to our server (https://example.com). For https connections we needed this because the name didn't match the cert. This was good; recently, though, we noticed our local deployments' secure environments (https://chris.example.com) are also pointing to this new deployment. We commented out the new deployment to confirm this was the change that caused it, and it was. We presumed this was from the ServerName setting we had set. Here are our initial settings:

NameVirtualHost example.com:443
<VirtualHost example.com:443>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html/www.example.com
    ServerName example.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLProtocol all
    SSLCertificateFile /usr/local/ssl/crt/example2017.cert
    SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key
    SSLCACertificateFile /usr/local/ssl/crt/example2017intermediate.pem
    DirectoryIndex index.html
    DirectoryIndex index.php
    LogLevel notice
    ErrorLog /var/log/httpd/www.example.com/error.log
    LogFormat "%{%Y-%m-%d %H:%M:%S}t %a %u %A %p %m %U %q %>s \"%{User-agent}i\"" w3c_extended
    CustomLog /var/log/httpd/www.example.com/access.log w3c_extended
</VirtualHost>

After commenting it out worked, we assumed it was the ServerName being a loose match, and we read the following on the Apache site:

Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload appliance. When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName directive to make sure that the server generates the correct self-referential URLs.

-http://httpd.apache.org/docs/2.2/mod/core.html#servername

So we updated the ServerName entry to:

ServerName https://example.com:443

This allowed the main page (https://example.com) to still load and redirect, but the development environments (https://chris.example.com) were again being loaded from it. I was originally considering trying an explicit starting rule:

ServerName ^example.com

but I can't find anywhere saying that ServerName accepts regex. Is there a way to do this, or am I on the wrong path and the issue is elsewhere?

Here's the httpd -S output:

VirtualHost configuration:
192.168.0.0:443     is a NameVirtualHost
         default server example.com (/etc/httpd/conf/httpd.conf:1065)
         port 443 namevhost example.com (/etc/httpd/conf/httpd.conf:1065)
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server *.example.com (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost *.example.com (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1046)
         port 443 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1096)
         port 443 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1129)
         port 443 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1159)
         port 443 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1189)
         port 443 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1219)
         port 443 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1249)
         port 443 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1300)
         port 443 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1316)
*:80                   is a NameVirtualHost
         default server www.example.com (/etc/httpd/conf/httpd.conf:1034)
         port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1034)
         port 80 namevhost dfw.example.com (/etc/httpd/conf/httpd.conf:1084)
         port 80 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1114)
         port 80 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1147)
         port 80 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1177)
         port 80 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1207)
         port 80 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1237)
         port 80 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1267)
         port 80 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1279)
         port 80 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1290)
Syntax OK

The new deployment started at line 1064 and ended at 1081.

chris85

1 Answer

2

After more thorough investigation in chat it appears that there were two NameBasedVirtualHost statements, one for *:443 and another one for example.com:443 with the former having all subdomains VirtualHost declarations and the latter having only one for example.com itself.

Making it uniform with one NameBasedVirtualHost *:443 declaration and all subdomains and main domain referring to it fixed the problem.

Peter Zhabin
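What the accepted fix looks like in a configuration file, as an added example that is not the poster's configuration or the answerer's: in Apache 2.2 a connection is first matched to the most specific address set (an explicit `IP:443` set beats `*:443`), and only afterwards to a `ServerName` within that set, so the mixed `example.com:443` / `*:443` layout in the question routed every connection to the server's IP into the one-host `example.com` set. The hostnames, paths and the `default.example.com` catch-all are assumptions; the certificate paths are the ones from the question.

```apache
# Added example, not the original poster's httpd.conf.
# One address set for port 443: every TLS vhost below refers to *:443, so
# Apache does name-based matching across all of them instead of picking a
# narrower IP-specific set first.
NameVirtualHost *:443

# The first vhost in a set is the catch-all for unmatched Host headers.
# Give it an explicit ServerName (the wildcard "*.example.com" seen in
# ssl.conf line 74 in the question makes this role hard to reason about).
<VirtualHost *:443>
    ServerName   default.example.com            # assumed name
    DocumentRoot /var/www/html/default          # assumed path
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3               # assumed hardening, not from the page
    SSLCertificateFile    /usr/local/ssl/crt/example2017.cert
    SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key
    SSLCACertificateFile  /usr/local/ssl/crt/example2017intermediate.pem
</VirtualHost>

# Apex and www share one document root, so one vhost with a ServerAlias
# replaces the separate example.com and www.example.com entries.
# ServerName takes a plain hostname (optionally scheme and port), never a
# regex; wildcards such as *.example.com belong in ServerAlias.
<VirtualHost *:443>
    ServerName   example.com
    ServerAlias  www.example.com
    DocumentRoot /var/www/html/www.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /usr/local/ssl/crt/example2017.cert
    SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key
    SSLCACertificateFile  /usr/local/ssl/crt/example2017intermediate.pem
    DirectoryIndex index.html index.php
    ErrorLog  /var/log/httpd/www.example.com/error.log
    CustomLog /var/log/httpd/www.example.com/access.log w3c_extended
</VirtualHost>

# Each development environment is another member of the same *:443 set.
<VirtualHost *:443>
    ServerName   chris.example.com
    DocumentRoot /var/www/html/chris.example.com   # assumed path
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /usr/local/ssl/crt/example2017.cert
    SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key
    SSLCACertificateFile  /usr/local/ssl/crt/example2017intermediate.pem
</VirtualHost>
```

After reloading, `httpd -S` should list a single `*:443 is a NameVirtualHost` block containing every TLS host, with no separate `192.168.0.0:443` set above it; a second set on the same port is the signal that some vhost still names an explicit address.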
  • Our `httpd.conf` has `ServerName *.example.com` only under `Section 2: 'Main' server configuration`. The `/etc/httpd/conf.d/ssl.conf` doesn't have that at line 74. Line 74 is ``, there is no code base set there. I've moved the loose matching configuration in the `httpd.conf` to be the last record but that had the same result. – chris85 Mar 13 '17 at 16:09
  • Could you please post output of `httpd -S` after these changes? – Peter Zhabin Mar 13 '17 at 16:17
  • Your configuration dump still suggests you have a wildcard set as ServerName under your first :443 virtualhost entry in `/etc/httpd/conf.d/ssl.conf` line 74, even if it is not used for any actual site. Please check all of your VirtualHost *:443 entries for wildcard ServerName, it is there a 100%. – Peter Zhabin Mar 13 '17 at 16:57
  • Line 74 is still the same in the ssl.conf. I didn't edit anything in there. I moved the newer looser rule to the end, was that not what I was supposed to be doing? The `ssl.conf` has no code deployments listed in it so I don't see how it could be set to point to the correct/incorrect one. – chris85 Mar 13 '17 at 17:40
  • Could you please post a contents of `` from ssl.conf? – Peter Zhabin Mar 13 '17 at 17:45
  • I've posted 74 and onward, is that enough or do you need all lines? Should I just delete the commented lines to remove clutter? – chris85 Mar 13 '17 at 17:52
  • I think you have to set *some* ServerName there in the `_default_` as I think it is interfering with the rest of your configuration – Peter Zhabin Mar 13 '17 at 18:01
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/55295/discussion-between-chris85-and-peter-zhabin). – chris85 Mar 13 '17 at 18:07