Allow http AND https with SSL on LAMP?

I'm new to the linode and linux/sysadmin in general, but have been reading the posts for the past 3 weeks or so to set up a server running LAMP. Everything is working pretty well, got Drupal 6 up, Exim4 for mail (barely got it working), Ubuntu 8.04, Apache2, webmin…

I just bought a SSL and set it up to the last section of https://help.ubuntu.com/8.04/serverguide/C/httpd.html

but now my site only works using https: and throws a "400 bad request - Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please." if I try to go to the site using http:

this wasn't happening before, and i'm wondering if it has to do with "SSLOptions +StrictRequire" that is in the config file?

is there a remedy so that I can have only certain parts of the site (mainly a store that needs securing) use https (since it's slower supposedly) and the rest use just http?

thanks in advance.

8 Replies

Hi,

I believe that you are currently serving https requests on both ports 80 and 443. You need to create two virtual hosts:

+ One listening on port 80, serving HTTP requests only, NO SSL

+ The other listening on port 443, serving HTTPS, with SSL configured

thanks, and sorry for the slow reply, I've got solid days scheduled for a while and am squeezing time to work on this mostly at odd hours of the night/morning.

i tried messing with adding vhosts and changing ports thru webmin and just made things more confusing without working, so i reverted back to a point at which only the https works again. my current /etc/apache2/sites-available/default looks like this:

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/

# added the 4 lines below to enable SSL according to a guide
        SSLEngine on
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews

# the line below has been changed to All from the default None
                AllowOverride All

# the 2 lines below are the default settings and commented out
#               Order allow,deny
#               allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

do I just copy and paste all the above again into the same file, and comment out the first instances of 4 lines for SSL? I forgot why I had to do the "allow override" change above, possibly for drupal or webmin or another module to work or something. do I need to change the "NameVirtualHost *" or the <VirtualHost *> to the name of the site or something? I'm pretty lost.

Hi,

You only need to copy over some of the directives. I would recommend that you set up your web site as a separate virtual host, rather than the default one (i.e. /var/www).

First of all, create a file named "/etc/apache2/sites-available/domain-name.com". Put this in there, remembering to change paths and domain names as appropriate:

<VirtualHost *:80>
        ServerName   your-domain.com
        ServerAlias www.your-domain.com
        ServerAdmin  email@your-domain.com
        DocumentRoot /path/to/public_html

        <Directory /path/to/public_html>
                Options -Indexes +Includes -ExecCGI -MultiViews +SymLinksIfOwnerMatch
        </Directory>
</VirtualHost>

<VirtualHost *:443>
        ServerName   your-domain.com
        ServerAlias www.your-domain.com
        ServerAdmin  email@your-domain.com
        DocumentRoot /path/to/public_html

        <Directory /path/to/public_html>
                Options -Indexes +Includes -ExecCGI -MultiViews +SymLinksIfOwnerMatch
        </Directory>

        SSLEngine on
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>

Then run:

a2ensite your-domain.com
/etc/init.d/apache2 restart

I added the code into a new mysite.com file next to the default file and the only changes I made were taking out the code enabling SSL from the default file and replacing the names/directories in the mysite.com to fit my setup. (I'm keeping the directories at /var/www/ for now until everything works, then I'll copy them into /var/www/mysite.com/ instead)

<VirtualHost *:80>
        ServerName   mysite.com
        ServerAlias www.mysite.com
        ServerAdmin  webmaster@mysite.com
        DocumentRoot /var/www/

        <Directory /var/www/>
                Options -Indexes +Includes -ExecCGI -MultiViews +SymLinksIfOwnerMatch
        </Directory>
</VirtualHost>

<VirtualHost *:443>
        ServerName  mysite.com
        ServerAlias www.mysite.com
        ServerAdmin  webmaster@mysite.com
        DocumentRoot /var/www/

        <Directory /var/www/>
                Options -Indexes +Includes -ExecCGI -MultiViews +SymLinksIfOwnerMatch
        </Directory>

        SSLEngine on
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/mysite.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>

but after enabling and trying to restart, I get the following errors:

[Fri Mar 27 12:59:43 2009] [error] VirtualHost *:443 – mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

[Fri Mar 27 12:59:43 2009] [error] VirtualHost *:80 – mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

[Fri Mar 27 12:59:53 2009] [error] VirtualHost *:443 – mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

[Fri Mar 27 12:59:53 2009] [error] VirtualHost *:80 – mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

What info do I need to keep under the default file? (I don't really know what exactly the default file is used for when other vhost files are enabled. Is it for localhost? Since its directory is /var/www/, will it include all the /var/www/mysites(*).com/ folders under it? despite other vhost files pointing to those specific directories?) And what about all those override and log error lines? Do I keep them under NameVirtualHost or move them under each of the VirtualHosts in the mysite.com file or need them at all?

On trying out the site, only http: works, not https. I assume this is because I got rid of the SSL stuff in the default file but the error messages mean that the mysite.com file isn't being used properly.

Hi thorrx,

The 'default' apache config file will be called when a request to a URL is made that resolves to your server, but where that URL doesn't match the parameters in 'ServerName' and/or 'ServerAlias' in your separate new vhost configs.

In regards to getting your HTTP and HTTPS working, edit that default config file and make sure these two lines are at the top:

NameVirtualHost *:80
NameVirtualHost *:443

Every time you specify a <VirtualHost> entry in any config, include *:80 or *:443 as opposed to just the wildcard '*' as I believe that's causing the warnings/errors you're seeing when you reload Apache.

I suspect in your default file there's a <VirtualHost *>, best make that a <VirtualHost *:80>, as I'm guessing you don't care about this 'default' virtual host having an SSL config, just your mysite.com.

Your new mysite.com config file looks fine as-is, just make the changes to the default file as above.

Reload apache and see what happens.

@thorrx:

[Fri Mar 27 12:59:43 2009] [error] VirtualHost *:443 – mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

[Fri Mar 27 12:59:43 2009] [error] VirtualHost *:80 – mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

[Fri Mar 27 12:59:53 2009] [error] VirtualHost *:443 – mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

[Fri Mar 27 12:59:53 2009] [error] VirtualHost *:80 – mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

As condate said, replacing <VirtualHost *> with <VirtualHost *:80> for the default virtual-host should get rid of the errors.
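The two mistakes diagnosed in this thread (SSLEngine on in a vhost that also answers port 80, and a wildcard `*` vhost mixed with `*:80`/`*:443` ones) can be checked before a restart. This is an added example, not part of any post above: a small Python lint whose function names and sample configs are constructed for illustration, and which assumes it is given the combined text of the enabled site files rather than following Include directives.

```python
import re

OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
NVH = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)

def port_of(addr):
    """Return the port of '*:443' / '192.0.2.1:80' as a string, or None for a bare '*'."""
    m = re.search(r":(\d+)$", addr)
    return m.group(1) if m else None

def lint(conf):
    """Return (code, detail) findings for the two mistakes made in the thread."""
    findings, seen, current = [], [], None
    for line in conf.splitlines():
        if (m := NVH.match(line)):
            seen.append(m.group(1))
        elif (m := OPEN.match(line)):
            current = m.group(1).split()      # a vhost may list several addresses
            seen.extend(current)
        elif CLOSE.match(line):
            current = None
        elif current and SSL_ON.match(line):
            # TLS on a vhost that also answers port 80 gives the
            # "speaking plain HTTP to an SSL-enabled server port" 400.
            bad = [a for a in current if port_of(a) in (None, "80")]
            if bad:
                findings.append(("ssl-on-plain-port", " ".join(bad)))
    # Apache logs "mixing * ports and non-* ports" when both styles are present.
    if {port_of(a) is None for a in seen} == {True, False}:
        findings.append(("mixed-ports", " ".join(sorted(set(seen)))))
    return findings

# Constructed samples modelled on the configs posted in the thread.
ORIGINAL = "NameVirtualHost *\n<VirtualHost *>\nSSLEngine on\n</VirtualHost>\n"
SITE = ("<VirtualHost *:80>\nServerName mysite.com\n</VirtualHost>\n"
        "<VirtualHost *:443>\nServerName mysite.com\nSSLEngine on\n</VirtualHost>\n")
BROKEN = "NameVirtualHost *\n<VirtualHost *>\n</VirtualHost>\n" + SITE
FIXED = ("NameVirtualHost *:80\nNameVirtualHost *:443\n"
         "<VirtualHost *:80>\n</VirtualHost>\n" + SITE)

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(conf))
```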

Sweet, it seems to be all working correctly now. Thanks to both of you for your help.

For anyone else setting up a similar config (I needed it for a hobby e-commerce site using drupal and drupal's secure pages module to configure selective ssl pages):

At first I simply added to the default file the NameVirtualHost *:80 and *:443 lines and that got rid of the errors, but it didn't work when trying to go to selective https sites. Then I realized I missed the part about changing the VirtualHost * to VirtualHost *:80 as well… after that change, everything works perfectly.

The pages configured to use ssl in the secure pages module (admin pages, store checkout, etc) all redirect to https, and everything else redirects to http. This in conjunction with the redirect of site.com to www.site.com keeps all the pages singular (I've heard that's better for search engine rankings since you don't split views between the different versions to the same page).

TL:DR - it works : ).

Thanks again!

Glad to hear it!

Interesting to hear of selective SSL pages in Drupal - obviously offtopic for this thread but I'm curious, never used the Secure Pages module :)
