I have a number of domains, each one pointing to my server IP..
I've pinged each domain to check the DNS, That's fine, all domains are pointing to the correct server.
All my domains route through the httpd.conf correctly via HTTP, except one domain where for some reason the Http <Virtual: *:80> entry is forwarding to https: (https://preprod.testsite.org.uk) - For security, this isn't the real URL.
Why would this entry fail when the others are fine?
Is there some way of debugging or tracing through the request from the DNS through to the server, through to the httpd.conf?
<VirtualHost *:80>
DocumentRoot "/var/www/html/testsite/production"
ServerName preprod.testsite.org.uk
<Directory /var/www/html/testsite/production>
DirectoryIndex index.php
order allow,deny
allow from all
AllowOverride all
</Directory>
</VirtualHost>
DNS has nothing to do with HTTP to HTTPs redirection.
Test it using curl (-v option) and check if the server is sending a Location to the client telling him to connect over HTTPs.
If curl says there's no redirection to https, might be the application itself telling the client to connect over https OR, maybe, some entry in browser HSTS cache.
Related
I setup a local guacamole server for people in my work to access several VM's that we have running in the server. IN order to access guacamole the have to type http://ip:port/guacamole or after the host override I did in my pfsense DNS resolver http://guac.loc:port/guacamole. The problem is that even that some times is problematic for some of them so I want to do something like http://guac.loc so they can remember it easily. I did it for some with the hosta file but I can't different functionallities for some of them. So can anyone help on how to do that? Can I do it somehow from the web server? Or do I need to setup a DNS Server?
If I understand correctly, you want to have "simpler" URL, without port and "guacamole" path.
Guacamole by default runs under Tomcat on port 8080. However, you can put Apache in front of the Tomcat and proxy request to the guacamole. Apache can proxy and forward all requests to the Guacamole on the given port and path.
Something like the example below should work and also will redirect all http requests to the htpts. It is not mandatory to have SSL enabled, you can proxy http as well.
<VirtualHost *:80>
ServerName guac.loc
Redirect permanent / https://guac.loc/
</VirtualHost>
<VirtualHost *:443>
ServerName guac.loc
SSLEngine on
SSLCertificateFile /etc/ssl/certs/guac-loc.cer
SSLCertificateKeyFile /etc/ssl/private/guac-loc.key
SSLCACertificateFile /etc/ssl/certs/guac-loc-ca.crt
<Location /guacamole/>
ProxyPass http://localhost:8080/guacamole/ flushpackets=on
ProxyPassReverse http://localhost:8080/guacamole/
Order allow,deny
Allow from all
</Location>
</VirtualHost>
I am trying to redirect http://eamondev.com:3000 to https://omniatm.eamondev.com with a VirtualHost. I am using node to serve a site to http://eamondev.com:3000. I am using vhost with node like this:
app.use(vhost('omniatm.eamondev.com', express.static('/')));
I have never used vhost and it took me a while to figure this out without having to split up all my code like I was working with more than one site (when I am not), so I'm not sure if it is exactly how it should be for an Apache redirect to work.
In my apache conf file I have:
<VirtualHost *:80>
ServerName omniatm.eamondev.com
ProxyPreserveHost on
ProxyPass / http://localhost:3000/
</VirtualHost>
I am also using WHM on a VPS, I'm not sure if this is relevant or not, but the ServerName (with protocol, what I type into the browser) needs to be https://omniatm.eamondev.com.
I cannot serve node on port 80 of my server (and then redirect to subdomain) because my main site (http://eamondev.com) is running on port 80.
I have referenced most of the stackoverflow questions about this and nothing has worked. I should mention (although I'm not sure exactly how it is relevant, I just saw it in a stackoverflow question I looked at), my hosting support (bluehost) used WHM to set things up with a wildcard ssl certificate to make the omniatm.eamondev.com subdomain https.
How do I redirect http://eamondev.com:3000 to https://omniatm.eamondev.com using apache (or vhost)?
Proxy passing as given in the question will not do any redirects instead it will retain the URL as such and proxy the content from elsewhere. In Apache configuration, we have an option to do redirects, in the bellow sample, we are checking for the host and based on it issuing an redirect to the desired URL
<VirtualHost *:80>
ServerName omniatm.eamondev.com
Redirect / https://omniatm.eamondev.com
<If "%{HTTP_HOST} != 'eamondev.com:3000'">
Redirect "^/?(.*)" "https://omniatm.eamondev.com/$1"
</If>
</VirtualHost>
I would like to block any traffic that does not come for the websites hosted on my VPC.
My Server's IP address is 1.2.3.4 which hosts 3 websites.
Following requests should be allowed:
http:// example1.com or https:// www.example1.com
http:// example2.com/ or https:// www.example2.com
http:// example3.com/ or https:// www.example3.com
Following requests should be blocked (including server's IP address):
http: //1.2.3.4/ or https:// 1.2.3.4/
http:// anyotherdomain.com/ or https:// anyotherdomain.com/
List of allowed Host names could be read from a text file which I could update as and when required.
Is this feasible? If yes, what are the pros and cons. If not, thank you for the information.
Cheers
You can't do that in iptables as you would like to.
What you have aren't 3 real different hosts, but 3 virtual hosts: the main difference, as you already know, is that they share the same IP address.
As they share the same IP, kernel's netfilter just can't distinguish different requests from its layer: it's your web server application itself that "routes" the different requests to its proper website by looking at the "Host:" header inside the incoming HTTP packet and by determining which virtualhost should reply to it.
A good compromise (denying instead of dropping) for what you want to do would be to setup a configuration in your web server to make it catch and deny any connection that doesn't belong to your virtual hosts. Also there's no need to make a different list in this way, as your web server could dinamically determine if the requested host exists or not.
Here's an example, assuming you're running Apache, adding the catchall sentence to the top will make your server respond with a 403 message to any connection that won't be overridden by your examples.com websites:
<VirtualHost *:80>
ServerName catchall
<Location />
Order allow,deny
Deny from all
</Location>
</VirtualHost>
<VirtualHost *:80>
ServerName example1.com
DocumentRoot /var/www/example1
<Directory /var/www/example1>
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
...
VirtualHost for example2.com (allowing all as above)
VirtualHost for example3.com (allowing all as above)
That's not the same as dropping right from the kernel of course, but it stops any further interation with your server aswell.
I have created a reverse proxy for my node server that runs on localhost, so that it can be served over HTTPS.
The forwarding works grate, however when the app tries to make requests I get:
Mixed Content: The page at 'https://foo.com/' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint
'http://localhost:8888/graphql?query=%7Bnotifications(userid)%7Bid%2C…
This request has been blocked; the content must be served over HTTPS.
Vhost config:
<VirtualHost *:443>
ServerName www.foo.com
ServerAlias foo.com
DocumentRoot /var/www/foo/
ErrorLog /var/www/foo/error.log
CustomLog /var/www/foo/requests.log combined
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/etc/letsencrypt/live/foo.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/foo.com/privkey.pem"
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:8888/
ProxyPassReverse / http://localhost:8888/
</VirtualHost>
What is missing from my setup?
You are openning the page on https://foo.com/, but URLs within your page contain hardcoded localhost domain and port. While rendering the page, client browser will try to fetch 'http://localhost:8888/graphql effectively skipping apache (which is running on port 80, on server foo.com) and hitting directly your node app, which will 1) work only if you run the browser from the very same machine where you have your node app running, and 2) even then, you will get the above error since some page assets are loaded using http.
When you use relative URLs (for example URL that begins with /), browser will prepend the base URL, resulting in https://foo.com/graphql.
Absolute vs relative URLs
You need to add a SSL certificate to your node.js app. Enabling it on apache won't help since the apache is forwarding the requests to your node.js app on port 8888 (which communicates on plain http and not https). That's why you get the mixed content error. The initial request is on https on apache then forwarded to http to node.js
Steps to configure node.js app with a SSL certificate (you can use a self-signed certificate or a commercial one).
First you have to use ssl-root-cas available via npm. The configure it as follows:
'use strict';
var https = require('https')
, cas
;
// This will add the well-known CAs
// to `https.globalAgent.options.ca`
require('ssl-root-cas').inject();
cas = https.globalAgent.options.ca;
cas.push(fs.readFileSync(path.join(__dirname, 'ssl', '01-ssl-intermediary-a.pem')));
cas.push(fs.readFileSync(path.join(__dirname, 'ssl', '02-ssl-intermediary-b.pem')));
cas.push(fs.readFileSync(path.join(__dirname, 'ssl', '03-ssl-site.pem')));
Try and see if that works!
I have a CentOS VPS which is serving HTTP requests via Apache and delivers a HTML site. I am also hosting a Ghost blog on the same VPS, which listens on port 2368. Therefore the main site can be accessed via www.domain.co.uk and the Ghost blog via www.domain.co.uk:2368/blog.
I have configured a Reverse Proxy via Apache so that the port can be hidden from the user, i.e. www.domain.co.uk/blog proxies to www.domain.co.uk:2368/blog.
Is it possible for me to 'hide' the original blog URL so that a user never sees the 2368 port? Therefore, if a user ever accesses www.domain.co.uk:2368/blog this will actually 'redirect' to www.domain.co.uk/blog.
I guess something like a proxy from www.domain.co.uk:2368/blog -> www.domain.co.uk/blog; though this would have to be handled by the node application as it listens on that port?
Virtual Host configuration is as such:
<VirtualHost *:80>
ServerName www.domain.co.uk
ServerAlias domain.co.uk
DocumentRoot /var/www/domain.co.uk/public_html
ErrorLog /var/www/domain.co.uk/error.log
CustomLog /var/www/domain.co.uk/requests.log combined
ProxyRequests Off
ProxyPass /blog http://127.0.0.1:2368/blog
ProxyPassReverse /blog http://127.0.0.1:2368/blog
</VirtualHost>