Not able to access HTTPS link. Getting ssl connection error?

I have enabled the default-ssl site on my Ubuntu Linux server. When I load the site with Google Chrome I get this error:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
With Firefox:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
I have checked the apache2 log file, which says Suhosin-Patch mod_ssl:
[Fri Apr 04 16:29:33 2014] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
FYI,
when I run the command "apachectl -S" I get this error:
/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl:2)
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default:1)
Syntax OK
If I run "apachectl configtest":
/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Syntax OK
EDIT 1
I am also getting the error below:
Invalid method in request \x16\x03\x01
Please help me.

It looks like you are setting up an HTTP server on port 443, i.e. on a port usually used for HTTPS (HTTP wrapped inside an SSL connection). The Invalid method in request \x16\x03\x01 you get on the server side is the start of the SSL handshake from the client. And because the client does not get the expected answer back from the server, it complains.
I don't know what your intention with this setup is, but
if you want to use only HTTP keep the listener on port 80 and remove the one on port 443
if you want to set up HTTPS you need certificates etc (there is enough documentation out there)

OK, here is the solution.
My domain (example.com) is configured for port forwarding, and it was mapping to my local server.
To access my local server through example.com,
it was like this:
http://example.com:1234/project_name
and I was configuring my local server for HTTPS,
which was accessible as
https://192.168.**.***/project_name
But it was giving the error (Invalid method in request \x16\x03\x01) for the URL below:
https://example.com:1234/project_name
because example.com was not configured for SSL.

Related

CUPS bad request

I have a little problem with CUPS 2.2.7
This is my /etc/hosts file:
127.0.0.1 example.com
127.0.0.1 localhost
In http://localhost:631/ CUPS is working right,
but in http://example.com:631/ it doesn't work on the same PC.
The error message in View error log is this one:
E [21/Feb/2019:11:54:18 +0100] [Client 33] Request from "localhost" using invalid Host: field "example.com:631".
The web page in Firefox prints an error message Invalid request and gives me an Error (error code: 400), but it seems to point to CUPS.
How can I solve this problem so that example.com:631 points to localhost and CUPS answers it successfully instead of Error 400: Access Denied?
By default CUPS serves HTTP requests only with an HTTP Host header equal to "localhost". To allow it to service requests for additional HTTP Host headers, use the ServerAlias directive as described in the man cupsd.conf documentation. It's common to do the most unsafe thing and add
ServerAlias *
to /etc/cupsd.conf to allow all possible HTTP host headers to be serviced.
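Added example, not CUPS code and not part of the answer: a small model of Host header validation that compares `ServerAlias *` with an alias list limited to the name actually in use. The default of accepting only "localhost" is taken from the answer above; the function names, the two cupsd.conf fragments and the host `unexpected.invalid` are constructed for illustration.

```python
DEFAULT_NAMES = {"localhost"}  # assumption: the default described in the answer above

def server_aliases(conf_text):
    """Collect every name given on ServerAlias lines of a cupsd.conf text."""
    names = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()       # drop comments, split on whitespace
        if fields and fields[0].lower() == "serveralias":
            names += [n.lower() for n in fields[1:]]
    return names

def host_name(host_header):
    """Lower-cased host part of a Host header value, with the port removed."""
    value = host_header.strip().lower()
    if value.startswith("["):                        # IPv6 literal, e.g. [::1]:631
        return value[1:].split("]", 1)[0]
    return value.split(":", 1)[0].rstrip(".")

def host_allowed(host_header, aliases):
    """True if a server using these aliases would accept the request."""
    name = host_name(host_header)
    if not name:
        return False
    return "*" in aliases or name in DEFAULT_NAMES or name in aliases

# Constructed cupsd.conf fragments: the wildcard setting and a scoped one.
WILDCARD_CONF = "Listen *:631\nServerAlias *\n"
SCOPED_CONF = "Listen *:631\nServerAlias example.com  # only the name in use\n"

def compare(host_header):
    """Evaluate one Host header against both configurations."""
    return {
        "wildcard": host_allowed(host_header, server_aliases(WILDCARD_CONF)),
        "scoped": host_allowed(host_header, server_aliases(SCOPED_CONF)),
    }

if __name__ == "__main__":
    for header in ("localhost:631", "example.com:631", "unexpected.invalid:631"):
        print(header, compare(header))
```

With the scoped alias the request for example.com:631 is served while any other name is still refused; with the wildcard the Host check no longer rejects anything, which is the situation the cupsd.conf man page warns about in connection with DNS rebinding.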
I know this is old, but I too was experiencing the same issue recently and I resolved it by updating the following line in cupsd.conf from:
Listen 0.0.0.0:631
changed to:
Listen *:631
For those who may care to know, I'm running CUPS within a Docker container, and this change corrects the "Bad Request" response.

Does vagrant share with https still work?

I have the guest's HTTPS port set to 443 on its Apache 2 installation.
In Vagrantfile
I have vm.forwarded_port set to forward from 443 to 8443
I have vm.hostname set to actualdomain.org
I've also installed the vagrant plugin install vagrant-hostsupdater so that actualdomain.org is written to my hosts file, so it pulls up the developer environment and not the actual site when it is requested.
I ran vagrant connect...
I ran vagrant share --https 443 --domain actualdomain.org but it reports the following:
==> default: Detecting network information for machine...
default: Local machine address: 192.168.xx.10
default: Local HTTPS port: 443
==> default: Checking authentication and authorization...
==> default: Creating Vagrant Share session...
There was an error returned by the Vagrant Cloud server. The
error message is shown below:
Domain cannot be used with this account
But if I run vagrant share without the --domain parameter, I end up with the following in my logs when I try to contact the site remotely:
Hostname XXXXX-YYY-ZZZZ provided via SNI and hostname XXXXX-YYY-ZZZZ.vagrantshare.com provided via HTTP are different
And in the browser I am returned an HTTP 400 Bad Request.
Is there any easy way around this? It seems to me that this didn't happen the last time I used vagrant, and it seems as though there was something added to TLS that causes it to balk about the SNI error since then.
I even tried adding a server alias that was the same as the XXXXX-YYY-ZZZ.vagrantshare.com, and it is still giving me an issue; does that mean that I have to rebuild the certificate every time the HashiCorp URL changes if I want to show it off to somebody via their browser?

New Azure VM says InvalidQueryParameterValue comp

I created a new Azure VM, installed the LAMP stack, and when I visit the domain name in a browser, it serves the following error, which I am unable to find any information on through Google or Stack Overflow:
<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidQueryParameterValue</Code><Message>Value for one of the query parameters specified in the request URI is invalid.
RequestId:45ba52f4-0001-0086-13ed-e545cf000000
Time:2015-09-03T02:07:58.4816344Z</Message><QueryParameterName>comp</QueryParameterName><QueryParameterValue /><Reason /></Error>
When I use wget http://localhost while logged in through SSH, I get this error instead:
--2015-09-03 02:05:57-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65 [text/html]
index.html: Permission denied
Cannot write to ‘index.html’ (Permission denied).
The apache config for the default site is plain:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
How do I get this VM to start serving using Apache?
This can occur on the 'Static Website hosting' feature if you point your CNAME to the wrong Azure server.
You must use the server DNS name that contains web in the name and not blob.
The first error (when opening from the Internet) is (most probably) showing that you are not trying to access the VM URL, but another service instead (i.e. Azure storage service, or some other Azure service).
To make things more confusing for newcomers, Microsoft now has 2 parallel types of services - one is called classic and the other is called resource manager. In order to give you the best answer, I have to know how you created your VM - using the classic or using the resource manager (or shortly ARM) mode. If it was the classic, your VM should live in a domain something like: mylinuxvm.cloudapp.net. You can check this by going to the management portal, then selecting the VM and checking its settings / properties. If that is the case, the only thing you need to add is an Endpoint for port 80, so that Internet traffic coming on TCP port 80 will be redirected to your VM.
If it is an ARM VM, you need a network security group rule that will send traffic on port 80 to your public IP Address, which has to be associated with the VM.
The second error:
When I use wget http://localhost while logged in through SSH, I get this error instead:
--2015-09-03 02:05:57-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65 [text/html]
index.html: Permission denied
Cannot write to ‘index.html’ (Permission denied).
You get this because you are using wget instead of curl. The difference is that curl will just render the result to stdout, while wget tries to download and save the content. The error is quite clear:
Cannot write to ‘index.html’ (Permission denied).
Which means you are executing the command in a folder to which you do not have write permission. This is usually the home of the root user when you do not do sudo before executing the command.

Transparent Proxy Issue with SSL

I have a RHEL5 server in a private zone. I've set up a transparent proxy for ports 80 and 443. When I try a wget on 443, I get the following:
# wget -O- https://www.google.com
--2013-02-14 15:16:50-- https://www.google.com/
Resolving www.google.com... 74.125.129.147, 74.125.129.104, 74.125.129.106, ...
Connecting to www.google.com|74.125.129.147|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
I assume the proxy works because it's connecting. I don't know what else could be causing this.
This OpenSSL error indicates that wget sent the initial SSL ClientHello message, but gets an unexpected response from the server (or proxy) which was not an SSL ServerHello message.
This can be because the proxy speaks plain HTTP with the client, instead of HTTPS, because of a configuration error (e.g. with squid if port 443 is redirected to a http_port instead of https_port with the transparent option), or because it does not support transparent proxying of SSL at all. To debug, you may try connecting to http://www.google.com:443/ to see what happens. To know what's going on, you might want to run tcpdump while connecting to see what the server responds with. Also check the error log of your transparent proxy.
Without the transparent proxy configuration it is hard to tell what the problem is.
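Added example, not from any answer on this page: the answer above and the first answer on this page (Invalid method in request \x16\x03\x01) describe the same failure, a TLS client talking to a listener that answers in plain HTTP. The sketch reads the first five bytes the way a TLS endpoint reads a record header. Both byte samples are constructed and the function names are hypothetical.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048   # largest record body TLS 1.2 permits (RFC 5246)
HTTP_STARTS = (b"HTTP/", b"GET ", b"POST ", b"HEAD ", b"<!DOCTYPE", b"<html")

def parse_record_header(data):
    """Read the first 5 bytes as a TLS record header: (type, (major, minor), length)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

def classify_first_bytes(data):
    """Describe a peer's first bytes and how a TLS endpoint would read them."""
    if len(data) < 5:
        return "too short to classify"
    ctype, (major, minor), length = parse_record_header(data)
    if ctype in TLS_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        # Wire version 3.1 is TLS 1.0, the usual record-layer version of a ClientHello.
        return f"TLS {TLS_TYPES[ctype]} record, version {major}.{minor}, {length} bytes"
    if data.startswith(HTTP_STARTS):
        return (f"plaintext HTTP; parsed as a TLS record it claims {length} bytes "
                f"(limit {MAX_RECORD_LEN})")
    return "neither TLS nor recognisable HTTP"

# Constructed samples.
CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")  # start of a client's first TLS record
PLAIN_REPLY = b"HTTP/1.1 400 Bad Request\r\n"            # reply from a listener that is not speaking TLS

if __name__ == "__main__":
    for name, sample in (("client", CLIENT_HELLO), ("server", PLAIN_REPLY)):
        print(name, "->", classify_first_bytes(sample))
```

The bytes 0x16 0x03 0x01 are the handshake content type and version 3.1 of the record header, which an HTTP server tries to read as a request method. In the other direction, the characters "P/" of "HTTP/" land in the length field and give 20527, a record longer than TLS allows.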

HAproxy and Node.js+Spdy

I'm currently using node spdy to serve files. This works beautifully.
However I would like to use HAproxy to load balance amongst these node servers. But when my node/spdy server is behind HAproxy, request.isSpdy is false... so spdy is all of a sudden not supported?
Here's my HAproxy configuration:
global
    maxconn 4096
defaults
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
frontend http_proxy
    mode http
    bind *:80
    redirect prefix https://awesome.com code 301
frontend https_proxy
    mode tcp
    bind *:443
    default_backend webservers
backend webservers
    balance source
    server server1 127.0.0.1:10443 maxconn 4096
    # server server2 127.0.0.1:10444 maxconn 4096
Thanks!
You can't use HAProxy's HTTP load balancing mechanism with SPDY. First, you need to use the latest development branch to enable support for NPN (and hence SPDY), and after that, you will have to configure it to run closer to simple TCP load-balancing mode -- HAProxy does not understand SPDY.
For an example HAProxy + SPDY config script, see here:
http://www.igvita.com/2012/10/31/simple-spdy-and-npn-negotiation-with-haproxy/
I ran into this same issue. Instead of using spdy, I went back to using express and made haproxy use the http/2 protocol.
frontend http-in
    bind *:80
    mode http
    redirect scheme https code 301
frontend https-in
    mode http
    bind *:443 ssl crt /path/to/cert.pem alpn h2,http/1.1
The key here is this part: alpn h2,http/1.1
