Alias servers do not have Apache SSL website feature proposed (even if the parent server has it)

This is useful for giving secure previews of new sites, among other things, and seems to be an unneeded feature limitation (or bug) of Virtualmin Pro:

Steps to reproduce:

  • create alias server: seeing only:

    Enabled features Setup website for domain?

  • then Edit Virtual Server:

    Apache website enabled? is there

    but not: SSL website enabled?

Also "Protected Web Directories" function is not available in subserver (at least at root level)

Status: 
Active

Comments

Howdy -- well, I think the goal there was to simplify things by only offering one way to access certain features.

The Alias Server inherits all of its features from the parent Virtual Server -- including whether SSL is enabled.

Virtualmin's Alias Servers are typically added to Apache by adding a ServerAlias directive to the parent Virtual Server's config block in Apache... so if the parent domain has SSL enabled, the alias will automatically have it enabled as well.

It's similar with Protected Web Directories -- those can be added to the alias server just by going into the parent Virtual Server to create them.

Adding a Protected Web Directory would enable it both for the parent as well as the alias.

Is there something in particular you're trying to do that isn't working for you?

An alias for an SSL site could be problematic, as it would almost certainly not have a valid SSL cert - if your real domain is foo.com and you create an alias bar.com with SSL enabled, browsers accessing the alias will get foo.com's cert and display a warning.

Hi Jamie, :-)

Keeping settings simple is a very good idea.

I tried and can confirm that the "Apache SSL enabled" setting is not inherited by an alias domain of a domain with SSL enabled.

In our case, we have a valid certificate, which was a wildcard certificate, valid for both subdomains. It could also have been a multi-domain certificate which are now quite common.

I didn't want to manually edit Apache settings to still enable the SSL alias.

Our use case is that we have a new version of a site that we need to validate in many aspects:

  1) using links-check tools not accepting protected directories, so we gave it a very hard to guess domain name
  2) using vulnerability scanning needing to see SSL but not directory protection
  3) by credit-card acquirers needing to see the https working, but preferably be protected by a htaccess password
  4) by the designers still working on it.

So I wanted to have the main site (which already has SSL) protected by passwords, and an alias without password but with a hard to guess subdomain name for the scan tools, but with SSL (and the same wildcard cert).

Neither password protection nor alias with SSL was possible, hence the feature-requests. ;-)

Nothing urgent, so not a bug either.

I've just made a change so that when you add an alias to a domain with SSL, a ServerAlias entry is also added to the virtualhost block for port 443. That way there will be no need to explicitly select the SSL feature for an alias domain.

Hi,

I have nearly the same problem except:

  - I purchased the SSL for maindomain.com
  - I purchased the SSL for aliasdomain.com

Now I installed the SSL for maindomain already. How can I install the SSL for the aliasdomain?

Thanks, Giang Anh

So do you have a separate SSL cert for aliasdomain.com , or one cert that is valid for both?

Hi,

I have separate SSL certs for the 2 domains. The 1 cert for both domains is very expensive.

Thanks, Giang Anh

Unfortunately Virtualmin doesn't support alias domains with a separate SSL cert currently - the best you can do is create a non-alias domain that just redirects to the real domain.

I created a new host already. How do I point the document root to the maindomain host? I tried to edit it in Virtual Server Options and change the directory there but it didn't work. It shows internal server error: https://jplay.vn/

Rather than trying to adjust the document root (which requires a lot of changes), you should setup an HTTP redirect at Server Configuration -> Aliases and Redirects from one domain to the other.

Hi,

Please help.

It's not a simple process to have two different domain names, each with different SSL certificates, using the same website content (aka, the same DocumentRoot).

I believe what Jamie is suggesting above is that you could setup your second domain name, with its own SSL certificate -- but have it redirect to the primary domain name after it's accessed.

In Aliases and Redirects, you'd actually be entering the other domain name, and having it redirect there.

An easier way to setup such a redirect would be in Server Configuration -> Website Redirects.

Hi,

It seems that you didn't read my earlier message. I set up the redirect but it didn't work. I also followed your suggestion and it didn't work either: https://goo.gl/sbaJI2 My parked domain shows a 500 error: http://jplay.vn/

Thanks Giang Anh

I did read your comment; however, what I'm suggesting is different from what you tried above.

I'm suggesting you have it redirect to a domain, rather than the directory you're currently using.

In the screenshot you shared, it's reading from a directory.

Does it work if you have it redirect to the other domain, rather than pointing it at a directory?

Please help, this is urgent.

Unfortunately, what you're trying to do is tricky; most users don't use an SSL certificate with their alias domain.

When an SSL certificate is needed, the most common way to handle that is to redirect to the primary domain.

While we could troubleshoot the redirect loop you're seeing, it sounds like that's not what you want.

The only other option would be to setup a proxy, so that when you access your alias domain, it generates a request behind the scenes that accesses the primary domain.

You can setup a proxy by going into Server Configuration -> Edit Proxy Website.

I think it's not so complicated like that. I need a parked domain (alias domain). So the parked domain, which is hosted in a different host, will point to the same document root. With this solution I can have the SSL for the parked domain.

When two domains share the same DocumentRoot, they are generally aliases.

However, an alias can't have its own SSL certificate.

The only way to do what you're looking to accomplish would either be to do the redirect -- which you said you didn't want to do -- or to use the proxy method mentioned above.

Virtualmin isn't designed to have multiple domains sharing the same DocumentRoot, there are complications with getting that to work.

I thought that they only share the DocumentRoot folder and have the rest directors different. So the second domain can have SSL. Btw, I tried to use the proxy method but it's the same as the redirect, which will redirect the second domain to my main domain: https://goo.gl/n3RBaU I need to use jplay.vn with the same content as jplay.tv. I don't want to redirect it.

Is there any document for multiple domains sharing the same DocumentRoot?

Thanks, Giang Anh

Sorry, this is the simplest way to get what you want working.

Did you by chance disable the redirect that we attempted earlier?

If a redirect is not what you want, and isn't working anyhow, you'd want to disable that prior to setting up the proxying.

Hi,

I disabled the redirect as soon as it didn't work. The redirecting only happens if I enable the proxy

Does the parent domain perhaps have a .htaccess file that's causing it to redirect?

If there's an .htaccess file in the public_html, try temporarily renaming it to see if it works at that point.

If that works, that may mean that the .htaccess file needs to be tweaked.

Renamed the .htaccess file and it's the same. jplay.vn auto redirects to jplay.tv

It may be Joomla that's doing the redirecting.

To test that, rather than browsing to your website's front page, I went just to one specific image:

https://jplay.tv/images/logo.png

That's the .tv parent domain.

However, I found that I can also access it using the .vn alias domain:

https://jplay.vn/images/logo.png

That suggests that the proxying you're using is working properly.

It appears that Joomla may be issuing a redirect, causing the website to redirect to the .tv domain.

I'm unfortunately not sure how to disable that, that's something that would need to be changed within Joomla itself.

Hi,

Not really. Even when I turned off the proxy, I can still access https://jplay.vn/images/logo.png It's because I use a Joomla extension to set up 2 different websites using the same Joomla installation: https://alterbrains.com/joomla-extensions/administration/multisites-manager So in short, the proxy doesn't work. Maybe you can share with me the document on how I point jplay.vn to the document root of jplay.tv

Thanks, Giang Anh

Maybe you can share me the document how I point jplay.vn to document root of jplay.tv

Sorry, but Virtualmin does not support that setup.

Every Virtual Server is designed to have a unique DocumentRoot.

When two domains are to have the same DocumentRoot, they can be aliases.

There isn't a supported feature to have two unique Virtual Servers each share the same DocumentRoot.

The only supported way to make that work would be using the Proxy feature. That should work, unless for some reason the website content itself doesn't support functioning behind a proxy.

I asked Jamie if there's any way at all to get what you're asking for, without a redirect or a proxy.

While there is no supported method to accomplish this from within Virtualmin, you could try manually editing the Apache config, and change the DocumentRoot, and related paths within the VirtualHost block for the second domain.

That will cause a number of Virtualmin validation errors to occur, as Virtualmin doesn't support that setup. But it should be possible to force it to do that.

Note though that since this setup isn't supported, it's possible you could run into unexpected problems down the line with it.

Sorry, I wish we had a better solution for you. We don't get many inquiries about this though (actually, to my knowledge, yours is the first), so we've never attempted to add any kind of functionality to handle that case.

Hi,

My main site is jplay.tv. The second domain is jplay.vn, which points to the jplay.tv root. I already edited the file as below but it didn't work:

SuexecUserGroup "#513" "#510"
ServerName jplay.vn
ServerAlias www.jplay.vn
ServerAlias webmail.jplay.vn
ServerAlias admin.jplay.vn
DocumentRoot /home/jplay/public_html
ErrorLog /var/log/virtualmin/jplay.vn_error_log
CustomLog /var/log/virtualmin/jplay.vn_access_log combined
ScriptAlias /cgi-bin/ /home/jplay/cgi-bin/
ScriptAlias /awstats/ /home/jplay/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory "/home/jplay/public_html">
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/jplay/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/jplay/fcgi-bin/php5.fcgi .php5
</Directory>
<Directory /home/jplay/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.jplay.vn
RewriteRule ^(.*) https://jplay.vn:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.jplay.vn
RewriteRule ^(.*) https://jplay.vn:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
php_admin_value engine Off
IPCCommTimeout 31
FcgidMaxRequestLen 1073741824
<Files awstats.pl>
AuthName "jplay.vn statistics"
AuthType Basic
AuthUserFile /home/jplay/.awstats-htpasswd
require valid-user
</Files>
Alias /dav /home/jplay/public_html
ProxyPass /dav/ !
ProxyPassReverse /dav/ !
<Location /dav>
DAV on
AuthType Basic
AuthName "jplay.vn"
AuthUserFile /home/jplay/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5
RewriteEngine off
</Location>
SSLEngine on
SSLCertificateFile /home/jplayvn/ssl.cert
SSLCertificateKeyFile /home/jplayvn/ssl.key

It always shows a 500 internal error:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

When you say it didn't work, what happened exactly? Do you receive an error of any sort? If so, what error(s) are you seeing?

The error log for that domain is located here: /var/log/virtualmin/jplay.vn_error_log

I already mentioned the error in my comment above when I open https://jplay.vn/:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Last log:

https://jplay.vn/
[Tue Aug 04 15:26:37.928568 2015] [core:error] [pid 63585] [client 115.79.47.73:40177] End of script output before headers: index.php, referer: https://jplay.vn/
[Tue Aug 04 15:26:38.323763 2015] [fcgid:warn] [pid 63588] (104)Connection reset by peer: [client 115.79.47.73:40179] mod_fcgid: error reading data from FastCGI server
[Tue Aug 04 15:26:38.323808 2015] [core:error] [pid 63588] [client 115.79.47.73:40179] End of script output before headers: index.php
[Tue Aug 04 15:26:42.173526 2015] [fcgid:warn] [pid 64464] (104)Connection reset by peer: [client 115.79.47.73:40183] mod_fcgid: error reading data from FastCGI server
[Tue Aug 04 15:26:42.173590 2015] [core:error] [pid 64464] [client 115.79.47.73:40183] End of script output before headers: index.php
[Tue Aug 04 15:26:42.493987 2015] [fcgid:warn] [pid 63597] (104)Connection reset by peer: [client 115.79.47.73:40185] mod_fcgid: error reading data from FastCGI server, referer: http://jplay.vn/
[Tue Aug 04 15:26:42.494041 2015] [core:error] [pid 63597] [client 115.79.47.73:40185] End of script output before headers: index.php, referer: http://jplay.vn/
[Tue Aug 04 15:26:48.888342 2015] [fcgid:warn] [pid 64461] (104)Connection reset by peer: [client 115.79.47.73:40178] mod_fcgid: error reading data from FastCGI server, referer: https://jplay.vn/
[Tue Aug 04 15:26:48.888411 2015] [core:error] [pid 64461] [client 115.79.47.73:40178] End of script output before headers: index.php, referer: https://jplay.vn/
[Tue Aug 04 15:42:08.598699 2015] [fcgid:warn] [pid 64713] (104)Connection reset by peer: [client 66.249.64.57:35472] mod_fcgid: error reading data from FastCGI server
[Tue Aug 04 15:42:08.598776 2015] [core:error] [pid 64713] [client 66.249.64.57:35472] End of script output before headers: index.php

That log information is what we were after, thanks!

Unfortunately, it's not explaining why an error is being thrown though.

We found sometimes FCGID doesn't generate good error messages.

Could you try going into Server Configuration -> Website Options, and in there, set the PHP Execution Mode to "CGI"?

Once you do that, try accessing your site again, and see what errors are produced in the logs.

Here you are:

http://jplay.vn/
[Tue Aug 04 16:47:02.077950 2015] [core:error] [pid 3249] [client 115.79.47.73:62330] End of script output before headers: index.php, referer: http://jplay.vn/
[Tue Aug 04 16:47:07.505329 2015] [fcgid:warn] [pid 3261] (104)Connection reset by peer: [client 115.79.47.73:62335] mod_fcgid: error reading data from FastCGI server
[Tue Aug 04 16:47:07.505394 2015] [core:error] [pid 3261] [client 115.79.47.73:62335] End of script output before headers: index.php
[Tue Aug 04 16:47:07.738490 2015] [fcgid:warn] [pid 3348] (104)Connection reset by peer: [client 115.79.47.73:62336] mod_fcgid: error reading data from FastCGI server, referer: https://jplay.vn/
[Tue Aug 04 16:47:07.738558 2015] [core:error] [pid 3348] [client 115.79.47.73:62336] End of script output before headers: index.php, referer: https://jplay.vn/
[Tue Aug 04 16:47:52.272863 2015] [cgi:error] [pid 3523] [client 115.79.47.73:62392] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi
[Tue Aug 04 16:47:52.526931 2015] [cgi:error] [pid 3523] [client 115.79.47.73:62392] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi, referer: https://jplay.vn/
[Tue Aug 04 16:47:57.381749 2015] [cgi:error] [pid 3529] [client 115.79.47.73:62398] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi
[Tue Aug 04 16:47:57.635682 2015] [cgi:error] [pid 3529] [client 115.79.47.73:62398] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi, referer: http://jplay.vn/
[Tue Aug 04 16:47:59.781912 2015] [cgi:error] [pid 3522] [client 115.79.47.73:62393] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi

Applied to jplay.tv as well and here is the new log:

http://jplay.vn/
[Tue Aug 04 16:47:02.077950 2015] [core:error] [pid 3249] [client 115.79.47.73:62330] End of script output before headers: index.php, referer: http://jplay.vn/
[Tue Aug 04 16:47:07.505329 2015] [fcgid:warn] [pid 3261] (104)Connection reset by peer: [client 115.79.47.73:62335] mod_fcgid: error reading data from FastCGI server
[Tue Aug 04 16:47:07.505394 2015] [core:error] [pid 3261] [client 115.79.47.73:62335] End of script output before headers: index.php
[Tue Aug 04 16:47:07.738490 2015] [fcgid:warn] [pid 3348] (104)Connection reset by peer: [client 115.79.47.73:62336] mod_fcgid: error reading data from FastCGI server, referer: https://jplay.vn/
[Tue Aug 04 16:47:07.738558 2015] [core:error] [pid 3348] [client 115.79.47.73:62336] End of script output before headers: index.php, referer: https://jplay.vn/
[Tue Aug 04 16:47:52.272863 2015] [cgi:error] [pid 3523] [client 115.79.47.73:62392] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi
[Tue Aug 04 16:47:52.526931 2015] [cgi:error] [pid 3523] [client 115.79.47.73:62392] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi, referer: https://jplay.vn/
[Tue Aug 04 16:47:57.381749 2015] [cgi:error] [pid 3529] [client 115.79.47.73:62398] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi
[Tue Aug 04 16:47:57.635682 2015] [cgi:error] [pid 3529] [client 115.79.47.73:62398] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi, referer: http://jplay.vn/
[Tue Aug 04 16:47:59.781912 2015] [cgi:error] [pid 3522] [client 115.79.47.73:62393] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi
[Tue Aug 04 16:49:48.551840 2015] [cgi:error] [pid 4057] [client 115.79.47.73:62519] End of script output before headers: php5.cgi
[Tue Aug 04 16:49:52.756632 2015] [cgi:error] [pid 4067] [client 115.79.47.73:62533] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:01.267374 2015] [cgi:error] [pid 4056] [client 115.79.47.73:62545] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:05.697922 2015] [cgi:error] [pid 4080] [client 115.79.47.73:62554] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:10.293952 2015] [cgi:error] [pid 4122] [client 115.79.47.73:62568] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:12.319447 2015] [cgi:error] [pid 4069] [client 115.79.47.73:62573] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:46.158455 2015] [cgi:error] [pid 4067] [client 115.79.47.73:62610] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:47.451263 2015] [cgi:error] [pid 4056] [client 115.79.47.73:62616] End of script output before headers: php5.cgi
[Tue Aug 04 16:51:03.411862 2015] [cgi:error] [pid 4055] [client 115.79.47.73:62635] End of script output before headers: php5.cgi
[Tue Aug 04 16:51:04.088923 2015] [cgi:error] [pid 4056] [client 115.79.47.73:62636] End of script output before headers: php5.cgi

Thanks for updating the other domain too, that's helpful.

Unfortunately, that error still isn't giving us too much to work on there... I have another idea.

In the public_html folder those domains are sharing, could you add in a test.php file with the following contents:

<?php phpinfo(); ?>

I'd like to see what happens when accessing that from both domains.

And do you see the same generic error showing up in /var/log/virtualmin/jplay.vn_error_log when accessing the test.php that doesn't work?

Here, Andrey:

https://jplay.vn/
[Tue Aug 04 16:47:07.738558 2015] [core:error] [pid 3348] [client 115.79.47.73:62336] End of script output before headers: index.php, referer: https://jplay.vn/
[Tue Aug 04 16:47:52.272863 2015] [cgi:error] [pid 3523] [client 115.79.47.73:62392] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi
[Tue Aug 04 16:47:52.526931 2015] [cgi:error] [pid 3523] [client 115.79.47.73:62392] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi, referer: https://jplay.vn/
[Tue Aug 04 16:47:57.381749 2015] [cgi:error] [pid 3529] [client 115.79.47.73:62398] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi
[Tue Aug 04 16:47:57.635682 2015] [cgi:error] [pid 3529] [client 115.79.47.73:62398] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi, referer: http://jplay.vn/
[Tue Aug 04 16:47:59.781912 2015] [cgi:error] [pid 3522] [client 115.79.47.73:62393] script not found or unable to stat: /home/jplay/cgi-bin/php5.cgi
[Tue Aug 04 16:49:48.551840 2015] [cgi:error] [pid 4057] [client 115.79.47.73:62519] End of script output before headers: php5.cgi
[Tue Aug 04 16:49:52.756632 2015] [cgi:error] [pid 4067] [client 115.79.47.73:62533] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:01.267374 2015] [cgi:error] [pid 4056] [client 115.79.47.73:62545] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:05.697922 2015] [cgi:error] [pid 4080] [client 115.79.47.73:62554] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:10.293952 2015] [cgi:error] [pid 4122] [client 115.79.47.73:62568] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:12.319447 2015] [cgi:error] [pid 4069] [client 115.79.47.73:62573] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:46.158455 2015] [cgi:error] [pid 4067] [client 115.79.47.73:62610] End of script output before headers: php5.cgi
[Tue Aug 04 16:50:47.451263 2015] [cgi:error] [pid 4056] [client 115.79.47.73:62616] End of script output before headers: php5.cgi
[Tue Aug 04 16:51:03.411862 2015] [cgi:error] [pid 4055] [client 115.79.47.73:62635] End of script output before headers: php5.cgi
[Tue Aug 04 16:51:04.088923 2015] [cgi:error] [pid 4056] [client 115.79.47.73:62636] End of script output before headers: php5.cgi
[Tue Aug 04 17:12:48.693950 2015] [cgi:error] [pid 5449] [client 115.79.47.73:64115] End of script output before headers: php5.cgi
[Tue Aug 04 17:13:10.509998 2015] [cgi:error] [pid 5846] [client 115.79.47.73:64133] End of script output before headers: php5.cgi
[Tue Aug 04 17:15:24.680501 2015] [cgi:error] [pid 5843] [client 115.79.47.73:64237] End of script output before headers: php5.cgi, referer: http://virtualmin.com/node/15591
[Tue Aug 04 17:15:30.526017 2015] [cgi:error] [pid 5960] [client 115.79.47.73:64243] End of script output before headers: php5.cgi
[Tue Aug 04 17:17:15.993948 2015] [cgi:error] [pid 5964] [client 71.173.203.109:43053] End of script output before headers: php5.cgi
[Tue Aug 04 17:17:18.585100 2015] [cgi:error] [pid 6297] [client 71.173.203.109:43052] End of script output before headers: php5.cgi, referer: https://jplay.vn/test.php

Please kindly help.

Sorry this just isn't a setup we've ever attempted before...

Another option would be to see if you have better luck using mod_php, instead of FCGID or CGI.

The only other thing I'd suggest, is to compare the Apache VirtualHost definition of the one domain to the other, and see if anything sticks out as a possible problem.

If that doesn't help, this may not be a setup that's going to work on a Virtualmin server... sorry!

I switched to mod_php but it still shows a 500 error. I also copied and replaced everything in the Apache config but it's still the same.

What error are you seeing in the logs when that occurs? I'm curious if it's the same one, or if it's somehow different.

The site said "No input file specified." when I access jplay.vn. I also attach the access log and error log here.

Is there still no way to install separate cert for alias? I am setting up a wordpress multisite and I really need all domains to have a valid SSL.

Unfortunately not - the only alternative would be to have a multi-domain (UCC) cert that covers all your domain names.
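
An added example, not part of the thread or of Virtualmin's code: since an alias is served from the parent's port-443 VirtualHost with the parent's certificate, this sketch lists which ServerName/ServerAlias names a given certificate's SAN entries do not cover, and so would produce the browser warning described above for foo.com and bar.com. The vhost block, the IP address, the preview hostname, the SAN lists and all function names are constructed for illustration.

```python
import re

# Constructed sample: a port-443 block after an alias was added as ServerAlias.
VHOST_443 = """
<VirtualHost 192.0.2.10:443>
ServerName foo.com
ServerAlias www.foo.com
ServerAlias preview-x7k2.foo.com bar.com www.bar.com
DocumentRoot /home/foo/public_html
SSLEngine on
</VirtualHost>
"""

# Constructed SAN lists: a wildcard cert and a multi-domain (UCC) cert.
WILDCARD_SANS = ["foo.com", "*.foo.com"]
UCC_SANS = ["foo.com", "www.foo.com", "bar.com", "www.bar.com"]


def served_names(vhost_text):
    """Return ServerName plus every ServerAlias name, lower-cased, in file order."""
    names = []
    for line in vhost_text.splitlines():
        m = re.match(r"\s*(ServerName|ServerAlias)\s+(.+)", line, re.IGNORECASE)
        if m:
            for raw in m.group(2).split():
                # Drop an optional :port suffix and a trailing dot.
                names.append(re.sub(r":\d+$", "", raw).lower().rstrip("."))
    return names


def san_matches(san, host):
    """Hostname match in the style of RFC 6125: '*' is only honoured as the
    entire left-most label and stands for exactly one label."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def uncovered(vhost_text, cert_sans):
    """Names the vhost answers for that no SAN entry covers."""
    return [h for h in served_names(vhost_text)
            if not any(san_matches(s, h) for s in cert_sans)]


if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_SANS), ("UCC", UCC_SANS)):
        print(label, "cert leaves uncovered:", uncovered(VHOST_443, sans))
```

With the wildcard list, the hard-to-guess preview subdomain is covered but the bar.com alias names are not; with the UCC list it is the other way round.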