This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.

default https site

7 posts / 0 new

Topic locked

Last post

#1 Sun, 01/04/2009 - 01:04

ronald

default https site

hi i have one https site with certificate whenever someone types in the url of any other domain with https protocol (like https://globalsolidarity.eu), then he is redirected to that site (https://cvsite.info)

the https site is running on the same IP as all other sites, only on port 443 obviously.

I can understand it falls back to the default https site. However I want to change that behavior and show a standard message, something like: Please use http in the url, not https.

How can I do this?

thanks

#2 Sun, 01/04/2009 - 04:58

andreychek

Howdy,

It sounds like you may have some mod_rewrite stuff going on in your ssl.conf.

I believe you use CentOS, correct?

What does this show:

grep -i rewrite /etc/httpd/conf,d/ssl.conf

If mod_rewrite is what's being used there, you should be able to tweak it to go to a custom page that has a message you want (or, if you preferred, to automatically redirect to the "http" URL).
-Eric

#3 Sun, 01/04/2009 - 05:21 (Reply to #2)

ronald

grep -i rewrite /etc/httpd/conf.d/ssl.conf doesnt show anything.
I am on Centos 5.2

There is only one ssl site so it may defer any other site to this one as per apache default. Is that correct?

In that case I should be able to create a dummy ssl site with a default page. Better would be to redirect to the http protocol for any site.

thanks

#4 Sun, 01/04/2009 - 10:02 (Reply to #3)

andreychek

I'm not sure which setting is doing that (and my system doesn't redirect the way yours does).

Is there any rewrite code in /etc/httpd/conf/httpd.conf?

If not, would you consider posting your ssl.conf file? Feel free to hide any actual sites or ip addresses, but I'm curious what other settings are active in there.
-Eric

#5 Sun, 01/04/2009 - 14:03 (Reply to #4)

ronald

Im guessing its the Listen *:443 ?

<div class='quote'>#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen *:443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

</div>

#6 Tue, 01/06/2009 - 06:22 (Reply to #5)

andreychek

I'm sorry Ronald, I guess I've been stalling on a reply as I'm not sure sure what's doing that redirect :-)

In theory, having a *:443 wouldn't generate an actual redirect; it would just attempt to listen on all interfaces (which is actually undesirable, but probably isn't what we're looking for here).

You don't happen to have a .htaccess file in the public_html dir that may be doing that, do you?
-Eric

#7 Sun, 06/07/2009 - 07:34 (Reply to #6)

ronald

i have the default joomla .htaccess in there, but the 'redirect' is taking place before one reaches the https site.
I have the idea that apache is simply delivering the first ssl site it sees. Would that be correct?

.htaccess
<div class='quote'>## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
# mod_rewrite in use

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /

########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section</div>

Topic locked