
Re: [users@httpd] Problem setting up ssl


Quoting Mahmood Naderan (nt_mahmood@xxxxxxxxx.INVALID):

> [mahmood@rocks7 ~]$ wget http://w.x.y.z:443
> Connecting to w.x.y.z:443... connected.
> HTTP request sent, awaiting response... 200 OK
> 2018-08-20 10:30:50 (1.95 MB/s) - ‘index.html.1’ saved [33229]
> Any thought?

Did you forget to put 'SSLEngine On' in your SSL-vhost definition?
The above quote clearly shows your Apache is doing normal HTTP on port 443.

Also, SSL generally doesn't work well when connecting to just an IP address.
SSL certs contain a domain name; it has to match or you'll get certificate
security warnings.

Use this config as a reference, assuming Apache 2.4+:

| <VirtualHost aa.bb.cc.dd:80 [2001:7b8:zzz:1:aa.bb.cc.dd]:80>
|     ServerName www.example.com
|     ServerAlias example.com
| 
|     DocumentRoot /var/vhosts/www.example.com/html
| 
|     RewriteEngine On
|     RewriteCond %{REQUEST_URI} !^/.well-known/
|     RewriteRule (.*) https://www.example.com$1 [R=301,L]
| </VirtualHost>
| <VirtualHost aa.bb.cc.dd:443 [2001:7b8:zzz:1:aa.bb.cc.dd]:443>
|     ServerName www.example.com
|     ServerAlias example.com
| 
|     AddDefaultCharset utf-8
| 
|     Header always add Strict-Transport-Security "max-age=15552000; includeSubDomains"
|     Header always add X-Content-Type-Options "nosniff"
|     Header always add X-Frame-Options "SAMEORIGIN"
|     Header always add X-XSS-Protection "1; mode=block"
| 
|     SSLEngine On
|     SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
|     # Cipher list: forward-secret ECDHE suites first, then explicit exclusions (no trailing separator)
|     SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!SSLv2:!MD5:!SSLv3:!3DES:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|     SSLOpenSSLConfCmd ECDHParameters secp384r1
|     SSLOpenSSLConfCmd Curves secp384r1
| 
|     SSLCertificateChainFile        /etc/letsencrypt/manual/chain.pem
|     SSLCertificateFile             /etc/letsencrypt/manual/www.example.com.crt
|     SSLCertificateKeyFile          /etc/letsencrypt/manual/www.example.com.key
|     SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/manual/www.example.com.dh
| 
|     ErrorLog /var/vhosts/www.example.com/logs/error.log
|     CustomLog /var/vhosts/www.example.com/logs/access.log combined
| 
|     DocumentRoot /var/vhosts/www.example.com/html/
|     <Directory /var/vhosts/www.example.com/html/>
|         Options -Indexes
|         Require all granted
|     </Directory>
|     
|     RewriteEngine On
| 
|     RewriteCond %{HTTP_HOST} !^www.example.com
|     RewriteRule (.*) https://www.example.com$1 [R=301,L]
| </VirtualHost>

-- 
| Dopeler effect: The tendency of stupid ideas to seem smarter when they
| come at you rapidly.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
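The three checks below are an added example, not code from the list post or from the Apache project. They turn the reply's diagnosis into something a practitioner can run: `classify_response` tells a plain-HTTP answer on port 443 (the wget output quoted above) apart from a TLS record; `hostname_matches` shows why a certificate issued for a DNS name does not validate when the client connects to a bare IP address unless the cert also carries an IP-address SAN; and `lint_vhosts` is a small config-side check that flags any `<VirtualHost ...:443>` block lacking `SSLEngine On` or its certificate/key directives. The `BROKEN`/`FIXED` configs are constructed samples modelled on the reference config in the reply; `probe` is a hypothetical network helper the tests do not call.

```python
"""Diagnostics for the two problems discussed in this thread (added example)."""
import ipaddress
import re
import socket


def classify_response(first_bytes: bytes) -> str:
    """Classify what a listener speaks from the first bytes it sends back
    to a plain 'GET / HTTP/1.0' request.

    A vhost on 443 without 'SSLEngine On' answers with an HTTP status line.
    A real TLS listener either sends a TLS alert record or closes the
    connection without replying.
    """
    if not first_bytes:
        return "no-reply"
    if first_bytes.startswith(b"HTTP/"):
        return "plain-http"
    # TLS record header: content type (0x15 alert / 0x16 handshake), then 0x03 major version
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Hypothetical helper: send a plain HTTP request to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return classify_response(sock.recv(16))


def hostname_matches(sans, target: str) -> bool:
    """Check a subjectAltName list against the name the client connected to.

    `sans` uses the ('DNS', name) / ('IP Address', addr) tuple shape that
    ssl.getpeercert()['subjectAltName'] returns. A DNS SAN never matches an
    IP literal, which is why connecting to w.x.y.z instead of the hostname
    produces certificate warnings.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            if value.lower() == target.lower():
                return True
            # single-label wildcard: *.example.com matches www.example.com, not example.com
            if value.startswith("*.") and "." in target and \
                    value[2:].lower() == target.lower().split(".", 1)[1]:
                return True
    return False


VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def lint_vhosts(config_text: str):
    """Return [(address-spec, [problems])] for every VirtualHost listening on port 443."""
    findings = []
    for match in VHOST_RE.finditer(config_text):
        addrs, body = match.group(1).strip(), match.group(2)
        # port is whatever follows the last ':' (works for host:443 and [v6addr]:443)
        ports = {spec.rsplit(":", 1)[-1] for spec in addrs.split()}
        if "443" not in ports:
            continue
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or line.startswith("<"):
                continue  # skip blanks, comments and nested <Directory> tags
            name, _, value = line.partition(" ")
            directives.setdefault(name.lower(), []).append(value.strip())
        problems = []
        if not any(v.lower() == "on" for v in directives.get("sslengine", [])):
            problems.append("SSLEngine On missing: Apache will serve plain HTTP on 443")
        for required in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if required.lower() not in directives:
                problems.append(f"{required} missing")
        findings.append((addrs, problems))
    return findings


# Constructed sample: the HTTPS vhost from the reply, minus SSLEngine On (the reported symptom).
BROKEN = """
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLCertificateFile /etc/letsencrypt/manual/www.example.com.crt
    SSLCertificateKeyFile /etc/letsencrypt/manual/www.example.com.key
</VirtualHost>
"""
FIXED = BROKEN.replace("    SSLCertificateFile", "    SSLEngine On\n    SSLCertificateFile")

if __name__ == "__main__":
    print(classify_response(b"HTTP/1.1 200 OK\r\n"))   # plain-http: what the quoted wget saw
    print(lint_vhosts(BROKEN))
    print(lint_vhosts(FIXED))
```

Run it against a live host with `probe("www.example.com")` once the vhost is fixed: the answer should flip from `plain-http` to `tls` or `no-reply`, and `hostname_matches` run over `ssl.getpeercert()['subjectAltName']` with the name you actually connect to tells you whether the remaining warnings are a name-mismatch problem rather than a TLS-setup problem.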