jeffk (l33t)
Joined: 13 Sep 2003 Posts: 671
Posted: Tue Dec 19, 2006 12:29 am Post subject: apache2 vhost ssl: You configured HTTP(80) on HTTPS(443)
I'm having trouble with Apache2 and an IP-based virtual host over SSL (aren't we all). I have a fairly stock apache setup; the objective is a mod_python web application (trac) and subversion over https, and the http configuration of each works just fine.
Apache and OpenSSL
apache has been emerged after the most recent openssl emerge:
Code: | Sun Oct 1 22:55:37 2006 >>> dev-libs/openssl-0.9.8d
Mon Dec 11 20:47:00 2006 >>> net-www/apache-2.0.59-r2 |
apache has been emerged with USE=ssl:
Code: | # emerge openssl apache -pv
[ebuild R ] dev-libs/openssl-0.9.8d USE="emacs zlib -bindist -sse2 -test" 0 kB
[ebuild R ] net-www/apache-2.0.59-r2 USE="apache2 ldap ssl -debug -doc -mpm-itk -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker (-selinux) -static-modules -threads" 0 kB |
Apache OPTS
APACHE2_OPTS has SSL SSL_DEFAULT_VHOST, plus the subversion and mod_python options I need for trac and subversion:
Code: | # grep OPTS= /etc/conf.d/apache2
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PROXY -D INFO -D MIME -D DAV -D DAV_FS -D SVN -D SVN_AUTHZ -D PYTHON" |
Apache is listening on ports 80 and 443
Code: | # netstat -tlnp | grep apache2
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3508/apache2
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3508/apache2 |
Certificate
A self-signed certificate has been created per http://gentoo-wiki.com/Apache_Modules_mod_ssl, skipping the first step (a passphrase version of the key):
Code: | # openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
.....++++++
e is 65537 (0x10001)
athlon1 ssl # openssl rsa -in server.key -out server.pem
writing RSA key
athlon1 ssl # openssl req -new -key server.pem -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Company
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
Signature ok
subject=/C=US/O=ACME Company
Getting Private key |
(Question: I notice that nowhere in this process is the virtual host domain name entered. Is that something I need?)
The certificates are read-write by root only (does apache:apache need to be the owner?):
Code: | # ls -l /etc/apache2/ssl/
total 16
-rw------- 1 root root 676 Dec 18 15:55 server.crt
-rw------- 1 root root 562 Dec 18 15:55 server.csr
-rw------- 1 root root 891 Dec 18 15:54 server.key
-rw------- 1 root root 891 Dec 18 15:54 server.pem |
The only change to default-vhost.conf is to reference server.pem, as per http://gentoo-wiki.com/Apache_Modules_mod_ssl:
Code: | # grep -R SSLCertificateKeyFile /etc/apache2/
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:#SSLCertificateKeyFile conf/ssl/server.key
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:SSLCertificateKeyFile conf/ssl/server.pem |
The vhost for which I am trying to enable SSL is defined as follows. Please forgive the duplication; once I get SSL working I'm going to enable a rewrite to force HTTPS. I have a number of non-SSL vhosts that share IPs, but this one has its own IP. If I'm supposed to do something different than NameVirtualHost, please correct me.
Code: | # cat /etc/apache2/vhosts.d/dev.acmecorp.com.conf
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:80>
ServerAdmin webmaster@acmecorp.com
ServerName dev.acmecorp.com
ErrorLog /var/www/dev.acmecorp.com/logs/error_log
TransferLog /var/www/dev.acmecorp.com/logs/access_log
<Location /trac>
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /var/lib/trac/myproject
PythonOption TracUriRoot /trac
</Location>
<Location /trac/login>
AuthType Basic
AuthName trac
AuthUserFile /var/lib/svn/myproject/conf/svnusers
Require valid-user
</Location>
<Location /svn>
DAV svn
SVNPath /var/lib/svn/myproject
AuthzSVNAccessFile /var/lib/svn/myproject/conf/authz
AuthType Basic
AuthName svn
AuthUserFile /var/lib/svn/myproject/conf/svnusers
Require valid-user
</Location>
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerAdmin webmaster@acmecorp.com
ServerName dev.acmecorp.com:443
ErrorLog /var/www/dev.acmecorp.com/logs/error_log
TransferLog /var/www/dev.acmecorp.com/logs/access_log
<Location /trac>
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /var/lib/trac/myproject
PythonOption TracUriRoot /trac
</Location>
<Location /trac/login>
AuthType Basic
AuthName trac
AuthUserFile /var/lib/svn/myproject/conf/svnusers
Require valid-user
</Location>
<Location /svn>
DAV svn
SVNPath /var/lib/svn/myproject
AuthzSVNAccessFile /var/lib/svn/myproject/conf/authz
AuthType Basic
AuthName svn
AuthUserFile /var/lib/svn/myproject/conf/svnusers
Require valid-user
</Location>
</VirtualHost> |
The IP address is used only for this virtual host:
Code: | # grep -R 1.2.3.4 /etc/apache2/*
vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:80
vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:443
vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:80>
vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:443> |
Missing SSLEngine, etc.
Note the absence of SSLEngine On and other SSL commands from the above vhost .conf. When I add SSLEngine On to the :443 VirtualHost section, apache fails to start. I don't know why, exactly. The (one) modification to 41_mod_ssl.default-vhost.conf would have created appropriate default values for CertificateKeyFile, I thought. Is this the case?
The Errors and Log Information
Apache starts with the above configuration, but a telling, twice-repeated error line appears in error_log:
Code: | #tail /var/log/apache2/error_log
[warn] Init: (dev.acmecorp.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[warn] Init: (dev.acmecorp.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[notice] Apache configured -- resuming normal operations |
Testing the running configuration with openssl s_client:
Code: | # openssl s_client -connect dev.acmecorp.com:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80beee0 [0x80bef28] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b aa e6 b1 ............+...
0060 - 93 ba 08 f0 10 40 af 23-18 83 69 21 89 df 6f 3a .....@.#..i!..o:
0070 - a8 43 8f d4 44 99 af a4-5b fa 87 6e .C..D...[..n
SSL_connect:SSLv2/v3 write client hello A
read from 0x80beee0 [0x80c4488] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59 <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
4664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567: |
Curl gives a similar error condition:
Code: | # curl https://dev.acmecorp.com/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol |
And that's about all I can think of to quote here for a start. I'm happy to check anything else someone thinks might be the matter. Thanks for any help, SSL debugging is a relatively new experience here.
mod_python PythonHandler Error (unrelated?)
BTW, there is an unrelated error in the mod_python PythonHandler command, if anyone knows the answer to that.
Code: | # /usr/sbin/apache2 -S
Syntax error on line 11 of /etc/apache2/vhosts.d/dev.acmecorp.com.conf:
Invalid command 'PythonHandler', perhaps mis-spelled or defined by a module not included in the server configuration |
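A check for the misconfiguration described in this post, added here as an example (it is not the poster's code and not part of Gentoo's Apache setup): it parses a vhost file like the one quoted above and flags any <VirtualHost> bound to port 443 that lacks `SSLEngine on`, which is what makes Apache answer TLS handshakes with plain HTTP. The sample config is constructed to mirror the quoted file.

```python
import re

# Constructed sample modelled on the vhost file quoted above: the :443
# VirtualHost carries no SSLEngine directive, so Apache answers TLS
# handshakes on 443 with plain HTTP (the "HTTP(80) on HTTPS(443)" warning).
SAMPLE_VHOST_CONF = """\
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:80>
    ServerName dev.acmecorp.com
    <Location /trac>
        SetHandler mod_python
    </Location>
</VirtualHost>
<VirtualHost 1.2.3.4:443>
    ServerName dev.acmecorp.com:443
    ErrorLog /var/www/dev.acmecorp.com/logs/error_log
    <Location /svn>
        DAV svn
    </Location>
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*?)\s*$")

# Directives mod_ssl needs for a TLS vhost (SSLCertificateKeyFile may also be
# inherited from the server context, as the default-vhost file above does).
SSL_DIRECTIVES = ("sslengine", "sslcertificatefile", "sslcertificatekeyfile")


def parse_vhosts(conf_text):
    """Return [(addresses, directives)] for every <VirtualHost> block.
    Directives inside nested sections (<Location>, <Directory>, ...) are
    skipped: SSLEngine only counts at vhost level."""
    vhosts, current, depth = [], None, 0
    for line in conf_text.splitlines():
        stripped = line.strip()
        if current is None:
            m = VHOST_OPEN.match(line)
            if m:
                current, depth = (m.group(1).split(), {}), 0
            continue
        if VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
        elif stripped.startswith("</"):
            depth -= 1
        elif stripped.startswith("<"):
            depth += 1
        elif depth == 0:
            d = DIRECTIVE.match(line)
            if d:
                current[1][d.group(1).lower()] = d.group(2)
    return vhosts


def port_of(address):
    """Port part of an addr:port token; '*' when unspecified."""
    return address.rsplit(":", 1)[1] if ":" in address else "*"


def find_plaintext_on_443(conf_text):
    """List (addresses, missing_directives) for every vhost bound to port
    443 that does not have 'SSLEngine on'. Such a vhost is what produces the
    501 'Invalid method in request \\x16\\x03\\x01' entries: the client's TLS
    ClientHello is parsed as an HTTP request line."""
    findings = []
    for addresses, directives in parse_vhosts(conf_text):
        if not any(port_of(a) == "443" for a in addresses):
            continue
        if directives.get("sslengine", "off").lower() != "on":
            missing = [d for d in SSL_DIRECTIVES if d not in directives]
            findings.append((" ".join(addresses), missing))
    return findings


if __name__ == "__main__":
    for addr, missing in find_plaintext_on_443(SAMPLE_VHOST_CONF):
        print(f"{addr}: no SSLEngine on; missing {', '.join(missing)}")
```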
bunkacid (Tux's lil' helper)
Joined: 11 Jan 2005 Posts: 111 Location: Laguna Hills, CA
Posted: Tue Dec 19, 2006 11:11 am
When making the certificate, the "Common Name" is the Fully Qualified Domain Name of the vhost.
In my configuration, the certificates do not need to be readable by the apache user, or group.
In fact, the file permissions for the SSL-related files should be read-only. Code: | chmod 400 sslcertfile |
I do not use the 42_mod_ssl.default-vhost.conf for much outside of the basic mod_ssl configuration.
Using the Default Vhost file for your hosting will bring any undefined host to this vhost. So I like to keep the default blank, using a new vhost for new hosts.
I keep the host based information in the vhost configuration for each host, within each VirtualHost directive.
/etc/apache2/vhosts.d/02_virtual.hostname.here.conf
Each one of these is for a single host. Inside are the VirtualHost directives for the port 80, 81, and port 443 (SSL) enabled vhosts.
I also wrap my SSL enabled VirtualHost with IfDefine SSL within each host file. There is probably a better way to do this, but it works for me.
Code: | <IfDefine SSL>
<IfModule mod_ssl.c>
##
## SSL Virtual Host Context
##
<VirtualHost *:443>
# blah
</VirtualHost>
</IfModule>
</IfDefine>
|
Another tool you should be using for configuration of your vhosts is:
Code: | apache2ctl -t -D DUMP_VHOSTS |
It's your best friend.
And as for the Python help, I'm not too sure.
Make sure your /etc/conf.d/apache2 contains something similar to this.
Code: | APACHE2_OPTS="-D USERDIR -D PHP5 -D SSL -D DAV -D DAV_FS -D PYTHON" |
Also read the comments in there for more help.
Hope this helps.
jeffk (l33t)
Joined: 13 Sep 2003 Posts: 671
Posted: Tue Dec 19, 2006 5:38 pm Post subject: Re: apache2 vhost ssl: You configured HTTP(80) on HTTPS(443)
jeffk wrote: | Apache OPTS
APACHE2_OPTS has SSL SSL_DEFAULT_VHOST, plus the subversion and mod_python options I need for trac and subversion:
Code: | # grep OPTS= /etc/conf.d/apache2
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PROXY -D INFO -D MIME -D DAV -D DAV_FS -D SVN -D SVN_AUTHZ -D PYTHON" |
|
I agree that explicitly defined SSL vhosts are the best strategy, at least while I'm starting out. Do you recommend removing the -D SSL_DEFAULT_VHOST from OPTS, then? The docs say include it unless I know what I'm doing.
Also note from the original post that I only make the one change to the stock 41_mod_ssl.default-vhost.conf (on my system, "42" is 42_mod_proxy.conf):
Code: | # grep -R SSLCertificateKeyFile /etc/apache2/
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:#SSLCertificateKeyFile conf/ssl/server.key
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:SSLCertificateKeyFile conf/ssl/server.pem |
bunkacid (Tux's lil' helper)
Joined: 11 Jan 2005 Posts: 111 Location: Laguna Hills, CA
Posted: Tue Dec 19, 2006 10:00 pm Post subject: Re: apache2 vhost ssl: You configured HTTP(80) on HTTPS(443)
jeffk wrote: |
I agree that explicitly defined SSL vhosts are the best strategy, at least while I'm starting out. Do you recommend removing the -D SSL_DEFAULT_VHOST from OPTS, then? The docs say include it unless I know what I'm doing.
|
Well, by not providing a default SSL VHOST, whatever is the first VHOST on that port will by default become the default VHOST. For example, if https://joesburgershack.com.fake.tld pointed to the same IP as your real site, your real site would pick up that traffic. So unless you want that, keep the blank default vhost in place to pick up the junk.
jeffk wrote: |
Also note from the original post that I only make the one change to the stock 41_mod_ssl.default-vhost.conf (on my system, "42" is 42_mod_proxy.conf:
Code: | # grep -R SSLCertificateKeyFile /etc/apache2/
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:#SSLCertificateKeyFile conf/ssl/server.key
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:SSLCertificateKeyFile conf/ssl/server.pem |
|
42? Sorry, I wrote that by hand instead of cut and paste.
For the default vhost, since the file already exists, you can use 41_mod_ssl.default-vhost.conf to configure the default vhost. Or put that information in the same file as 00_default_vhost.conf.
I personally just like to keep each defined SSL virtualhost, even the defaults, within the same file as the non-SSL hostname. To me this makes it easier to manage. You could put them in separate files if you choose, though.
jeffk (l33t)
Joined: 13 Sep 2003 Posts: 671
Posted: Mon Jan 22, 2007 7:20 pm
bunkacid wrote: | I totally forgot about this.
While port 80 is able to host a rather unlimited number of virtualhosts correctly, in order for SSL-enabled virtualhosts to work properly each must live on a separate IP/port combination.
Although you can have more than 1 virtualhost per SSL-enabled port, the certificate file used will be from the first SSL configuration directive. When this happens the browser will throw an error about a mismatched, or possibly malicious, host when you attempt to access the non-default virtualhost for that port.
|
Per my original posted configuration, I am only using this static IP for this vhost. I think I'm avoiding the issue you're referring to.
jeffk wrote: | The IP address is used only for this virtual host:
Code: | # grep -R 1.2.3.4 /etc/apache2/*
vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:80
vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:443
vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:80>
vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:443> |
|
And just to confirm that the IP isn't used again elsewhere in /etc:
Code: | /etc # egrep -R '1.2.3.4|dev.acmecorp.com' *
apache2/vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:80
apache2/vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:443
apache2/vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:80>
apache2/vhosts.d/dev.acmecorp.com.conf: ServerName dev.acmecorp.com
apache2/vhosts.d/dev.acmecorp.com.conf: ErrorLog /var/www/dev.acmecorp.com/logs/error_log
apache2/vhosts.d/dev.acmecorp.com.conf: TransferLog /var/www/dev.acmecorp.com/logs/access_log
apache2/vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:443>
apache2/vhosts.d/dev.acmecorp.com.conf: ServerName dev.acmecorp.com:443
apache2/vhosts.d/dev.acmecorp.com.conf: ErrorLog /var/www/dev.acmecorp.com/logs/error_log
apache2/vhosts.d/dev.acmecorp.com.conf: TransferLog /var/www/dev.acmecorp.com/logs/access_log
conf.d/net: "1.2.3.4 netmask 255.255.255.192 broadcast 1.2.3.255" |
Any other ideas on what this issue could be? Thanks.
bunkacid (Tux's lil' helper)
Joined: 11 Jan 2005 Posts: 111 Location: Laguna Hills, CA
Posted: Mon Jan 22, 2007 8:39 pm
OK, it's been a while...
So if the address is only for 1 vhost,
have you tried accessing the site by IP?
https://1.2.3.4/
Also, what do the logs and SSL logs say?
jeffk (l33t)
Joined: 13 Sep 2003 Posts: 671
Posted: Mon Jan 22, 2007 9:36 pm
bunkacid wrote: | have you tried accessing the site by IP? Also what does the logs and ssl logs say? |
No change from the initial tests, but here's some more detail:
Code: | Firefox on the client:
https://1.2.3.164 (response) 1.2.3.4 has sent an unexpected or incorrect message. Error Code: -12263
https://dev.acmecorp.com (response) dev.acmecorp.com has sent an unexpected or incorrect message. Error Code: -12263 |
Code: | $ openssl s_client -connect dev.acmecorp.com:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80bd738 [0x80be7c0] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 a6 9e cf 7a ...............z
0060 - fd 6c 1a ce 27 ec 13 fa-dd c1 d0 3a d8 be 92 bb .l..'......:....
0070 - 6b 85 4f 97 d5 52 83 35-6d 8f 37 3b k.O..R.5m.7;
SSL_connect:SSLv2/v3 write client hello A
read from 0x80bd738 [0x80c3d20] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59 <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
411:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
$ openssl s_client -connect 1.2.3.4:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80bd680 [0x80bdd00] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 84 16 43 86 ..............C.
0060 - 58 c6 19 0d 0a e5 44 30-a4 0c 19 ac ce 66 d1 44 X.....D0.....f.D
0070 - 10 42 63 59 f3 94 a7 f9-e3 8f 2d 6f .BcY......-o
SSL_connect:SSLv2/v3 write client hello A
read from 0x80bd680 [0x80c3260] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59 <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
719:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
$ openssl s_client -connect 1.2.3.4:443/trac -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80bd680 [0x80bdd00] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 75 85 90 e2 ............u...
0060 - 6b 08 c0 ba 4c 63 5d 07-94 8c 4c cb d6 57 a0 3e k...Lc]...L..W.>
0070 - 8b 45 a3 29 3f 9d 29 66-8f 0f 5d 4b .E.)?.)f..]K
SSL_connect:SSLv2/v3 write client hello A
read from 0x80bd680 [0x80c3260] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59 <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
720:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
$ curl https://dev.acmecorp.com
curl: (35) gnutls_handshake() failed: -8
$ curl https://dev.acmecorp.com/
curl: (35) gnutls_handshake() failed: -8
$ curl https://1.2.3.4
curl: (35) gnutls_handshake() failed: -8
$ curl https://1.2.3.4/
curl: (35) gnutls_handshake() failed: -8
$ curl https://1.2.3.4/trac
curl: (35) gnutls_handshake() failed: -8 |
Code: | # tail /var/www/dev.acmecorp.com/logs/error_log
[Mon Jan 22 16:01:14 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:01:42 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:01:56 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:09:33 2007] [error] [client 4.3.2.1] Invalid method in request \x80z\x01\x03\x01
[Mon Jan 22 16:10:00 2007] [error] [client 4.3.2.1] Invalid method in request \x80z\x01\x03\x01
[Mon Jan 22 16:10:27 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:10:29 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:10:51 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:10:59 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:11:02 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
# tail /var/www/dev.acmecorp.com/logs/access_log
4.3.2.1 - - [22/Jan/2007:16:01:14 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:01:42 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:01:56 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:09:33 -0500] "\x80z\x01\x03\x01" 501 281
4.3.2.1 - - [22/Jan/2007:16:10:00 -0500] "\x80z\x01\x03\x01" 501 281
4.3.2.1 - - [22/Jan/2007:16:10:27 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:10:29 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:10:51 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:10:59 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:11:02 -0500] "\x16\x03\x01" 501 279 |
This command's output is munged with search-replace, but I took care not to introduce errors. The IPs are offset from their actual values, 1.2.3.4 is the one of interest to this thread:
Code: | # apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
1.2.3.0:* is a NameVirtualHost
default server www.acmecorp1.com (/etc/apache2/vhosts.d/acmecorp1.com.conf:3)
port * namevhost www.acmecorp1.com (/etc/apache2/vhosts.d/acmecorp1.com.conf:3)
1.2.3.3:* is a NameVirtualHost
default server acmecorp2.acmecorp.com (/etc/apache2/vhosts.d/acmecorp2.acmecorp.com.conf:1)
port * namevhost acmecorp2.acmecorp.com (/etc/apache2/vhosts.d/acmecorp2.acmecorp.com.conf:1)
port * namevhost acmecorp3.acmecorp.com (/etc/apache2/vhosts.d/acmecorp3.acmecorp.com.conf:1)
port * namevhost www.acmecorp4.com (/etc/apache2/vhosts.d/acmecorp4.com.conf:1)
port * namevhost dev1.acmecorp.com (/etc/apache2/vhosts.d/dev1.acmecorp.com.conf:1)
port * namevhost www.acmecorp5.com (/etc/apache2/vhosts.d/acmecorp5.com.conf:1)
port * namevhost www.acmecorp6.net (/etc/apache2/vhosts.d/acmecorp6.com.conf:1)
1.2.3.4:80 is a NameVirtualHost
default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
port 80 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
1.2.3.4:443 is a NameVirtualHost
default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32)
port 443 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32)
1.2.3.12:* is a NameVirtualHost
default server www.acmecorp7.com (/etc/apache2/vhosts.d/acmecorp7.com.conf:3)
port * namevhost www.acmecorp7.com (/etc/apache2/vhosts.d/acmecorp7.com.conf:3)
1.2.3.13:* is a NameVirtualHost
default server www.acmecorp8.com (/etc/apache2/vhosts.d/acmecorp8.com.conf:1)
port * namevhost www.acmecorp8.com (/etc/apache2/vhosts.d/acmecorp8.com.conf:1)
1.2.3.14:* is a NameVirtualHost
default server www.acmecorp9.com (/etc/apache2/vhosts.d/acmecorp9.com.conf:3)
port * namevhost www.acmecorp9.com (/etc/apache2/vhosts.d/acmecorp9.com.conf:3)
1.2.3.25:* is a NameVirtualHost
default server www.acmecorp10.com (/etc/apache2/vhosts.d/acmecorp10.com.conf:3)
port * namevhost www.acmecorp10.com (/etc/apache2/vhosts.d/acmecorp10.com.conf:3)
port * namevhost dev2.acmecorp.com (/etc/apache2/vhosts.d/dev2.acmecorp.com.conf:1)
port * namevhost www.acmecorp11.com (/etc/apache2/vhosts.d/acmecorp11.com.conf:1)
1.2.3.26:* is a NameVirtualHost
default server www.acmecorp12.com (/etc/apache2/vhosts.d/acmecorp12.com.conf:3)
port * namevhost www.acmecorp12.com (/etc/apache2/vhosts.d/acmecorp12.com.conf:3)
1.2.3.29:* www.acmecorp13.com (/etc/apache2/vhosts.d/acmecorp13.com.conf:1)
1.2.3.10:* is a NameVirtualHost
default server www.acmecorp14.com (/etc/apache2/vhosts.d/acmecorp14.com.conf:3)
port * namevhost www.acmecorp14.com (/etc/apache2/vhosts.d/acmecorp14.com.conf:3)
port * namevhost www.acmecorp14.org (/etc/apache2/vhosts.d/acmecorp14.org.conf:3)
1.2.3.11:* is a NameVirtualHost
default server www.acmecorp15.com (/etc/apache2/vhosts.d/acmecorp15.com.conf:3)
port * namevhost www.acmecorp15.com (/etc/apache2/vhosts.d/acmecorp15.com.conf:3)
1.2.3.21:* is a NameVirtualHost
default server www.acmecorp16.com (/etc/apache2/vhosts.d/acmecorp16.com.conf:1)
port * namevhost www.acmecorp16.com (/etc/apache2/vhosts.d/acmecorp16.com.conf:1)
port * namevhost www.acmecorp17.com (/etc/apache2/vhosts.d/acmecorp17.com.conf:1)
wildcard NameVirtualHosts and _default_ servers:
_default_:443 localhost (/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:12)
*:80 is a NameVirtualHost
default server myhost.acmecorp.com (/etc/apache2/vhosts.d/00_default_vhost.conf:41)
port 80 namevhost myhost.acmecorp.com (/etc/apache2/vhosts.d/00_default_vhost.conf:41)
Syntax OK |
Last edited by jeffk on Tue Jan 23, 2007 1:23 am; edited 1 time in total
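An added example (not from any of this thread's participants) that reads access_log lines like the ones above: it undoes Apache's \xHH log escaping, recognises the escaped request bytes as TLS or SSLv2-style ClientHellos, and classifies the "<!DOCTY" bytes s_client received as a plaintext HTTP reply. The log lines are constructed to match the quoted ones.

```python
import re

# Constructed log lines modelled on the access_log quoted above (Apache
# writes non-printable request bytes as \xHH and printable ones literally,
# so the SSLv2-style hello 80 7a 01 03 01 appears as "\x80z\x01\x03\x01").
SAMPLE_ACCESS_LOG = r"""
4.3.2.1 - - [22/Jan/2007:16:01:14 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:09:33 -0500] "\x80z\x01\x03\x01" 501 281
4.3.2.1 - - [22/Jan/2007:16:12:00 -0500] "GET /trac HTTP/1.1" 200 4321
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\d+|-)$')
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\(.)")
SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "v": b"\v",
                  "b": b"\b", "\\": b"\\", '"': b'"'}


def unescape_logitem(text):
    """Reverse Apache's log-item escaping and return the raw request bytes."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            ch = m.group(2)
            out += SIMPLE_ESCAPES.get(ch, b"\\" + ch.encode("latin-1"))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def classify_request(raw):
    """Identify what the client actually sent where Apache expected an
    HTTP request line."""
    # TLS record layer: content type 0x16 (handshake), version 3.0..3.4
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04:
        return "tls-record-client-hello"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set
    # (0x807a = 122 bytes, matching the 124-byte write in s_client -debug),
    # then message type 1 and the highest version offered (03 01 = TLS 1.0).
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] == 0x03:
        return "sslv2-compat-client-hello"
    if re.match(rb"^[A-Z]{3,7} \S+ HTTP/\d\.\d$", raw):
        return "http-request"
    return "unknown"


def classify_server_reply(first_bytes):
    """The mirror check for what s_client -debug printed: a TLS server
    answers a ClientHello with a handshake (0x16) or alert (0x15) record;
    '<!DOCTY' or 'HTTP/' means a plaintext web server sits on the port."""
    if first_bytes[:1] in (b"\x16", b"\x15"):
        return "tls"
    if first_bytes.startswith((b"HTTP/", b"<")):
        return "plaintext-http"
    return "unknown"


def find_tls_on_http_listener(access_log_text):
    """Return (client, timestamp, kind, status) for each access_log entry
    whose 'request' was really a TLS/SSL ClientHello. A run of these with
    status 501 is the signature of a port-443 vhost without SSLEngine on."""
    hits = []
    for line in access_log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, stamp, request, status, _size = m.groups()
        kind = classify_request(unescape_logitem(request))
        if kind.endswith("client-hello"):
            hits.append((client, stamp, kind, int(status)))
    return hits


if __name__ == "__main__":
    for client, stamp, kind, status in find_tls_on_http_listener(SAMPLE_ACCESS_LOG):
        print(f"{stamp} {client}: {kind} answered with HTTP {status}")
    # the 7 bytes s_client read back: 3c 21 44 4f 43 54 59 = "<!DOCTY"
    print(classify_server_reply(bytes.fromhex("3c21444f435459")))  # plaintext-http
```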
bunkacid (Tux's lil' helper)
Joined: 11 Jan 2005 Posts: 111 Location: Laguna Hills, CA
Posted: Tue Jan 23, 2007 1:06 am
Try specifying the ports for each vhost instead of using
Code: | 1.2.3.4:* is a NameVirtualHost |
Code: | 1.2.3.4:80 is a NameVirtualHost
1.2.3.4:443 is a NameVirtualHost
|
jeffk (l33t)
Joined: 13 Sep 2003 Posts: 671
Posted: Tue Jan 23, 2007 1:22 am
bunkacid wrote: | try specifying the ports for each vhost? instead of using
Code: | 1.2.3.4:* is a NameVirtualHost |
(use)
Code: | 1.2.3.4:80 is a NameVirtualHost
1.2.3.4:443 is a NameVirtualHost
| (edited for clarity) |
Not sure what you meant there. 1.2.3.4 is the static IP of the NameVirtualHost I'm trying to reach via https, and it's the only one set up as you specified, if I'm understanding you correctly:
Code: | 1.2.3.4:80 is a NameVirtualHost
default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
port 80 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
1.2.3.4:443 is a NameVirtualHost
default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32)
port 443 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32) |
Code: | # cat /etc/apache2/vhosts.d/dev.acmecorp.com.conf
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:80>
...
</VirtualHost>
<VirtualHost 1.2.3.4:443>
...
</VirtualHost> |
I'm not trying to reach the other IP/NameVirtualHosts via SSL, because several of them are sharing IPs, which I know I won't be able to do.
bunkacid (Tux's lil' helper)
Joined: 11 Jan 2005 Posts: 111 Location: Laguna Hills, CA
Posted: Tue Jan 23, 2007 6:24 pm
jeffk wrote: | bunkacid wrote: | try specifying the ports for each vhost? instead of using
Code: | 1.2.3.4:* is a NameVirtualHost |
(use)
Code: | 1.2.3.4:80 is a NameVirtualHost
1.2.3.4:443 is a NameVirtualHost
| (edited for clarity) |
Not sure what you meant there. 1.2.3.4 is the static IP of the NameVirtualHost I'm trying to reach via https, and it's the only one set up as you specified, if I'm understanding you correctly:
Code: | 1.2.3.4:80 is a NameVirtualHost
default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
port 80 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
1.2.3.4:443 is a NameVirtualHost
default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32)
port 443 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32) |
Code: | # cat /etc/apache2/vhosts.d/dev.acmecorp.com.conf
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:80>
...
</VirtualHost>
<VirtualHost 1.2.3.4:443>
...
</VirtualHost> |
I'm not trying to reach the other IP/NameVirtualHosts via SSL, because several of them are sharing IPs, which I know I won't be able to do. |
They can share the same IP address with SSL, just not the same port.
You would have to use TCP/44300, TCP/44301, for example, and use mod_rewrite to send clients to the SSL host via the non-SSL port 80 vhost.
Also, I meant to use a specified port for the vhosts on your box which have * set for the port.
Gotta run.
sundialsvc4 (Guru)
Joined: 10 Nov 2005 Posts: 436
Posted: Fri Feb 09, 2007 3:20 am
Not quite on-topic, but worth mentioning because you will run into it sooner or later...
"CSS Stylesheets!"
When you are serving up an SSL-protected page, the stylesheet used in that page must come from an "HTTPS:" URI.
buzzin (Apprentice)
Joined: 17 Oct 2003 Posts: 264 Location: St. Albans, UK.
Posted: Tue Apr 10, 2007 3:52 pm
I ran into this issue and found that adding the following in each vhost def resolved it.