Multiple Websites and Subdomains with SSL/TLS in Apache2: Virtualhosts

Want to host more than one website on your Raspberry Pi, without having to pay for multiple IP addresses? You can do this easily using Apache’s name-based VirtualHost configuration feature.

This feature lets a visitor connect to your Raspberry Pi (or any other server) and be served different content depending on the Host header their browser sends with the request. It is automatic and invisible to the user: they type your web address into the address bar, the browser puts that name in the Host header, and your server uses it to decide which website to display. Unless you tell them, they won’t know the Pi is also hosting other content.

General Rules

Out of the box, Apache2 on Raspbian ships two files containing VirtualHost configuration. One is /etc/apache2/sites-available/default and the other is /etc/apache2/sites-available/default-ssl (on newer releases running Apache 2.4 they are called 000-default.conf and default-ssl.conf, and only files ending in .conf are picked up from sites-enabled). The default file is enabled (a2ensite symlinks it into /etc/apache2/sites-enabled) and default-ssl is not.

You can have as many or as few VHosts as you like; you can put all the VirtualHosts in the same file, or store them separately – Apache2 will work just the same either way.

If you opt for the different files method, here are some useful commands. Use this one to enable a site you’ve added to /etc/apache2/sites-available/site:

sudo a2ensite site

And use this one to disable it again:

sudo a2dissite site

Apache reads the files in /etc/apache2/sites-enabled/ in alphanumerical order. For a given address and port, the first VirtualHost block it reads becomes the default, and is used when the request carries no Host header at all (HTTP/1.0 clients, some scanners) or when the Host header matches nothing.

If more than one VirtualHost is defined, then Apache matches the host header against the ServerName and ServerAlias directives defined in the VirtualHosts to decide which content to serve.

If no host header is sent, or a match cannot be found, then the default VHost is used. You can check which VHost is the default by typing the Pi’s IP address into your browser’s address bar: a bare IP address never matches a ServerName, so you land on the default.

If you’re confused by this, don’t worry. It’ll probably make sense when you see some examples. I’m going to cover HTTP hosts first because they’re easiest, and then move on to SSL/TLS HTTPS hosts because they have some extra bits to consider.

HTTP Hosts

Here is a typical VirtualHost block:

<VirtualHost *:80>
        ServerAdmin webmaster@samhobbs.co.uk
        ServerName www.samhobbs.co.uk:80
        ServerAlias samhobbs.co.uk

        DocumentRoot /var/www
 
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/samhobbs/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/samhobbs/access.log combined
</VirtualHost>
  1. The VirtualHost line tells Apache this block applies to connections on any local IP address, port 80
  2. ServerAdmin defines the email address shown on Apache’s generated error pages so that users can contact you about problems. It is public, so use a role address you are happy to expose
  3. ServerName is the fully qualified domain name of the site. You can optionally include the port, e.g. www.example.com:80 for port 80
  4. ServerAlias provides additional names (wildcards such as *.example.com are allowed) to match against the Host header when Apache is deciding which virtual host to use.
  5. DocumentRoot is the path to the directory that contains all the site data. In Debian, Apache’s data directory is /var/www. If you have several sites, make a directory for each, like /var/www/site1 and /var/www/site2, and specify the appropriate one here
  6. Directory-specific options can be set inside a Directory block. Options starts the list
    • Indexes means that if there is no index.html or index.php file inside the directory, Apache generates a listing of everything in it. That listing includes whatever you left lying around (backup copies, config files, uploads), so unless you actually want browsable directories, use -Indexes.
    • FollowSymLinks allows Apache to follow symbolic links
    • MultiViews allows content negotiation, where the server decides which version of a page (if more than one version exists) to send based on the browser’s preferences. Be aware that a request for /foo can then be answered by /foo.php or /foo.html, so a rule written for one exact filename may not apply.
    • AllowOverride all means that the server configuration can be overridden by an .htaccess file placed inside the directory. Anyone who can write to the DocumentRoot (a compromised upload form, a sloppy FTP account) can then change how Apache handles files there, and Apache has to look for .htaccess files on every request; restrict it to the override types you need, or None if you don’t use .htaccess at all.
    • The “Order allow,deny / allow from all” lines control which client IP ranges are let in. This pair allows everyone. They are Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all granted (Require all denied for a blocking block), and the old form only keeps working while mod_access_compat is loaded.
  7. ErrorLog specifies where Apache should write the error log for this VHost. ${APACHE_LOG_DIR} is /var/log/apache2. I like to create a directory per VHost like /var/log/apache2/samhobbs and put the log files there (the directory must exist before Apache starts, or it will refuse to start).
  8. LogLevel specifies the lowest severity of event that is written to the error log.
  9. CustomLog with the combined format records access, user agent and referrer in one file.

Adding More VHosts

#============================== ANTI PROXY SPAM =============================

<VirtualHost *:80>
        ServerName default.only
        <Location />
                Order allow,deny
                Deny from all
        </Location>

        ErrorLog ${APACHE_LOG_DIR}/spam/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/spam/access.log combined

</VirtualHost>

#================================= WEBSITE ===================================

<VirtualHost *:80>
        ServerAdmin webmaster@samhobbs.co.uk
        ServerName www.samhobbs.co.uk:80
        ServerAlias samhobbs.co.uk

        DocumentRoot /var/www/samhobbs/
 
        <Directory /var/www/samhobbs/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/samhobbs/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/samhobbs/access.log combined
</VirtualHost>

#============================= SECOND WEBSITE ===============================

<VirtualHost *:80>
        ServerAdmin webmaster@samhobbs.co.uk
        ServerName tomhobbs.co.uk:80
        ServerAlias www.tomhobbs.co.uk

        DocumentRoot /var/www/tomhobbs/
 
        <Directory /var/www/tomhobbs/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/tomhobbs/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/tomhobbs/access.log combined
</VirtualHost>

In the above file, there are two “real” websites (www.samhobbs.co.uk and tomhobbs.co.uk) plus that default VHost that blocks everything else.

Notice that:

  1. Each “real” website has its own directory (e.g. /var/www/site1 and /var/www/site2). If you place one website inside another’s directory then website 2 will be reachable from within website 1, e.g. www.site1.com/site2/
  2. Each website’s logs are written to a separate location (/var/log/apache2/site1 and /var/log/apache2/site2) for ease of use. This is also handy if you want to use something like Webalizer for analytics.
  3. The webmaster email address is the same for both because in both cases I’m the admin

The default.only VHost is just there to block drive-by spam and automated scripts that hammer IP addresses at random. My public IP address is 195.166.151.235 – try pasting this into your address bar to see how the default VHost looks to anyone trying the server by its IP.

This blocks more noise than you might think, and takes some load off your server: no legitimate user types an IP address into their browser to visit your page, so processing power and bandwidth are kept for real visitors. Be clear about what it is, though: it is a filter on the Host header, not an access control. A scanner that knows your domain name, or simply sends the matching name, gets the real site, so each site still has to be secured in its own right.
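To make the selection rules concrete, here is a small Python model of how Apache picks a VirtualHost for a request, written for this page as an added example rather than code from the post or from Apache itself. It encodes the rules given under General Rules: the Host header is compared, case-insensitively and without its port, against ServerName and ServerAlias in the order the blocks were read, and the first block (here default.only) is the fallback for a missing or unmatched Host. Only *:80 blocks on one address are modelled, and the fnmatch wildcard handling for ServerAlias is an approximation of Apache’s own matcher.

```python
"""Model of Apache's name-based VirtualHost selection.

Added example (not code from the original post). It follows the rules the
text describes: the Host header, or the TLS SNI name, is compared
case-insensitively and with any :port stripped against each block's
ServerName and ServerAlias values, in the order the blocks were read; the
first block is the default and is used when no Host header is sent or
nothing matches. Only *:80 blocks on one address are modelled, and
ServerAlias wildcards use fnmatch as an approximation of Apache's matcher.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class VHost:
    server_name: str                       # may carry a port, e.g. "www.samhobbs.co.uk:80"
    aliases: List[str] = field(default_factory=list)
    document_root: Optional[str] = None    # None models a block that denies everything

    def names(self):
        yield self.server_name.rsplit(":", 1)[0].lower()
        for alias in self.aliases:
            yield alias.lower()


def normalise_host(host_header: Optional[str]) -> Optional[str]:
    """Lower-case the Host value and strip an optional :port (IPv6 literals keep their brackets)."""
    if host_header is None or not host_header.strip():
        return None
    host = host_header.strip().lower()
    if host.startswith("["):                      # [::1]:80 -> [::1]
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def select_vhost(vhosts: List[VHost], host_header: Optional[str]) -> VHost:
    """Return the VirtualHost Apache would route this request to.

    vhosts must be in the order Apache read them: vhosts[0] is the default.
    """
    if not vhosts:
        raise ValueError("no VirtualHost blocks configured")
    host = normalise_host(host_header)
    if host is not None:
        for vh in vhosts:
            if any(fnmatchcase(host, pattern) for pattern in vh.names()):
                return vh
    return vhosts[0]


def serve(vhosts: List[VHost], host_header: Optional[str]) -> Tuple[int, Optional[str]]:
    """(status, DocumentRoot) the request would get; 403 for the deny-all block."""
    vh = select_vhost(vhosts, host_header)
    if vh.document_root is None:
        return 403, None
    return 200, vh.document_root


# The three *:80 blocks from the post, in file order: default.only first.
SITES = [
    VHost("default.only"),
    VHost("www.samhobbs.co.uk:80", ["samhobbs.co.uk"], "/var/www/samhobbs/"),
    VHost("tomhobbs.co.uk:80", ["www.tomhobbs.co.uk"], "/var/www/tomhobbs/"),
]

if __name__ == "__main__":
    # Requests by name reach a site; requests by IP, with no Host header, or
    # for an unknown name fall through to default.only and get a 403.
    for hdr in ["www.samhobbs.co.uk", "SamHobbs.co.uk:80", "www.tomhobbs.co.uk",
                "195.166.151.235", None, "scanner.example"]:
        print(f"Host: {str(hdr):22} -> {serve(SITES, hdr)}")
```

Run it and you will see that a request by IP address, a request with no Host header, and a request for a name you don’t host all land on default.only and get a 403, which is exactly why that block has to be the first one Apache reads.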

Here’s an example of a request that was blocked by this technique. Decoding the percent-encoding (%63%67%69%2D%62%69%6E is cgi-bin) shows a POST to /cgi-bin/php with a query string made of -d options: allow_url_include=on, safe_mode=off, auto_prepend_file=php://input and so on. That is the php-cgi argument-injection attack (CVE-2012-1823): on an exposed, unpatched PHP CGI binary those options would be applied as command-line flags and the POST body executed as PHP. The empty referrer and user agent are typical of the tooling too. Here it simply got a 403 from the default VHost:

173.230.149.43 - - [07/Jan/2014:15:46:32 +0000] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 403 465 "-" "-"
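Rather than squint at that line, it can be decoded and classified mechanically. The following Python is an added example written for this page, not the author’s tooling: it parses Apache’s combined log format, percent-decodes the request target and looks for php.ini directives injected after -d. The first log line is the one above, copied from the post; the second is constructed as a benign control.

```python
"""Decode and triage the blocked request from the access log above.

Added example (not code from the original post). parse_combined() reads a
line in Apache's "combined" log format, decode_target() percent-decodes the
request target ('+' means space only in the query part), and
php_cgi_injection_findings() flags the php-cgi argument-injection pattern:
"-d" php.ini overrides passed in the query string, typically
allow_url_include=on plus auto_prepend_file=php://input so that the POST
body is executed as PHP. BLOCKED is the post's own log line; BENIGN is a
constructed control.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote, unquote_plus

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# php.ini settings that have no business in a query string; seeing them after
# a "-d" is the signature of the php-cgi command-line injection.
SUSPICIOUS_INI = {
    "allow_url_include", "auto_prepend_file", "safe_mode", "disable_functions",
    "open_basedir", "cgi.force_redirect", "cgi.redirect_status_env",
    "suhosin.simulation",
}


def parse_combined(line: str) -> Dict[str, object]:
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a combined-format log line")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_target(target: str) -> Tuple[str, str]:
    """Split the target into (path, query) and percent-decode each part."""
    path, _, query = target.partition("?")
    return unquote(path), unquote_plus(query)


def php_cgi_injection_findings(target: str) -> List[str]:
    """The injected 'key=value' options found after -d, or [] if none."""
    path, query = decode_target(target)
    tokens = query.split()                     # "-d key=val -d key=val ... -n"
    findings = [tokens[i + 1] for i, tok in enumerate(tokens[:-1])
                if tok == "-d" and tokens[i + 1].split("=", 1)[0] in SUSPICIOUS_INI]
    if findings and re.search(r"/cgi-bin/php", path):
        findings.insert(0, "path=" + path)     # the CGI binary itself was targeted
    return findings


def triage(line: str) -> Dict[str, object]:
    rec = parse_combined(line)
    rec["findings"] = php_cgi_injection_findings(rec["target"])
    rec["hostile"] = bool(rec["findings"])
    return rec


# The post's own log line, split only for readability.
BLOCKED = (
    '173.230.149.43 - - [07/Jan/2014:15:46:32 +0000] "POST '
    '//%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+'
    '%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+'
    '%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+'
    '%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+'
    '%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+'
    '%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+'
    '%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+'
    '%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'
    '%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+'
    '%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E'
    ' HTTP/1.1" 403 465 "-" "-"'
)
# Constructed control line: an ordinary page view.
BENIGN = ('192.0.2.10 - - [07/Jan/2014:16:00:00 +0000] "GET /index.php?page=about HTTP/1.1" '
          '200 1234 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for line in (BLOCKED, BENIGN):
        rec = triage(line)
        print(rec["ip"], rec["status"], "HOSTILE" if rec["hostile"] else "ok")
        for finding in rec["findings"]:
            print("   ", finding)
```

The decoded query shows auto_prepend_file=php://input twice and ends with -n (ignore php.ini), which is the whole point of the attack: every safety setting is switched off on the command line and the request body becomes the script. Feeding your own access logs through triage() is a cheap way to see how much of the traffic that hits default.only is this sort of thing.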

A note about VHost file locations

Installation instructions for some software like Squirrelmail (including my own tutorial) ask you to create symbolic links from that program’s configuration folder to Apache’s /etc/apache2/conf.d/ folder.

Remember how I said that the first VirtualHost block Apache reads becomes the default? Debian’s apache2.conf includes conf.d/ before sites-enabled/, so if the symlinked configuration files contain VirtualHost blocks, they are read before your default.only block and become the default.

So, you have two options: you can either symlink somewhere else, like /etc/apache2/sites-available/squirrelmail and then enable them (e.g. sudo a2ensite squirrelmail). This should allow you to control the order. Alternatively, you could add that default.only VirtualHost to the start of the squirrelmail config file, so that it is still read first.

HTTPS Hosts

Name-based HTTPS hosts are a little more complicated than HTTP hosts. The TLS handshake, including the choice of certificate, happens before the client sends any HTTP headers, so Apache cannot use the Host header to choose a certificate. What it can use is Server Name Indication (SNI), a TLS extension in which the client states the hostname it wants during the handshake. Apache 2.2.12 and later, built against OpenSSL 0.9.8j or later (which includes the Raspbian packages), select the VirtualHost, and therefore the certificate, from the SNI name, so each HTTPS VirtualHost can carry its own certificate. The first SSL/TLS VirtualHost block that is read still matters: its certificate is what any client that does not send SNI (very old browsers, some command-line tools and scanners, and anything connecting by bare IP address) is given, and its access rules apply to those connections too.

If you use one certificate for every HTTPS VirtualHost, as in the example below, browsers will warn for every name that isn’t on it, because the Common Name or Subject Alternative Names won’t match the domain of the second site. For websites like my brother’s that’s probably acceptable as long as you aren’t serving HTTPS to normal users, i.e. only the admin backend uses SSL/TLS: the connection is still encrypted, but you’ll have to click through a warning because the identity of the site can’t be verified, which is exactly the situation a man in the middle would put you in. If you do serve HTTPS to the public, give each site its own certificate, or use one certificate that lists all the names as Subject Alternative Names.

If you don't have your own SSL certificate you could generate one yourself and get it signed by CAcert, but note that the CAcert root is not in mainstream browser or OS trust stores, so visitors will still see a warning unless they install it; a certificate from a publicly trusted CA (Let's Encrypt issues them free of charge) avoids that.

Here’s an example:

<IfModule mod_ssl.c>
NameVirtualHost *:443

#=============================== ANTI SPAM ================================
<VirtualHost *:443>
        ServerName default.only
        <Location />
                Order allow,deny
                Deny from all
        </Location>

        SSLEngine on
        SSLCertificateFile /path/to/your/cert.crt
        SSLCertificateKeyFile /path/to/your/key.key
</VirtualHost>

#================================ WEBSITE ===================================

<VirtualHost *:443>
        ServerAdmin webmaster@samhobbs.co.uk
        ServerName www.samhobbs.co.uk
        ServerAlias samhobbs.co.uk

        DocumentRoot /var/www/samhobbs

        <Directory /var/www/samhobbs>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/samhobbs/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/samhobbs/ssl_access.log combined

        SSLEngine on
        SSLCertificateFile /path/to/your/cert.crt
        SSLCertificateKeyFile /path/to/your/key.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

#============================= SECOND WEBSITE ================================

<VirtualHost *:443>
        ServerAdmin webmaster@samhobbs.co.uk
        ServerName tomhobbs.co.uk
        ServerAlias www.tomhobbs.co.uk

        DocumentRoot /var/www/tomhobbs

        <Directory /var/www/tomhobbs>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/tomhobbs/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/tomhobbs/ssl_access.log combined

        SSLEngine on
        SSLCertificateFile /path/to/your/cert.crt
        SSLCertificateKeyFile /path/to/your/key.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

</IfModule>

Some additional things worth noting:

  1. NameVirtualHost *:443 is required before your first HTTPS VirtualHost on Apache 2.2, and tells Apache you want name-based SSL/TLS VirtualHosts. On Apache 2.4 name-based hosting is automatic, the directive does nothing and logs a warning (AH00548), so leave it out there.
  2. You may see an IfModule statement bracketing your SSL hosts in /etc/apache2/sites-available/default-ssl – this makes sure that if mod_ssl is missing, Apache can still start properly (everything inside the statement is ignored). To enable the SSL module, use sudo a2enmod ssl.
  3. The FilesMatch, cgi-bin and BrowserMatch lines are copied from Debian’s default-ssl template. The BrowserMatch workarounds are for Internet Explorer 6 and earlier and can be dropped; the SSLOptions +StdEnvVars lines only matter if your PHP or CGI scripts read the SSL_* environment variables.

The same rules apply to HTTPS VirtualHosts as to HTTP VirtualHosts with regard to programs like Squirrelmail. You can check which is the default SSL VHost by typing your public WAN IP address into the address bar preceded by https:// . This also shows you the certificate that clients without SNI are given (click the padlock icon next to the address bar to see the details); expect a certificate error regardless of which cert you’ve set, since a bare IP address won’t match the certificate’s Common Name or Subject Alternative Names!
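The following Python, an added example written for this page rather than code from Apache or from the post, puts both halves of the problem side by side: which certificate Apache hands out given the SNI name (or the lack of one), and whether a browser would accept that certificate’s names for the host in the URL. The certificates are dicts of names standing in for real files, and SAM_CERT and TOM_CERT are invented for the illustration.

```python
"""Why the browser warns about the certificate, and what SNI changes.

Added example (not code from the original post). cert_matches() applies the
rules a browser uses to check a TLS server certificate against the name in
the URL: an exact, case-insensitive match against a Subject Alternative
Name dNSName entry (the Common Name is only consulted when the certificate
has no SAN names); a wildcard counts only as the whole left-most label and
never spans a dot; an IP address in the URL matches only an iPAddress SAN
entry, never the CN. pick_cert() models Apache's side: the SNI name selects
the VirtualHost, and so its certificate, while a client that sends no SNI,
or a name that matches nothing, gets the first *:443 block's certificate.
Certificates are represented as dicts of names, not real files.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Cert = Dict[str, object]
SSLVHost = Tuple[Sequence[str], Cert]          # (ServerName + ServerAlias values, certificate)


def _dns_match(pattern: str, host: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if "*" in pattern:
        # wildcard must be the entire left-most label with at least two labels after it
        if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
            return False
        return p[1:] == h[1:]
    return p == h


def cert_matches(cert: Cert, url_host: str) -> bool:
    """True if a browser would accept this certificate for url_host (name check only)."""
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(x) for x in cert.get("san_ip", []))
    names = list(cert.get("san_dns", []))
    if not names and cert.get("cn"):
        names = [cert["cn"]]
    return any(_dns_match(n, url_host) for n in names)


def pick_cert(ssl_vhosts: List[SSLVHost], sni_name: Optional[str]) -> SSLVHost:
    """The *:443 block (and certificate) Apache serves for this SNI name; the first block is the default."""
    if sni_name:
        wanted = sni_name.lower()
        for names, cert in ssl_vhosts:
            if wanted in (n.lower() for n in names):
                return names, cert
    return ssl_vhosts[0]


def handshake_outcome(ssl_vhosts: List[SSLVHost], sni_name: Optional[str], url_host: str) -> str:
    """Both sides together: which certificate is served, and whether the browser accepts its name."""
    _, cert = pick_cert(ssl_vhosts, sni_name)
    return "ok" if cert_matches(cert, url_host) else "certificate name mismatch"


# Constructed certificates for the two sites in the post.
SAM_CERT: Cert = {"cn": "www.samhobbs.co.uk", "san_dns": ["www.samhobbs.co.uk", "samhobbs.co.uk"]}
TOM_CERT: Cert = {"cn": "tomhobbs.co.uk", "san_dns": ["tomhobbs.co.uk", "www.tomhobbs.co.uk"]}

# Layout in the post: the same certificate in every block, default.only first.
SHARED_CERT = [
    (["default.only"], SAM_CERT),
    (["www.samhobbs.co.uk", "samhobbs.co.uk"], SAM_CERT),
    (["tomhobbs.co.uk", "www.tomhobbs.co.uk"], SAM_CERT),
]
# With SNI each block can carry its own certificate.
PER_SITE_CERT = [
    (["default.only"], SAM_CERT),
    (["www.samhobbs.co.uk", "samhobbs.co.uk"], SAM_CERT),
    (["tomhobbs.co.uk", "www.tomhobbs.co.uk"], TOM_CERT),
]

if __name__ == "__main__":
    cases = [
        (SHARED_CERT, "tomhobbs.co.uk", "tomhobbs.co.uk"),       # one cert for all: warning
        (PER_SITE_CERT, "tomhobbs.co.uk", "tomhobbs.co.uk"),     # own cert via SNI: fine
        (PER_SITE_CERT, None, "tomhobbs.co.uk"),                 # no SNI: default cert, warning
        (PER_SITE_CERT, None, "195.166.151.235"),                # by IP: default cert, warning
    ]
    for vhosts, sni, host in cases:
        print(f"SNI={str(sni):18} URL host={host:18} -> {handshake_outcome(vhosts, sni, host)}")
```

On a live server the equivalent check is openssl s_client -servername tomhobbs.co.uk -connect yourhost:443, run once with and once without -servername, comparing the subject and subjectAltName of the certificate that comes back: the second run shows what no-SNI clients and IP-address visitors see.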

Redirecting HTTP to HTTPS

You may find it useful to redirect all HTTP traffic to HTTPS for things like webmail. Here’s an example configuration for Squirrelmail. Define an HTTP virtualhost that just redirects traffic, and then add a HTTPS virtualhost as normal. mod_rewrite must be enabled for this (sudo a2enmod rewrite). Note that the RewriteCond on %{HTTPS} is always true inside a *:80 block, and a plain Redirect permanent / https://webmail.samhobbs.co.uk/ does the same job without mod_rewrite; whichever form you use, prefer the fixed hostname over %{HTTP_HOST}, so that if this block ever ends up as the default VHost a client-supplied Host header is not reflected into a redirect to an arbitrary site:

#=========================== HTTP redirect to HTTPS ==================================

<VirtualHost *:80>
ServerName webmail.samhobbs.co.uk
<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location />
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
    </Location>
  </IfModule>
</IfModule>
</VirtualHost>

#================================ SQUIRRELMAIL =====================================

<IfModule mod_ssl.c>
<VirtualHost *:443>
  DocumentRoot /usr/share/squirrelmail
  ServerName webmail.samhobbs.co.uk

<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>

ErrorLog ${APACHE_LOG_DIR}/squirrelmail/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/squirrelmail/ssl_access.log combined

SSLEngine on
SSLCertificateFile /path/to/your/cert.crt
SSLCertificateKeyFile /path/to/your/key.key

</VirtualHost>
</IfModule>

Perfect Forward Secrecy, and HTTP Strict Transport Security (HSTS)

Perfect forward secrecy means each session’s keys are derived from ephemeral values that are discarded afterwards, so an attacker who later obtains your private key cannot decrypt traffic they recorded earlier. HTTP Strict Transport Security (HSTS) tells browsers to use HTTPS only for your domain and to refuse to click through certificate errors, which defeats the SSL-stripping style of man-in-the-middle attack, where a user’s first plain-HTTP request is intercepted and never upgraded.

I have covered both of these things in this tutorial about configuring this site to be SSL-only.

Hopefully, that has helped you get your head around SSL/TLS VirtualHosts in Apache2. If you’re stuck, let me know and I’ll try to help out!


Comments

Under the section "HTTPS Hosts" the last line in that configuration file should be </IfModule>. I also sent you a email. Thanks for the awesome site!

Are you talking about a specific dynamic dns service like dyn.com, or are you using your DNS provider's free dynamic dns service? Why don't you want to register your second domain?

You can serve multiple websites from one IP address (but you can only have one HTTPS domain) - have you seen my tutorial about virtualhosts for Apache? The DNS records just tell the client which IP address to connect to for a given domain, and then the client sends the domain they want to connect to in the HTTP header, which Apache uses to work out which page to serve.

Sam

Sam, maybe I worded that badly or incorrectly so I will try again.
I already have k9t.za.net registered as a domain and if pinged the domain resolves IP to 66.228.52.163 and it is currently hosted at linode.com.
What I am looking for is a method whereby I can switch it to my local server at rpibee.com at the IP of 105.208.68.243. In other words when someone enters www.k9t.za.net into their browser I no longer want their browser to connect to linode.com but rather connect to rpibee.com.

I'm just confused because you said you don't want to use dynamic dns for k9t.za.net, but presumably you are already using dynamic dns for rpibee.com? I don't understand why you don't want to set up dynamic dns - it shouldn't cost you anything, and you already know how to do it, so what's stopping you?

Sam

Hi
I get an error when I tried your tut. When I go to my website with https it gives me a simple page with just a heading and it says "Access Error 404 -- Not Found". Any help? I did put the https config in default not default-ssl because default-ssl was not symlinked to sites-enabled.

The symlink to sites-enabled is created by running:

sudo a2ensite default-ssl

...Where default-ssl is the name of the configuration file you want to enable. The way you have done it should be fine, though.

Did you reload apache after making your changes (sudo service apache2 reload)? I'm surprised you got a 404, a 403 (forbidden) would be more like the kind of problem I would expect. Where's your document root for the two sites? Make sure it's the same for the https site as http, or the https site may be looking in the wrong place for the files.

Sam

Thanks! I figured out that I didn't need to have the port numbers changed in the virtual host, and once I put them all back to 80 it worked fine. Cheers!!

Hi Sam

I have a question about https with owncloud.
I have my apache2 with default port 8010 and secure port as 9443 (I have more then one rpi :D).

I was trying yours tutorial "HTTPS Hosts" and I have no https :(

Should I use? <VirtualHost *:8010>
and <VirtualHost *:9443>

Yes, I think so. Are you specifying the port in the URL bar?

BTW, when you post tags like < you need to either write it "&l t;" without the space in html comments or post as plain text, or it won't display properly in your comment (I edited your previous comment).

Sam

What happens? Connection refused?

Did you enable the apache ssl module and forward the correct port on your router?

Sam

Hi Sam,
I have one server running a site my_url.net/site1 as an HTTP site.

Is it possible to add a second (virtual host) so that my_url.net/site2 is an HTTPS site?

Newbie here struggling with apache2 config and .htaccess files

regards
Tim

It's better to separate sites by domain, or by subdomain, otherwise they are part of the same virtualhost. Trying to redirect part of a domain to HTTPS while the other part is HTTP will be a bit hacky, but it's possible.

Sam

Hi Sam - long time reader, first time poster - love your work :D

I've been setting up a few Pi, and have a fully functional e-mail server as per your tutorials, which works fine. I've also got a second Pi on my local network that I'm hosting a mediawiki installation on. I realise that I could host the wiki on the same Pi as my mail server, but I'd like to keep the separate (and am enjoying the learning experience this question is taking me on). Is there a way to set up a reference in VirtualHosts to point incoming traffic to an IP address on a different box on my network?

My setup with noip has aztheartist.com.au, webmail.aztheartist.com.au, and azwiki.aztheartist.com.au all pointing at my external IP. I'm already able to access webmail.aztheartist.com.au externally (via HTTPS), and aztheartist.com.au also shows the webmail login page. My wiki is set up on an internal IP address, and is also functioning perfectly from internal addresses. I'd just like to use azwiki.aztheartist.com.au to access the wiki externally, and would prefer not to mess around with a Port 80 redirect to do it.

I've also had a peek at the VirtualHost doco, and found the following which I think describes the sort of thing that I'm after:

https://httpd.apache.org/docs/2.4/vhosts/examples.html#proxy
"Using Virtual_host and mod_proxy together"

I've tried updating /etc/apache2/sites-available/default with this, but broke everything doing it. Am I barking up the wrong tree, or are you able to point me in the right direction to get it right?

Thanks in advance for any help you can give :D

Hi Aaron,

What you're talking about is using the "main" pi as a gateway proxy. I've done it before, but to be honest I don't think it's worth the hassle - all the traffic has to be passed through the main pi and the only benefit is that if the server does some heavy lifting then that work is done on a separate CPU (but the main pi still has to forward the requests).

If you're going to experiment with that module, be careful! I messed up the config when I was new to this and accidentally made my server an open proxy!

Sam

Hi Sam,

I'm still battling away with my Vhosts and was going through my apache log files. I found the following:

[Mon Feb 29 22:06:35.598897 2016] [mpm_prefork:notice] [pid 22793] AH00169: caught SIGTERM, shutting down
[Mon Feb 29 22:06:36.962607 2016] [ssl:warn] [pid 23192] AH01909: www.pi-box.co.uk:443:0 server certificate does NOT include an ID which matches the server name
[Mon Feb 29 22:06:37.286175 2016] [ssl:warn] [pid 23193] AH01909: www.pi-box.co.uk:443:0 server certificate does NOT include an ID which matches the server name
[Mon Feb 29 22:06:37.309107 2016] [mpm_prefork:notice] [pid 23193] AH00163: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1k configured -- resuming normal operations
[Mon Feb 29 22:06:37.309365 2016] [core:notice] [pid 23193] AH00094: Command line: '/usr/sbin/apache2'

I 'fixed' it by changing the ServerName from www.pi-box.co.uk to pi-box.co.uk and ran the error.log again:

[Mon Feb 29 22:08:18.961161 2016] [mpm_prefork:notice] [pid 23193] AH00169: caught SIGTERM, shutting down
[Mon Feb 29 22:08:20.938313 2016] [mpm_prefork:notice] [pid 23406] AH00163: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1k configured -- resuming normal operations
[Mon Feb 29 22:08:20.938669 2016] [core:notice] [pid 23406] AH00094: Command line: '/usr/sbin/apache2'

I didn't know what these meant and saw it said something about the command line, so I tried it:

admin@pi-box:~ $ /usr/sbin/apache2
[Mon Feb 29 22:14:00.668862 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOCK_DIR} is not defined
[Mon Feb 29 22:14:00.669265 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[Mon Feb 29 22:14:00.669406 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[Mon Feb 29 22:14:00.669484 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[Mon Feb 29 22:14:00.669602 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon Feb 29 22:14:00.781408 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
[Mon Feb 29 22:14:00.783452 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon Feb 29 22:14:00.784836 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon Feb 29 22:14:00.785006 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon Feb 29 22:14:00.785627 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon Feb 29 22:14:00.785771 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon Feb 29 22:14:00.786143 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon Feb 29 22:14:00.786258 2016] [core:warn] [pid 23568] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00526: Syntax error on line 74 of /etc/apache2/apache2.conf:
Invalid Mutex directory in argument file:${APACHE_LOCK_DIR}

Any idea?

Thx,

Jo

Doesn't look like the second paste from error.log had any errors, it was just logging that you had restarted apache?

If you run apache2 straight from the command line like that, of course you'll get a ton of errors because it won't know where your config is etc, and it'll be running as your user instead of www-data, and all sorts of other problems. You should never have to run it like that.

Sam

Hi Sam,

Great information on here, thanks. Ive used it to create an Owncloud instance on pi.

I have one problem though: although I have forced http>https connections it won't resolve the correct url path. Can you help?

*MyIPAddress* = my LAN assigned IP i.e. by my router 192.168.xxx.xxx

I have put the following in my "/etc/apache2/sites-available/default-ssl" file:

ServerName *MyIPAddress*

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

I have put the following in my "/etc/apache2/sites-available/default" file:

ServerName *MyIPAddress*
Redirect permanent / https://*MyIPAddress*/owncloud

I got this from: https://doc.owncloud.org/server/8.2/admin_manual/configuration_server/ha...

Owncloud sits in /var/www/owncloud

PROBLEM:

When I navigate to "http://*MyIPAddress*/owncloud" it resolves to "https://*MyIPAddress*owncloud" - ie no "/" between *MyIPAddress* and owncloud.

This tells me http>https redirect is working, but it won't insert the "/", and thus resolve correctly.

https://*MyIPAddress*/owncloud resolves to the Owncloud log in page perfectly.

Any ideas? Let me know if you need more details.

Cheers
Mark

Hi Mark,

I'm sure I'm missing something obvious, but I can't see why that shouldn't work. It's a bit odd to try and redirect / to /owncloud like that though.

If you're not serving any content on / then the simplest thing to do would be to remove the redirect altogether and change the DocumentRoot in your virtualhost file to /var/www/owncloud.

Sam

Thanks Sam. Just trying to understand what you suggested- by removing this from my "/etc/apache2/sites-available/default" file:

ServerName *MyIPAddress*
Redirect permanent / https://*MyIPAddress*/owncloud

and adding "/owncloud" to the DocumentRoot line in the same file...I am stopping any one connecting via http because nothing now exists at http. Is that correct?

It seems to have solved the problem, in that http://*MyIPAddress*/owncloud now returns a 404 - "The requested URL /owncloud was not found on this server." And therefore the only way I can connect is via https://*MyIPAddress*/owncloud. https works perfectly.

....though now when I navigate to http://*MyIPAddress* i.e. with no /owncloud it resolves to my own cloud login screen - so neither over https nor at the correct domain.

Could the issue be anything to do with the fact I run two users on the Pi. I have the original "pi@..." and another "owncloud@...". Would that be confusing things?

Its driving me mad!

Happy to take this offline if you wish.

Mark

Not quite, /owncloud returns a 404 because your virtualhost now serves content from the owncloud folder because we changed the DocumentRoot, and there's no owncloud folder within the DocumentRoot! I should have told you to replace the redirect with another one instead of removing it. For example you can replace this:

Redirect permanent / https://*MyIPAddress*/owncloud

with this:

Redirect permanent / https://1.2.3.4/

(with the updated DocumentRoot in both your http and https virtualhosts). There's no point in having /owncloud in the path if you aren't serving something else on the root of your domain (e.g. a wordpress blog or something like that).

Also, do you not have a domain name? It's unusual to use the IP address instead of the domain name in your ServerName unless you have to. You should still have a ServerName of some kind in there though (your last comment reads like you removed it entirely).

Sam

Brilliant Sam, that all seems to work now. A URL is the next step - I wanted a proof of concept before forking out on one. I think I'll be wanting to run a number of sub-domains e.g. documents.url.com for owncloud, email.url.com for webmail etc, so may need to come back to you to get the document paths correct for this. Cheers. Mark.

Hi Sam,
I got a status report on Apache2. What are these? It refers to an FQDN of 127.0.1.1; I definitely don't have this. The other information said "
NameVirtualHost has no effect and will be removed." What is this, asking to remove something? The last one is deprecated, about apache2SecReadStateLimit. I don't know this either. Wish for your brilliant explanation. This did not have any bad effect on running but I still want to know. Thank you.


● apache2.service - LSB: Apache2 web server
Loaded: loaded (/etc/init.d/apache2)
Active: active (running) since Mon 2016-04-11 22:45:21 CST; 13min ago
Process: 2601 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
Process: 2561 ExecReload=/etc/init.d/apache2 reload (code=exited, status=0/SUCCESS)
Process: 2626 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/apache2.service
├─2641 /usr/sbin/apache2 -k start
├─2647 /usr/sbin/apache2 -k start
├─2648 /usr/sbin/apache2 -k start
├─2649 /usr/sbin/apache2 -k start
├─2650 /usr/sbin/apache2 -k start
├─2651 /usr/sbin/apache2 -k start
├─2661 /usr/sbin/apache2 -k start
└─2696 /usr/sbin/apache2 -k start

Apr 11 22:45:17 raspberrypi apache2[2626]: Starting web server: apache2SecReadStateLimit is depricated, use SecConnReadStateLimit instead.
Apr 11 22:45:18 raspberrypi apache2[2626]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/default-ssl.conf:2
Apr 11 22:45:18 raspberrypi apache2[2626]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Apr 11 22:45:21 raspberrypi apache2[2626]: .
Apr 11 22:45:21 raspberrypi systemd[1]: Started LSB: Apache2 web server.

These are warnings, not errors:

  • Regarding 1, read this (looks like the CRS rule for slow DoS protection needs to be updated for the new version of apache. I suspect the old rule will still work for a while, and the warning has been implemented in the new version to get people to update their configurations).
  • To remove the second error, remove NameVirtualHost from your default-ssl virtualhost file (comment it out)
  • To get rid of the other error, place ServerName foo.com in your apache2.conf file

Sam
