httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From apache-httpd-us...@thomas.freit.ag
Subject Re: [users@httpd] HSTS verification
Date Sat, 03 Jul 2021 09:20:08 GMT
Hi,

On 02.07.21 09:27, @lbutlr wrote:
> When checking for https HSTS compliance on htstpreload.org I get a warning 
> 
>> We cannot connect to https://example.net using TLS ("Get https://example.net: http:
server gave HTTP response to HTTPS client").

What is in your access logs, can you identify the request and check which virtual hosts served
it? You can enable logging of the
virtual host in the access log or log to dedicated files (see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
for
a list of what is available).

> And I do not understand how this can be. The page in questions loads as https with a
valid cert and the http query is set to redirect to https
> 
> <VirtualHost ip.ad.re.ss:443>
>    ServerName www.example.net
>    ServerAlias foo.example.net
>    ServerAlias example.net
>    DocumentRoot /usr/local/www/example/
>    DirectoryIndex index.html
>    ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/usr/local/www/example/$1
>    SSLEngine on
>    SSLCertificateFile /usr/local/etc/dehydrated/certs/example.net/cert.pem
>    SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/example.net/privkey.pem
>    SSLCertificateChainFile /usr/local/etc/dehydrated/certs/example.net/chain.pem
>    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
>    SSLHonorCipherOrder on
>    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>    #SSLUseStapling On
>    Header always set Strict-Transport-Security "max-age=15638400; includeSubdomains;"
>    Header always set X-Frame-Options DENY
>    Alias /.well-known/ /usr/local/www/.well-known/
> </VirtualHost>
> 
> <VirtualHost *:80>
>    ServerName www.example.net
>    ServerAlias foo,example.net
>    ServerAlias example.net
>    ServerAlias webmail.example.net
>    Redirect / https://www.example.net/
>    Alias /.well-known/ /usr/local/www/.well-known/
> </VirtualHost>
> 
> 

I do not see anything onbviously wrong here (there is a typo on "ServerAlias foo,example.net"
though, assume this is just an example issue).
However, your TLS virtualhost is bound to a fixed IP, your plain HTTP virtual host is bound
to all available IPs on the machine.

My guess would be virtual host mismatch or a DNS specific issue (does example.net resolve
to different IPs for different resolvers?). Again
access logs may reveal some more information on that.

hth,
Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message