I have created a Laravel application on my local Ubuntu machine. But I want to use HTTPS on all of its wildcard subdomains. How can I do this locally? By the way, I have added my site URL to /etc/hosts so I don't need to type localhost but instead www.mysite.loc.
The answer in this question, How can I install SSL on localhost in Ubuntu?, will I think only work on the main domain.
No, the answer to this question, How can I install SSL on localhost in Ubuntu?, works fine. But you need to modify a few lines in your conf file.
I managed to try it now and it works fine, but I got this irritating message from my browser that the site I am accessing is not secure. That's okay, though, since it is just a self-signed certificate.
In my /etc/hosts I added several subdomains for my local site, since it will not work even if you configured your virtual host properly, because the site you're developing is not yet accessible online.
Say, www.mydomain.com, hello.mydomain.com, world.mydomain.com
Now, we need to enable SSL module
sudo a2enmod ssl
Restart Apache
sudo service apache2 restart
Create a folder for Self-signed SSL Certificates
sudo mkdir /etc/apache2/ssl
Generate key and other stuffs for SSL
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Answer the questions there and use your domain, say mydomain.com, as the Common Name
Now I edited the conf file of my virtual host, which resides in /etc/apache2/sites-available/mydomain.com.conf
This is what's inside
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName www.mydomain.com
ServerAlias mydomain.com *.mydomain.com
DocumentRoot /home/me/projects/www/mysite_folder
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/home/me/projects/www/mysite_folder">
SSLOptions +StdEnvVars
Order allow,deny
Allow from all
# New directive needed in Apache 2.4.3:
Require all granted
AllowOverride All
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
If you have already enabled your virtual host, you can skip this step. Otherwise, type
sudo a2ensite mydomain.com.conf
Lastly, you need to restart Apache again by
sudo service apache2 restart
Hope it helps you! You can now access your site using https
Ex. https://www.mydomain.com, https://hello.mydomain.com, https://world.mydomain.com
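The certificate generated in the answer above names the site only through its Common Name, so OpenSSL's hostname check does not accept it for hello.mydomain.com, and current browsers match hostnames against subjectAltName. As an added example (not part of the original answer), this script issues the same kind of self-signed certificate with SAN entries for the apex and the wildcard and reports which names each certificate covers; the output directory, file names and the `-addext` option (OpenSSL 1.1.1 or newer) are assumptions.

```shell
#!/bin/sh
# Added example: self-signed development certificate that covers the apex
# domain and its first-level subdomains through subjectAltName (SAN).
# Assumes OpenSSL 1.1.1+ for -addext; directory and file names are illustrative.

# make_cn_only_cert DIR DOMAIN: the CN-only certificate from the answer.
make_cn_only_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" \
        -keyout "$1/cn-only.key" -out "$1/cn-only.crt" 2>/dev/null
}

# make_wildcard_cert DIR DOMAIN: same key type and lifetime, plus SAN entries.
make_wildcard_cert() {
    (
        umask 077   # never leave the private key group- or world-readable
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$2" \
            -addext "subjectAltName=DNS:$2,DNS:*.$2" \
            -keyout "$1/wildcard.key" -out "$1/wildcard.crt" 2>/dev/null
    )
}

# cert_covers CERT HOST: exit 0 if OpenSSL's hostname check accepts HOST.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# coverage_report DOMAIN: build both certificates and list what each covers.
coverage_report() {
    dir=$(mktemp -d) || return 1
    make_cn_only_cert "$dir" "$1" && make_wildcard_cert "$dir" "$1" || return 1
    for cert in cn-only wildcard; do
        for host in "$1" "www.$1" "hello.$1" "a.b.$1"; do
            if cert_covers "$dir/$cert.crt" "$host"; then r=covered; else r="NOT covered"; fi
            printf '%-9s %-22s %s\n' "$cert" "$host" "$r"
        done
    done
    rm -rf "$dir"
}

coverage_report mydomain.com
```

A wildcard entry matches exactly one label, so a.b.mydomain.com stays uncovered even with the SAN certificate.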
Basically, the Facebook scraper (https://developers.facebook.com/tools/debug/og/object/) says:
Curl Error : SSL_CACERT SSL certificate problem: unable to get local issuer certificate
Tested my site's url here:
https://whatsmychaincert.com/?mysite.com
and this tells:
my site is misconfigured. This is the chain it should be using.
I'm scared to download the chain file from this site as I guess I already have it all from GoDaddy.
Coming back to my Facebook scraper problem. I did a Google search and found that the cURL error is due to the PHP version. As I checked, I have the latest PHP running. But I still downloaded cacert.pem from the official site and added it to the same folder where my SSL certs reside (/etc/ssl/certs). Then I edited php.ini, located in /opt/bitnami/php/etc.
so it reads:
curl.cainfo ="/etc/ssl/certs/cacert.pem"
I restarted Apache, but the issue still persisted. So I focused on fixing the SSL cert issue.
This is what my default-ssl.conf looks like:
SSLCertificateFile /etc/ssl/certs/a639a4be86615af.crt
SSLCertificateKeyFile /etc/ssl/certs/mysite.key
SSLCertificateChainFile /etc/ssl/certs/mysite.com.chain.crt (downloaded from https://whatsmychaincert.com/)
SSLCACertificateFile /etc/ssl/certs/a639a4be86615af.pem
By the way, my site shows an HTTPS connection. But in Firefox I don't see any images loaded. Could that be related to the (unable to get local issuer certificate)?
What's wrong with my configuration? How do I fix it?
EDIT:
I'm using the WordPress Bitnami set. So I edited two paths for the SSL config: /etc/apache2/sites-available/default-ssl.conf and /opt/bitnami/apache2/conf/extra/httpd-ssl.conf
My latest SSL config file:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin hello@mysite.com
ServerName mysite.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/b8ad60af28cd1745.crt
SSLCertificateKeyFile /etc/ssl/private/mysite.key
SSLCertificateChainFile /etc/ssl/certs/b8ad60af28cd1745.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Unlike browsers, PHP cURL doesn't reconstruct the certificate tree from other sources. So if your cert tree is incomplete, cURL cannot verify your site certificate.
Your VirtualHost configuration should have the following:
SSLCertificateFile - your site certificate
SSLCertificateKeyFile - key for the CertificateFile
SSLCertificateChainFile - file containing all intermediate certificates from leaf to root (so curl can connect your certificate to the one in /etc/ssl/certs/cacert.pem)
Since 2.4.8 you can put all certificates from leaf to root into SSLCertificateFile (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile)
You can test your SSL configuration using https://www.ssllabs.com/ssltest/index.html which also reports incomplete certificate tree.
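The failure described in this answer can be reproduced offline. As an added example (not part of the original answer), this script builds a constructed root, intermediate and leaf, then verifies the leaf the way a client that trusts only the root would: once with the leaf alone, once with the intermediate supplied as the server's chain file would supply it. All subject names, file names and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" with a
# constructed root -> intermediate -> leaf hierarchy, then resolve it by
# supplying the intermediate, which is what SSLCertificateChainFile makes
# the server send. Subject names, file names and lifetimes are illustrative.

# build_chain DIR: create root.crt, int.crt and leaf.crt (plus keys) in DIR.
build_chain() {
    (
        cd "$1" || exit 1
        umask 077
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'subjectAltName=DNS:mysite.com\n' > leaf.ext
        for n in root int leaf; do
            openssl req -new -nodes -newkey rsa:2048 -subj "/CN=constructed $n" \
                -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
        done
        # The root signs itself, then the intermediate; the intermediate signs the leaf.
        openssl x509 -req -in root.csr -signkey root.key \
            -extfile ca.ext -days 30 -out root.crt 2>/dev/null &&
        openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -extfile ca.ext -days 30 -out int.crt 2>/dev/null &&
        openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
            -extfile leaf.ext -days 30 -out leaf.crt 2>/dev/null
    )
}

# verify_as_client DIR [CHAIN]: verify leaf.crt as a client that trusts only
# the root, optionally with the certificates in CHAIN as untrusted helpers
# (the ones the server would send alongside the leaf).
verify_as_client() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" 2>&1
    else
        openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" 2>&1
    fi
}

# chain_ok DIR [CHAIN]: exit 0 only when verification succeeds.
chain_ok() {
    verify_as_client "$@" | grep -q ': OK$'
}

demo_dir=$(mktemp -d) && build_chain "$demo_dir" && {
    echo "leaf only:";           verify_as_client "$demo_dir"
    echo "leaf + intermediate:"; verify_as_client "$demo_dir" "$demo_dir/int.crt"
    rm -rf "$demo_dir"
}
```

To see which certificates a running server actually sends, `openssl s_client -connect mysite.com:443 -showcerts` lists them in order.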
I am trying to run a website on a "Private Network" or a "Public Network" via HTTPS (SSL) on XAMPP. I followed these steps:
1- "C:\xampp\apache\makecert.bat" to make the Certificate.
2- httpd.conf Remove (#) from LoadModule ssl_module modules/mod_ssl.so
3- php.ini Remove (;) from extension=php_openssl.dll
Restart apache and chrome!
localhost uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER
https://192.168.1.100 Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Open your "apache/conf/httpd.conf" file and add the following lines (right after closing </Directory> tag):
<VirtualHost *:443>
DocumentRoot "C:\xampp\htdocs"
ServerName localhost:443
SSLEngine on
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
<Directory "C:\xampp\htdocs">
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
then restart your "Apache" and check back again "https://localhost".
I'm trying to setup my local web server using vagrant. My vagrant shared folder is in my home folder (~/home/vagrant/www) and I want to use bindfs to mount this folder inside /var/www.
These are the specs of my virtual machine:
Apache/2.4.23 (Ubuntu)
PHP 7.0.12
Ubuntu 14.04
I am using php-fpm to execute php scripts but after using bindfs, my site will always return File not found.
Also here is my virtualhost configuration:
<VirtualHost *:80>
ServerName project1.dev
## Vhost docroot
DocumentRoot "/var/www/project1/public"
## Directories, there should at least be a declaration for /var/www/project1/public
<Directory "/var/www/project1/public">
Options Indexes FollowSymlinks MultiViews
AllowOverride All
Require all granted
<FilesMatch "\.php$">
Require all granted
SetHandler proxy:fcgi://127.0.0.1:9000
</FilesMatch>
</Directory>
## Logging
ErrorLog "/var/log/apache2/av_anhk5lpgjldb_error.log"
ServerSignature Off
CustomLog "/var/log/apache2/av_anhk5lpgjldb_access.log" combined
## Server aliases
ServerAlias www.project1.dev
## SetEnv/SetEnvIf for environment variables
SetEnv APP_ENV dev
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
## Custom fragment
</VirtualHost>
Can anyone help me?
I managed to successfully run php-fpm + bindfs in my virtual machine. I just made sure that the user who is running php-fpm and Apache is the one I set in my bindfs command. My Apache is run by www-user, so I changed my command to sudo bindfs -o perms=0755,mirror-only=www-user,force-group=www-data,force-user=www-user /home/vagrant/www /var/www and made sure that Apache is also run by www-user.
I have a mediawiki site on Ubuntu 14.04, that is working perfectly, and is housed at /var/www/html
I'm trying to get https setup on the server, and I haven't been able to get that done yet. Here's my current port 80 configs, and I'll show what I'm trying below that.
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerName mywiki.com
ServerAlias http://mywiki.com
DocumentRoot /var/www/html
</VirtualHost>
/var/www/html/LocalSettings.php
#this is the only relevant line...I think.
$wgServer = "http://mywiki.com";
The changes I'm making, in order, are below
1. Change $wgServer value to //mywiki.com
2. Edit /etc/apache2/sites-available/default-ssl.conf to the following
<VirtualHost _default_:80>
ServerName mywiki.com
Redirect permanent / https://mywiki.com
</VirtualHost>
<VirtualHost _default_:443>
ServerName mywiki.com
ServerAlias https://mywiki.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/my.crt
SSLCertificateKeyFile /etc/apache2/ssl/my.key
</VirtualHost>
3. Stop apache from using the old 000-default.conf file by running sudo a2dissite 000-default.
4. Start using the new ssl default file by running sudo a2ensite default-ssl.
5. Restart Apache2 sudo /etc/init.d/apache2 restart
At this point, apache2 restarts correctly, and there are no errors from the output or in the error.log. However, when I go to the site by typing mywiki.com it doesn't redirect me to https, and now it shows the :80 section of the site as the Index of / html/.
When I try to manually go to https://mywiki.com, I get a page not available, like it's not even trying.
Where am I going wrong?
This was a silly solution, but I imagine on a product like mediawiki, I won't be the last to make this mistake.
I never enabled the ssl module
sudo a2enmod ssl
I went through tens of tutorials on how to setup ssl on mediawiki, and none of them mentioned this. It's pretty obvious if you work on lots of websites, but I don't, and hopefully this helps someone in the future.
You are missing a ServerName. This might be it. Could you attempt this configuration:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName mywiki.com
Redirect permanent / https://mywiki.com
</VirtualHost>
<VirtualHost _default_:443>
ServerName mywiki.com
ServerAlias www.mywiki.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/my.crt
SSLCertificateKeyFile /etc/apache2/ssl/my.key
</VirtualHost>
I'm trying to set up some VH in Apache 2.4.6 on CentOS 7 but without success, since it's not working. This is what I've tried until now:
Since in /etc/httpd/conf/httpd.conf is this line Include conf.modules.d/*.conf then I create a file under /etc/httpd/conf.d/vhost.conf and place this inside it:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName webserver
ServerAlias localhost devserver development
DocumentRoot /var/www/html
</VirtualHost>
Reload/Restart Apache service (tried both):
service httpd reload|restart
At Windows side edit the file C:\Windows\system32\drivers\etc\hosts and add this line:
192.168.3.131 webserver localhost devserver development # this is the IP of Apache Server
Opened the browser and tried http://webserver and http://devserver; both go to the default Apache page, so the VH is not working.
Placed a file at /var/www/html/index.php with this line <?php phpinfo(); ?> just to see which modules Apache is loading; this is the result:
core mod_so http_core mod_access_compat mod_actions mod_alias mod_allowmethods mod_auth_basic mod_auth_digest
mod_authn_anon mod_authn_core mod_authn_dbd mod_authn_dbm mod_authn_file mod_authn_socache mod_authz_core
mod_authz_dbd mod_authz_dbm mod_authz_groupfile mod_authz_host mod_authz_owner mod_authz_user mod_autoindex
mod_cache mod_cache_disk mod_data mod_dbd mod_deflate mod_dir mod_dumpio mod_echo mod_env mod_expires mod_ext_filter
mod_filter mod_headers mod_include mod_info mod_log_config mod_logio mod_mime_magic mod_mime mod_negotiation
mod_remoteip mod_reqtimeout mod_rewrite mod_setenvif mod_slotmem_plain mod_slotmem_shm mod_socache_dbm
mod_socache_memcache mod_socache_shmcb mod_status mod_substitute mod_suexec mod_unique_id mod_unixd mod_userdir
mod_version mod_vhost_alias mod_dav mod_dav_fs mod_dav_lock mod_lua prefork mod_proxy mod_lbmethod_bybusyness
mod_lbmethod_byrequests mod_lbmethod_bytraffic mod_lbmethod_heartbeat mod_proxy_ajp mod_proxy_balancer mod_proxy_connect
mod_proxy_express mod_proxy_fcgi mod_proxy_fdpass mod_proxy_ftp mod_proxy_http mod_proxy_scgi mod_systemd mod_cgi mod_php5
And apparently mod_vhost is loaded but is not working. Did I miss something? Any help or advice around this? Maybe I forgot something, but I read the Apache docs and didn't find anything helpful.
Update: test1
I made some changes to VH definition and now this is what I have:
<VirtualHost *:80>
DocumentRoot /var/www/html
ServerName webserver
#ServerAlias localhost devserver development
<Directory "/var/www/html">
Options FollowSymLinks Includes ExecCGI
AllowOverride All
Allow from all
#Require local
#Require 192.168.3.0/16
#Require 192.168.1.0/16
</Directory>
</VirtualHost>
But I'm getting a 403 Forbidden
Forbidden
You don't have permission to access /index.php on this server.
What is failing here?
To elaborate on jap1968's post, CentOS 7 comes with SELinux's pain in the butt level set to enforcing. This causes all kinds of confusion when perfectly normal service configurations silently fail (Apache).
To disable SELinux you'll need to:
0) [optional] Crack open a shell and become root... or enjoy a shiny new, super fun, configuring sudo to let you do "root stuffs" project. Probably.
su -l
1) Get the current status of SELinux. Run sestatus:
sestatus
2) If SELinux is causing hair loss and premature aging you'll get something like this:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
3) Edit the /etc/selinux/config file. Change SELINUX=enforcing to SELINUX=permissive. Doing this will set you up for endless joy next time you reboot. You'll end up with something like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUX=enforcing
# ===> VOODOO HERE <===
SELINUX=permissive
# ===> END VOODOO <===
#
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
4) Disable SELinux. You can reboot at this point but it's easier to tell SELinux to take time off from tormenting you. Run setenforce to reset SELinux's enforcement level to match the /etc/selinux/config file:
setenforce 0
5) Check sestatus again:
sestatus
If everything went as expected sestatus will return something like this:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
6) Restart Apache. If your vhost's domain name is resolving to the server you're working on you'll see your shiny new virtual host:
# Restart apache:
systemctl restart httpd.service
# Be lazy by checking your virtual host from the command line:
curl www.example.com/new-file-that-only-exists-in-your-new-vhost.txt
6.5) Stop reading here. Or don't. I'm a message board post, not your Mom.
Everything below is beyond the scope of the original question and only included because you really should be running with SELinux enabled.
7) Work towards re-enabling selinux. Start by watching the selinux logs to see some awesome alphabet soup:
tail -f /var/log/audit/audit.log
8) Be amazed at the depth of features, crazy number of poorly named utilities, and ugly UX mess that constitutes SELinux. You should probably put on your big boy pants and drink a whole pot of coffee before you dive in. Here's some Info:
CentOS HowTo: https://wiki.centos.org/HowTos/SELinux
Project: http://selinuxproject.org/page/Main_Page
A couple of things that may be causing you problems :-
NameVirtualHost *:80
Is no longer valid syntax for Apache 2.4.x; you should remove it completely.
On the Windows side once you have changed the HOSTS file, you need to reload the DNS Client service, so either reboot or better still, launch a command window using "Run as Administrator" and do this :-
net stop dnscache
net start dnscache
Lastly, within your virtual hosts definition, it will help to tell apache from where it is allowed to accept connections to this Virtual Host like so :-
<VirtualHost *:80>
ServerName webserver
ServerAlias localhost devserver development
DocumentRoot /var/www/html
<Directory "/var/www/html">
AllowOverride All
Require local
Require ip 192.168.3
</Directory>
</VirtualHost>
This will allow access from the machine running Apache (Require local) and from any IP address on the local network (Require ip 192.168.3).
Also I am not sure where Apache on unix puts its default document root but it might be an idea to differentiate your 3 domain names to different directories like so
<VirtualHost *:80>
ServerName localhost
ServerAlias localhost
DocumentRoot /var/www/html
<Directory "/var/www/html">
AllowOverride All
Require local
Require ip 192.168.3
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName webserver
ServerAlias webserver
DocumentRoot /var/www/html/webserver
<Directory "/var/www/html/webserver">
AllowOverride All
Require local
Require ip 192.168.3
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName development
ServerAlias development
DocumentRoot /var/www/html/development
<Directory "/var/www/html/development">
AllowOverride All
Require local
Require ip 192.168.3
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName devserver
ServerAlias devserver
DocumentRoot /var/www/html/devserver
<Directory "/var/www/html/devserver">
AllowOverride All
Require local
Require ip 192.168.3
</Directory>
</VirtualHost>
Then put a simple html file in each directory saying 'Hello from Servername' and change servername in each file so you know you have got to the correct server.
RE: Update test1.php
Allow from all
Is not valid Apache 2.4 syntax either, unless you have loaded LoadModule access_compat_module modules/mod_access_compat.so
Even then it should be
Order Allow,Deny
Allow from all
So USE Apache 2.4 syntax
Require all granted
If you want to take the lazy route and allow access from the universe.
Be careful also with SELinux. The default configuration will prevent your virtual hosts directories from being accessed by httpd. You will need to set the appropriate context:
# chcon -R -u system_u -r object_r -t httpd_sys_content_t <DocumentRoot>
Another option is just to disable SELinux.
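Both the "watch the audit log" step in the longer SELinux answer and the chcon command above come down to finding which label httpd was denied on. As an added example (not from the original posts), this filter reduces audit.log AVC records to the target type, permission and object for the httpd_t domain; the log lines are constructed samples, and the parser assumes object paths without spaces.

```shell
#!/bin/sh
# Added example: list what SELinux denied to Apache so the content can be
# relabelled while SELinux stays in enforcing mode.
# The log lines below are constructed samples; object paths are assumed to
# contain no spaces.

# sample_log: constructed /var/log/audit/audit.log excerpt.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1480000000.101:311): avc:  denied  { getattr } for  pid=2211 comm="httpd" path="/var/www/html/webserver/index.html" dev="dm-0" ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1480000000.101:311): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1480000000.202:312): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.php" dev="dm-0" ino=102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1480000000.303:313): avc:  denied  { read } for  pid=900 comm="chronyd" name="messages" dev="dm-0" ino=55 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

# httpd_denials [FILE...]: print "target_type permission object" for every
# AVC denial whose source domain is httpd_t (reads stdin when no FILE is given).
httpd_denials() {
    awk '
    /^type=AVC / && / denied / && /scontext=[^ ]*:httpd_t:/ {
        perm = $0
        sub(/^.*[{] /, "", perm); sub(/ [}].*$/, "", perm)
        obj = "?"; ttype = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(path|name)=/) { obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj) }
            if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ttype = ctx[3] }
        }
        print ttype, perm, obj
    }' "$@"
}

# wrong_labels [FILE...]: distinct target types httpd was denied on.
wrong_labels() {
    httpd_denials "$@" | awk '{ print $1 }' | sort -u
}

sample_log | httpd_denials
```

Unlike chcon, `restorecon -Rv <DocumentRoot>` reapplies the labels the loaded policy defines for that path; a DocumentRoot outside /var/www first needs a rule added with `semanage fcontext -a -t httpd_sys_content_t`.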