Having both HTTP & HTTPS (Port 443 and Port 80) sites on a server

[dsmarter]

Most of my sites are using SSL with Let's Encrypt. However, I'm looking to migrate some sites over which don't currently have SSL. To make it seamless, and so end users don't get an error about a self signed certificate, I'm looking to enable port 80 traffic. Then, once the DNS change has fully propagated, I can get Let's Encrypt to issue a cert for the migrated site.

Right now my server is basically redirecting everything to port 443. Under the Apache Admin Module, I've got the Apache Port set to 443. All other domains have an overwritten Virtual Host Settings that forward to 443 and point towards the certificate. However, I can't seem to get a single domain to not try to redirect to port 80.

My vhosts file (/etc/sentora/configs/apache/httpd-vhosts.conf) only has "Listen 443" at the top. If I remember correctly, adding port 80 as well caused HTTPD to fail to restart/load.

I am running CentOS Core 7.3.1611 on kernel 2.6.32-042stab120.16 with Sentora 1.0.3 installed.

Thanks!
Gordon

[Me.B]

1. You can create let's encrypt SSL without HTTP 80 even public, you can use DNS to athentificate with let's encrypt.

2. you can have both 80 & 443 enabled, all you have to do is create the SSL vhost & include it manually & don't use the process in the doc to set port override.

M B

[TGates]

I've got the Apache Port set to 443. All other domains have an overwritten Virtual Host Settings that forward to 443 and point towards the certificate. However, I can't seem to get a single domain to not try to redirect to port 80.

Apache service port should not be set to 443. It should always be 80 otherwise none of your non-ssl sites will work. All you need to do is change that back to 80 (From the command line as root you can enter: setso --set apache_port 80). If you are using SSL for your panel login, you change Sentora Apache Port to 443 and add your SSL information for the panel login in Global Sentora Entry adding a port forward at the end:

Code:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/cp.xxxxxx.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cp.xxxxxx.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/cp.xxxxxx.com/chain.pem
# Keeping below for future upgrades.
# Requires Apache >= 2.4
SSLCompression off
</virtualhost>
# PORT FORWARD FROM 80 TO: 443
<virtualhost *:80>
ServerName cp.xxxxxx.com
ServerAdmin postmaster@xxxxxx.com
Redirect permanent / https://cp.xxxxxx.com/

For your other domains, you select them in the custom vhost section and set port override: 443 then check Forward Port 80 to Overriden Port and add your SSL information in the Custom Entry box:

Code:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/xxxxxx.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxx.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/xxxxxx.com/chain.pem
# Keeping below for future upgrades.
# Requires Apache >= 2.4
SSLCompression off

[dsmarter]

To test this out (I had some issues switching from port 80 to port 443 on my prod server), I have set up a second VPS using this method.

The service port is 80 and I have attempted to use the VHost over ride to redirect from 80 to 443. I add in the 443 into the port override box, tick forward port 80 to overridden port and put in this:

Code:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/letsencrypt/live/my.domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain/chain.pem
# Keeping bellow for future upgrades.
# Requires Apache >= 2.4
SSLCompression off

I run the sentora daemon and restart httpd service. I can see in the vhosts config that the re-direct vhosts entry has been correctly added.

Prior to doing the above, port 80 works fine. After doing the above, port 80 gives me a connection error. If I add https:// to the beginning of the domain it loads properly.

Any ideas what else I'm missing? Once I can get this working, I'll migrate my domains over and try to switch the original server over to a proper setup with port 80 as the service port.
Thanks,
Gordon

[TGates]

PM me a copy of your httpd-vhosts.conf file and I'll take a look. You could be having the same issue as this thread: HTTP Service closed (Port 80 Closed)‍ ‍ which I am working on also.

[dsmarter]

@TGates, I've PMed you the config.

[dsmarter]

Okay, so now that I am home from work and can play around, I noticed that in the "/etc/sentora/configs/apache/httpd-vhosts.conf" file, "Listen 80" was not present. Once I add this, it seems to redirect correctly.

Hopefully this is useful to someone else!

[dsmarter]

Whenever I run the Sentora Daemon, it Removes the Listen 80 from the "/etc/sentora/configs/apache/httpd-vhosts.conf" file. I added it to the top of "/etc/sentora/configs/apache/httpd.conf" and it remains when I run the daemon.

Is this the correct way to do this or is there a better way?

Thanks again,
Gordon

[TGates]

This is the exact same issue as HTTP Service closed (Port 80 Closed)‍


Me.B I did a push to master branch with this fix. https://github.com/sentora/sentora-core/...76e30f3509

Fixes issue if not using any sites on port 80
Example: All sites are using SSL, Listen 80 was not being added to the
httpd-vhosts.conf file to allow redirect from 80 to 443.

This is where the issue is in /modules/apache_admin/hooks/OnDeamonRun.hook.php lines 60-63:

PHP Code:

    while ($rowport = $portQuery->fetch()) {
        $customPorts[] = (empty($rowport['vh_custom_port_in'])) ? $VHostDefaultPort : $rowport['vh_custom_port_in'];
    }
    $customPortList = array_unique($customPorts); 


My suggested work around which seems to work for now unless there is  a better way is:

PHP Code:

   while ($rowport = $portQuery->fetch()) {
        $customPorts[] = (empty($rowport['vh_custom_port_in'])) ? $VHostDefaultPort : $rowport['vh_custom_port_in'];
    }
    // Adds default vhost port to Listen port array
    $customPorts[] = $VHostDefaultPort;
    $customPortList = array_unique($customPorts); 


[Me.B]

ok will be checking