I have tried to configure a non-www website on Ubuntu 18.04 with Apache 2.4 and I've managed to make things work, my https://example.me works fine. But, www.example.me subdomain is also active (because I've added ServerAlias). The https://www.example.me opens as well and shows no certificate which makes me confused - shouldn't it redirect to https://example.com ? What is a good practice here - should I have both www and non-www subdomains and a separate conf file for each? Should I use only one of them with permanent redirection? Why is redirection not working here, do I need some other directive?

Kind regards.

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/mysite.me.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mysite.me.key
        SSLCertificateChainFile /etc/apache2/ssl/mysite.me.crt
        DocumentRoot /var/www/html
        ServerName https://example.me
        ServerAlias www.example.me
        UseCanonicalName Off

        ProxyPreserveHost On
        ProxyRequests On
        ProxyVia On

        #ErrorLog /var/log/httpd/tomcat.error.log
        #CustomLog /var/log/httpd/tomcat.log combined

       <Proxy *>
               Order deny,allow
               Allow from all
       </Proxy>
        Include /etc/apache2/sites-available/redirect.conf

        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>

<VirtualHost *:80>
        ServerAdmin webmaster@mexample.me
        ServerName example.me
        DocumentRoot /var/www/html
        UseCanonicalName Off
        Redirect permanent "/" "https://example.me/"

        ProxyPreserveHost On
        ProxyRequests On
        ProxyVia On

        #ErrorLog /var/log/httpd/tomcat.error.log
        #CustomLog /var/log/httpd/tomcat.log combined

       <Proxy *>
               Order deny,allow
               Allow from all
       </Proxy>
        Include /etc/apache2/sites-available/redirect.conf

        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/

        #ProxyPass / http://localhost:8080/
        #ProxyPassReverse / http://localhost:8080/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
c.mtd17

1 Answer

First, please note that permanent redirects are cached by your web browser, so if you made a change and are testing a modified configuration, take precautions and/or adjust your test methodology. More about that here.


IMHO your configuration is also riddled with errors and incorrect assumptions.


DO NOT ENABLE / ALLOW proxy requests!!!

    ProxyPreserveHost On
    ProxyRequests On
    ProxyVia On
   <Proxy *>
           Order deny,allow
           Allow from all
   </Proxy>

The directives above are to create a forward proxy. Even worse, it is an open proxy that can and will be abused by anybody who wants to hide their IP address using your web server.

You do not need ProxyRequests On for a reverse proxy and the ProxyPass directives to work.

Please remove those.


In your HTTP VirtualHost

When you only have one VirtualHost it becomes the default VirtualHost (for that port and address). A longer description here. So unless you have additional VirtualHost blocks defined, this single entry:

<VirtualHost *:80>
        ServerAdmin webmaster@mexample.me
        ServerName example.me

will be used for all plain http requests, i.e. both http://example.me/some-page.htm?foo=bar , http://www.example.me , http://your.ip-address/ etc. That VirtualHost will be used even when there is no explicit ServerAlias www.example.com designating www.example.com as an alternate host name for that particular VirtualHost.

 Redirect permanent "/" "https://example.me/"

Instructs that all requests will result in a redirect response to https://example.me/, in other words:

 http://example.me/some-page.htm?foo=bar  ==>  https://example.me/some-page.htm?foo=bar
 http://www.example.me                    ==>  https://example.me/
 http://your.ip-address/bob/is.awe-some   ==>  https://example.me/bob/is.awe-some

When you redirect everything away it also makes no sense to then have any other directives normally intended to display content in that VirtualHost, so you can omit the DocumentRoot, ProxyPass etc and keep a very minimal plain http VirtualHost:

<VirtualHost *:80>
        ServerAdmin webmaster@mexample.me
        ServerName example.me
        UseCanonicalName Off

        Redirect permanent "/" "https://example.me/"

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

In your HTTPS VirtualHost the same holds true: if there are no other VirtualHosts it will be the default used for any request.

The only thing is of course the server TLS certificate; that is only valid for the hostnames included in there, other hostnames will result in an invalid certificate error/warning.

You probably will need to check the contents of the file you include here:

Include /etc/apache2/sites-available/redirect.conf
Bob
  • Thank you Bob for such a detailed explanation. They are actually using proxy for tomcat and some other app... I "inherited" this server from someone else and I'm trying to see what is a good practice and how to configure it and why is invalid certificate warning present with www.example.me. Do you maybe see it in this configuration? Should I add another virtualhost for www and link certificate there? Redirect.conf contains some two thousand rules for redirection of data from old to the new website... – c.mtd17 Mar 02 '22 at 11:03
  • You do not need to have a forward proxy enabled when using a reverse proxy or ajp – Bob Mar 02 '22 at 11:05
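
Added example, not part of the answer or of the asker's configuration: a small Python audit for an inherited Apache config that applies the distinction drawn above, reporting `ProxyRequests On` together with an allow-all `<Proxy *>` as an open forward proxy and `ProxyPass` on its own as a reverse proxy. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample modelled on the question's configuration (not a real server).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ProxyRequests On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / ajp://localhost:8009/
</VirtualHost>
<VirtualHost *:80>
    #ProxyRequests On
    ProxyPass / ajp://localhost:8009/
</VirtualHost>
"""

def verdict(v):
    # ProxyRequests On is what makes a forward proxy; ProxyPass alone does not.
    if v["forward"]:
        return "open forward proxy" if v["allow_all"] else "forward proxy enabled"
    return "reverse proxy only" if v["reverse"] else "no proxy"

def audit_vhosts(conf_text):
    """Classify the proxy setup of each <VirtualHost> block (Include files are not followed)."""
    results, cur, in_proxy_any = [], None, False
    for raw in conf_text.splitlines():
        low = raw.strip().lower()
        if not low or low.startswith("#"):
            continue                          # blank line or commented-out directive
        if low.startswith("<virtualhost"):
            cur = {"vhost": low[1:-1].split()[1], "forward": False, "allow_all": False, "reverse": False}
        elif cur is None:
            continue                          # directives outside a VirtualHost are not inspected
        elif low.startswith("</virtualhost"):
            results.append(dict(cur, verdict=verdict(cur)))
            cur = None
        elif re.match(r"proxyrequests\s+on$", low):
            cur["forward"] = True
        elif low.startswith(("<proxy", "</proxy")):
            in_proxy_any = bool(re.match(r'<proxy\s+"?\*"?\s*>$', low))
        elif in_proxy_any and re.match(r"(allow\s+from\s+all|require\s+all\s+granted)$", low):
            cur["allow_all"] = True
        elif re.match(r"proxypass\s", low):
            cur["reverse"] = True
    return results

print([(v["vhost"], v["verdict"]) for v in audit_vhosts(SAMPLE_CONF)])
```

Because `Include` files are not followed, files such as the `redirect.conf` mentioned above have to be passed to the function separately.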