
Problem

Apache isn't reporting HTTPS in the $_SERVER variable of PHP. Certificate is correctly configured according to sslcheck.nl and the website redirects every HTTP request to the HTTPS equivalent.

$_SERVER variable:

  • HTTPS key does not exist
  • SERVER_PORT is 80 instead of 443
  • HTTP_X_FORWARDED_PROTO is not set
  • REQUEST_SCHEME is http instead of https

Without these values, Symfony framework and WordPress cannot determine if the website is running on a secure connection.

Configuration

I'm running a Bitnami LAMP stack. As far as I can tell, the server does not run a reverse proxy. The website does have mod_pagespeed configured, but I do not think that this is configured as a reverse proxy. I tried disabling mod_pagespeed for a test vhost, but Apache keeps reporting http.

What else could be the reason for Apache incorrectly reporting HTTP/HTTPS?

Update

Output from netstat -plnt

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      65034/master
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      2295/monit
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1801/mysqld.bin
tcp        0      0 127.0.0.1:12301         0.0.0.0:*               LISTEN      48346/opendkim
tcp        0      0 127.0.0.1:21            0.0.0.0:*               LISTEN      731/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1889/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      65034/master
tcp6       0      0 :::443                  :::*                    LISTEN      25401/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      25401/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      1889/sshd

Vhost configuration:

<VirtualHost *:80>
  ServerName mydomain.com

  DocumentRoot "/opt/bitnami/apps/mydomain/htdocs/web"

  RewriteEngine On

  #redirect non-www to https://www.
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  #redirect http://www. to https://www.
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

  CustomLog /opt/bitnami/apache2/logs/mydomain-http.log combined

  Include "/opt/bitnami/apps/mydomain/conf/httpd-app.conf"
</VirtualHost>

<VirtualHost *:443>
  ServerName mydomain.com

  DocumentRoot "/opt/bitnami/apps/mydomain/htdocs/web"

  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  CustomLog /opt/bitnami/apache2/logs/mydomain-https.log combined

  # Added this to force https environment variable
  SetEnv HTTPS on

  Include "/opt/bitnami/apps/mydomain/conf/httpd-app.conf"
</VirtualHost>
Waaghals
  • @HBruijn Varnish is disabled by default (did not enable it either). – Waaghals Oct 16 '15 at 13:19
  • As there seems to be some degree of uncertainty, can you verify that it's actually Apache httpd that is bound to 443/tcp? (`netstat -plnt` or similar) – Håkan Lindqvist Oct 19 '15 at 05:42
  • @HåkanLindqvist Looks like it is only the case for tcp6 and not regular tcp. But no other process is using port 443/80 on regular tcp. – Waaghals Oct 19 '15 at 05:46
  • Further to @HåkanLindqvist's comment, can you post the contents of the `netstat` command, along with your relevant Apache configs? – GregL Oct 23 '15 at 13:38
  • It might help a lot if you post your httpd config where your 80 and 443 listeners are at. – Eirik Toft Oct 24 '15 at 17:58

1 Answer


It looks to me like you are in fact accessing Apache via HTTP, not HTTPS (which is what it's telling you).

If you check your Apache config file, you should have 2 sites, one for :80 (HTTP) and one for :443 (HTTPS). The former should redirect traffic to the latter. If you ensure the site with the VIRTUALHOST ending in :80 (which is what I think you're actually using) has a different log file to the one ending :443 (which is the HTTPS host you think you're using), then you'll be able to watch the log files to be sure which site you're looking at.

It's possible that something is tunneling the unwrapped HTTP conversation to Apache, having managed the SSL part, but having looked at the Bitnami docs, they don't do that, so you'd have to have set up something like stunnel yourself. As Håkan Lindqvist said, if netstat -lpn shows only Apache listening on :443 and :80, then the truth must be in the Apache config file. Like I mentioned above, I suggest configuring the logs to be sure, but generally, if it looks like a duck, quacks like a duck, and enjoys spending time in ponds, swimming in the rain, first work on the assumption it's a duck, as it's unlikely to be a cat.

You may find this helpful: https://wiki.bitnami.com/Components/Apache#How_to_enable_HTTPS_support_with_SSL_certificates

It's worth noting, this is an example HTTPS site configuration (from the above link):

<VirtualHost *:443>
  SSLEngine on
  DocumentRoot "/opt/bitnami/apps/sugarcrm/htdocs"
  ServerName my-sugarcrm.example.com
  SSLCertificateFile "/opt/bitnami/apache2/conf/my-sugarcrm.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/my-sugarcrm.key"
</VirtualHost>

sibaz
  • I've updated the vhosts to have different logs per vhost. But the requests do seem to be coming in at the https vhost (based on the access log output) – Waaghals Oct 26 '15 at 09:08
  • Your Apache *:443 config, above, looks to be missing any of the settings which turn on HTTPS, hence unless you have settings in a different file overriding it, you're listening on :443, but it is still an HTTP site. I've added the example *:443 config file from the above link. It's normal to have an SSLEngine ON directive and SSLCertificate* directives in the vhost serving HTTPS – sibaz Oct 26 '15 at 09:32
  • Thanks! That was the problem. I was using a wildcard certificate and the certificate was configured in httpd.conf. This made https work, but the vhost didn't know about the usage of https. It seems I have to add this to the vhost explicitly (which kinda makes sense). I added the SSL* directives to the vhost, and now it is working. – Waaghals Oct 26 '15 at 09:56
  • This was my problem too. Although my certificates were set in the default Apache configuration file, simply having the port at 443 was not enough: I had to add the certificate and the key file to my `VirtualHost`. I also had to include `SSLEngine on`, as stated. – Vadim Aug 10 '16 at 14:28
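
A check for the condition the answer identifies, a `*:443` vhost whose block lacks `SSLEngine on` and the certificate directives, as an added example that is not part of the original thread. The function names and the sample configuration are constructed for illustration; only the text of each vhost block is inspected, so `Include` files and server-wide settings are not followed.

```python
import re

# Constructed sample modelled on the question's vhosts; names and paths are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:80>
  ServerName mydomain.com
</VirtualHost>
<VirtualHost *:443>
  ServerName mydomain.com
  # SSLEngine on   (commented out, so it must not count)
  SetEnv HTTPS on
</VirtualHost>
<VirtualHost *:443>
  ServerName fixed.example.com
  SSLEngine on
  SSLCertificateFile "/path/to/placeholder.crt"
  SSLCertificateKeyFile "/path/to/placeholder.key"
</VirtualHost>
"""

OPEN_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")

def parse_vhosts(conf_text):
    """Return [(addresses, {directive: [values]})] for each <VirtualHost> block."""
    vhosts, current = [], None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and whole-line comments carry no directives
        opened = OPEN_RE.fullmatch(line)
        if opened:
            current = (opened.group(1).split(), {})
        elif line.lower() == "</virtualhost>" and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            current[1].setdefault(parts[0].lower(), []).append(value)
    return vhosts

def audit_tls_vhosts(conf_text, tls_ports=("443",)):
    """Flag vhosts bound to a TLS port whose own block does not enable mod_ssl."""
    findings = []
    for addresses, directives in parse_vhosts(conf_text):
        if not any(a.rpartition(":")[2] in tls_ports for a in addresses):
            continue
        problems = []
        if directives.get("sslengine", [""])[-1].lower() != "on":
            problems.append("SSLEngine on missing")
        problems += [f"{n} missing" for n in REQUIRED if n.lower() not in directives]
        if problems and any(v.lower().split()[:1] == ["https"] for v in directives.get("setenv", [])):
            problems.append("SetEnv HTTPS forces the flag without TLS enabled in this block")
        if problems:
            findings.append((directives.get("servername", ["?"])[-1], problems))
    return findings
```

Run over the sample, `audit_tls_vhosts(SAMPLE_CONF)` reports only the `mydomain.com` vhost on port 443; the vhost that carries `SSLEngine on` and both certificate directives passes.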