Cannot access page over SSL

Fred
11 November 2016, 14:59
Hi Hugo,

I just set up a new VPS and, for some strange reason, I simply cannot load any page when SSL is on (RequireTLS).
There is nothing in the log that can help and nothing on the screen that can help.

Could you please suggest anything on how to debug this issue?

I use a Hiawatha reverse proxy on server A and a webserver on server B.
Server A
VirtualHost {
Hostname = subdomain.mydomaincom, www.subdomain.mydomaincom
WebsiteRoot = /var/www/empty
StartFile = index.php
RequireTLS = yes,31536000
TLScertFile = /usr/local/etc/hiawatha/tls/mydomain.key
TimeForCGI = 60
RandomHeader = 512
ReverseProxy .* https://10.30.20.12:443 30 keep-alive
ReverseProxy .* http://10.30.20.12:80 30 keep-alive
AccessLogfile = /var/log/hiawatha/access.mysubdomain.log
ErrorLogfile = /var/log/hiawatha/error.mysubdomain.log
}


Server B
VirtualHost {
Hostname = subdomain.mydomaincom, www.subdomain.mydomaincom
WebsiteRoot = /usr/local/www/production/httpdocs
StartFile = index.php
#UseLocalConfig = yes # Tell Hiawatha to use or ignore .hiawatha files
CustomHeader = X-Frame-Options: sameorigin
CustomHeader = Vary: Accept-Encoding
RequireTLS = yes,31536000 # Force TLS connection
RandomHeader = 512 # Anti decryption on https listening
TLScertFile = /usr/local/www/production/tls/mydomain.key
AccessLogfile = /usr/local/www/production/logs/access.mysubdomain.log
ErrorLogfile = /usr/local/www/production/logs/error.mysubdomain.log
TimeForCGI = 90
UseFastCGI = PHP7-FPM
ExecuteCGI = yes # Allow execution of CGI programs.
# Default = no

UseToolkit = wordpress

################ Security Settings Variables #######################

DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$ # If the request body matches the case insensitive regular expression, return a 403 Forbidden


PreventSQLi = yes # Prevent SQL-injection by detecting injections and denying the request via a 403, 404 or 441 response.
# NOT 100% guarantee, resource intensive!

PreventXSS = yes # Prevent cross-site scripting via the URL by replacing a less-then, greater-then, quote or double-quote in the URL with an underscore.
# Default = no
WrapCGI = jail_mydomain
}


cgi-wrapper.conf
Wrap = jail_mydomain; /usr/local/www/production/httpdocs; www:www


When I remove the RequireTLS option, everything loads as expected.

I'm really lost here

Thank you
Fred
12 November 2016, 00:39
Hi Hugo,

Do you think my problem could be linked to this old bug?
https://www.hiawatha-webserver.org/forum/topic/1727/#9091
Hugo Leisink
12 November 2016, 11:51
Is your SSL/TLS binding configured properly? Do you have a URL so I can see it for myself?
Fred
12 November 2016, 12:55
Proxy binding.conf
Binding {
Port = 80
Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,15
MaxRequestSize = 2000
MaxUploadSize = 2
}

Binding {
Port = 443
Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,15
#TLScertFile =
MaxRequestSize = 2000
MaxUploadSize = 2
}


Webserver binding.conf
Binding {
Port = 80
Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,15
MaxRequestSize = 2000
MaxUploadSize = 2
}

Binding {
Port = 443
#Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,15
TLScertFile = /usr/local/www/production/mainwp/tls/trinitech.uk.key
MaxRequestSize = 2000
MaxUploadSize = 2
}

I'll email you the URL as the forum is public
Hugo Leisink
12 November 2016, 12:57
In binding.conf, there is a binding for port 443 which does not speak SSL/TLS. For an SSL/TLS binding, the TLScertFile option is mandatory. That option is how Hiawatha knows whether it's a plain text or encrypted binding.
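The mismatch Hugo points out is easy to miss by eye: RequireTLS in the VirtualHost redirects every plain request to https://, but the port-443 Binding only speaks TLS when it carries a TLScertFile, so the redirected browser hits a plaintext listener and the handshake fails. The following checker is an added example, not part of Hiawatha or of the thread; it parses the small subset of configuration syntax shown here (Binding and VirtualHost blocks, "Option = value" lines, '#' comments) and reports exactly that combination. The hostname and the certificate path in the constructed sample are assumed.

```python
"""Check a Hiawatha-style configuration for the mistake diagnosed in this
thread: a VirtualHost sets RequireTLS, yet no Binding actually speaks TLS.

Added example, not part of Hiawatha. It only understands the subset of
syntax shown in the thread: top-level "Binding {" / "VirtualHost {" blocks
holding "Option = value" lines, "}" closers and '#' comments.
"""
import re

# Matches the opening line of a Binding or VirtualHost block.
_OPEN_RE = re.compile(r"^(Binding|VirtualHost)\s*\{$")


def parse_blocks(text):
    """Return [(kind, {option: value}), ...] for each top-level block.

    Comments are stripped first, so a line such as "#TLScertFile = ..."
    counts as absent, exactly as Hiawatha would see it.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _OPEN_RE.match(line)
        if match:
            current = (match.group(1), {})
            blocks.append(current)
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            option, value = line.split("=", 1)
            current[1][option.strip()] = value.strip()
    return blocks


def tls_ports(blocks):
    """Ports whose Binding carries TLScertFile; only these speak TLS."""
    return {opts["Port"] for kind, opts in blocks
            if kind == "Binding" and "Port" in opts and "TLScertFile" in opts}


def plain_ports(blocks):
    """Ports whose Binding has no TLScertFile and therefore speaks plain HTTP."""
    return {opts["Port"] for kind, opts in blocks
            if kind == "Binding" and "Port" in opts and "TLScertFile" not in opts}


def find_problems(text):
    """Return a list of findings; an empty list means the config is consistent."""
    blocks = parse_blocks(text)
    tls, plain = tls_ports(blocks), plain_ports(blocks)
    problems = []
    if "443" in plain:
        problems.append("Binding on port 443 has no TLScertFile, so it speaks "
                        "plain HTTP; a browser sent to https:// fails the handshake")
    for kind, opts in blocks:
        if kind != "VirtualHost":
            continue
        if opts.get("RequireTLS", "no").lower().startswith("yes") and not tls:
            problems.append("VirtualHost %s sets RequireTLS but no Binding speaks "
                            "TLS, so every request is redirected to an https:// "
                            "port that cannot answer" % opts.get("Hostname", "?"))
    return problems


# Constructed sample (hostname assumed): the proxy's binding.conf and
# VirtualHost from the thread, with TLScertFile on port 443 commented out
# as originally posted.
BROKEN_PROXY_CONFIG = """
Binding {
    Port = 80
    Interface = MyIPv4
}

Binding {
    Port = 443
    Interface = MyIPv4
    #TLScertFile =
}

VirtualHost {
    Hostname = subdomain.example.com
    WebsiteRoot = /var/www/empty
    RequireTLS = yes,31536000
}
"""

# The same configuration after the fix from the thread: the port-443 Binding
# gets a TLScertFile (PEM file holding key and certificate; path assumed).
FIXED_PROXY_CONFIG = BROKEN_PROXY_CONFIG.replace(
    "#TLScertFile =", "TLScertFile = /usr/local/etc/hiawatha/tls/proxy.pem")


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_PROXY_CONFIG), ("fixed", FIXED_PROXY_CONFIG)):
        print(name + ":", find_problems(cfg) or ["no problems found"])
```

Running it prints two findings for the broken configuration and none for the fixed one. To confirm the same thing from outside the box, `openssl s_client -connect host:443` against a Binding without TLScertFile fails with a handshake error rather than showing a certificate, which is the quickest way to tell a plaintext listener on 443 from a broken certificate.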
Fred
12 November 2016, 23:33
Hi Hugo,

I added the TLScertFile option and a self-signed certificate and it's working great now.

Thank you for your time

ps: For future readers, letsencrypt cannot be used to generate the certificate on the proxy. Either use a self-signed certificate or use another issuer.