Mailing List Archive

[Bug 64847] New: Incomplete SSL virtual host config seems to work but tells php it is not using SSL
https://bz.apache.org/bugzilla/show_bug.cgi?id=64847

Bug ID: 64847
Summary: Incomplete SSL virtual host config seems to work but
tells php it is not using SSL
Product: Apache httpd-2
Version: 2.4.38
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: bugs@davidsoncj.id.au
Target Milestone: ---

Created attachment 37531
--> https://bz.apache.org/bugzilla/attachment.cgi?id=37531&action=edit
my default ssl virtualhost config stripped of comments

This is a home/testbed system, not exposed on the internet.

The installation is Debian 10 (current stable release), using Debian's
configuration methods.
PHP is version 7.3.19-1~deb10u1, server API reports "Apache 2 handler".

I use my own certificates and the browsers trust the CA.

The virtual hosts are all cnames in local DNS and appear as subjectAltNames on
the one certificate that Apache loads.

For some years it has seemed to work with the following configuration:
The main SSL config is created under Debian's system with
<VirtualHost _default_:443>
where I replaced the snakeoil certificate and key with my own, but otherwise
left alone (see attached).

Works fine for the main site.

Other virtual hosts were defined along the lines of
<VirtualHost *:80>
ServerName vhost1.home.domain
ServerAlias some extra names
DocumentRoot "/var/www/virtuals/vhost1"
</VirtualHost>

<VirtualHost *:443>
ServerName vhost1.home.domain
ServerAlias same extra names
DocumentRoot "/var/www/virtuals/vhost1"
</VirtualHost>

This has seemed to work for several years - it speaks plain http on port 80 and
SSL/TLS on port 443 delivering whatever the vhost is supposed to supply.

The problem became apparent when I installed WordPress, both with the Debian
package and then with the latest download. As soon as I enable https for the
WordPress virtual host it goes into an infinite redirect loop, sending https
requests to the same URL.
The reason is that WordPress tests in PHP for the presence/value of
$_SERVER['HTTPS'], and if that fails then it tests if $_SERVER['SERVER_PORT']
is 443.
That should have worked, but in this case, Apache2 reports to PHP that the
entire request was done using SERVER_PORT = 80 and REQUEST_SCHEME = "http".
Which is just wrong, all traffic was on port 443, as confirmed both by Wireshark
and by Firefox developer tools.
To confirm these parameter values, I accessed phpinfo.php under each host.

The minimal fix is to add a few extra lines to the virtualhost declaration:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/my-cert.crt
SSLCertificateKeyFile /etc/ssl/private/my-cert.key

If I just add "SSLEngine on" by itself then it complains about missing
certificates.
It seems I have misinterpreted the purpose of the _default_:443 - it looked to
me like SSL parameters missing from the virtualhost 443 declarations were taken
from _default_ declarations.

And there is no proxy anywhere that I am aware of, which is reported elsewhere
as a cause of these WordPress symptoms.

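A configuration check for the condition described in this report, as an added example that is not part of the original report or of Apache httpd: it flags any <VirtualHost> block bound to port 443 that lacks the three directives from the reporter's minimal fix. The names parse_vhosts and audit and the sample configuration are constructed for illustration; the check looks only inside each block and does not follow Include files or server-level directives.

```python
import re

# Directives the report's minimal fix adds to each *:443 block.
REQUIRED = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")

# Constructed sample modelled on the report: a complete _default_ vhost and a
# name-based vhost on 443 that never enables mod_ssl.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    ServerName main.home.domain
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/my-cert.crt
    SSLCertificateKeyFile /etc/ssl/private/my-cert.key
</VirtualHost>
<VirtualHost *:80>
    ServerName vhost1.home.domain
</VirtualHost>
<VirtualHost *:443>
    ServerName vhost1.home.domain
    DocumentRoot "/var/www/virtuals/vhost1"
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)

def parse_vhosts(text):
    """Return [(addresses, {directive_lowercase: arguments})] per block."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current = (opened.group(1).split(), {})
        elif line.lower().startswith("</virtualhost"):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[1][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return vhosts

def audit(text, tls_ports=("443",)):
    """List (ServerName, missing directives) for TLS-port vhosts without SSL set up."""
    findings = []
    for addresses, directives in parse_vhosts(text):
        if not any(a.rsplit(":", 1)[-1] in tls_ports for a in addresses):
            continue
        missing = [d for d in REQUIRED if d.lower() not in directives]
        if directives.get("sslengine", "on").lower() != "on":
            missing.insert(0, "SSLEngine")  # present but not switched on
        if missing:
            findings.append((directives.get("servername", "?"), missing))
    return findings
```

Calling audit() on the contents of a site file returns one entry per affected virtual host; an empty list means every block on port 443 carries its own SSL settings.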