We've updated our Apache deployment configuration to allow for non-www requests to our server (https://example.com). For https connections we needed this because the name didn't match the cert. This was good; recently, though, we noticed our local deployments' secure environments (https://chris.example.com) are also pointing to this new deployment. We commented out the new deployment to confirm this was the change that caused it, and it was. We presumed this was from the servername setting we had set. Here's our initial settings:
NameVirtualHost example.com:443
<VirtualHost example.com:443>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/www.example.com
    ServerName example.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLProtocol all
    SSLCertificateFile /usr/local/ssl/crt/example2017.cert
    SSLCertificateKeyFile /usr/local/ssl/private/ssl2017.key
    SSLCACertificateFile /usr/local/ssl/crt/example2017intermediate.pem
    DirectoryIndex index.html
    DirectoryIndex index.php
    LogLevel notice
    ErrorLog /var/log/httpd/www.example.com/error.log
    LogFormat "%{%Y-%m-%d %H:%M:%S}t %a %u %A %p %m %U %q %>s \"%{User-agent}i\"" w3c_extended
    CustomLog /var/log/httpd/www.example.com/access.log w3c_extended
</VirtualHost>
After the commenting out worked we assumed it was the ServerName being a loose match and we read the following on the Apache site:
Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload appliance. When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName directive to make sure that the server generates the correct self-referential URLs.
-http://httpd.apache.org/docs/2.2/mod/core.html#servername
So we updated the servername entry to:
ServerName https://example.com:443
This allowed the main page (https://example.com) to still load and redirect, but the development environments (https://chris.example.com) were again being loaded from it. I was originally considering trying an explicit starting rule:
ServerName ^example.com
but I can't find anywhere saying the servername accepts regex. Is there a way to do this, or am I on the wrong path and the issue is elsewhere?
Here's the httpd -S output:
VirtualHost configuration:
192.168.0.0:443 is a NameVirtualHost
        default server example.com (/etc/httpd/conf/httpd.conf:1065)
        port 443 namevhost example.com (/etc/httpd/conf/httpd.conf:1065)
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
        default server *.example.com (/etc/httpd/conf.d/ssl.conf:74)
        port 443 namevhost *.example.com (/etc/httpd/conf.d/ssl.conf:74)
        port 443 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1046)
        port 443 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1096)
        port 443 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1129)
        port 443 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1159)
        port 443 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1189)
        port 443 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1219)
        port 443 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1249)
        port 443 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1300)
        port 443 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1316)
*:80 is a NameVirtualHost
        default server www.example.com (/etc/httpd/conf/httpd.conf:1034)
        port 80 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1034)
        port 80 namevhost dfw.example.com (/etc/httpd/conf/httpd.conf:1084)
        port 80 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1114)
        port 80 namevhost dan.example.com (/etc/httpd/conf/httpd.conf:1147)
        port 80 namevhost rich.example.com (/etc/httpd/conf/httpd.conf:1177)
        port 80 namevhost rich2.example.com (/etc/httpd/conf/httpd.conf:1207)
        port 80 namevhost danny12.example.com (/etc/httpd/conf/httpd.conf:1237)
        port 80 namevhost nick.example.com (/etc/httpd/conf/httpd.conf:1267)
        port 80 namevhost origin_server.example.com (/etc/httpd/conf/httpd.conf:1279)
        port 80 namevhost cdn.example.com (/etc/httpd/conf/httpd.conf:1290)
Syntax OK
The new deployment started at line 1064 and ended at 1081.
After more thorough investigation in chat it appears that there were two NameBasedVirtualHost statements, one for *:443 and another one for example.com:443, with the former having all subdomains VirtualHost declarations and the latter having only one for example.com itself. Making it uniform with one NameBasedVirtualHost *:443 declaration and all subdomains and main domain referring to it fixed the problem.
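
The selection order behind this fix, as an added example (not from the original post or the Apache project): a simplified Python model that parses httpd -S output and shows why a request for chris.example.com arriving on 192.168.0.0:443 is served by the example.com vhost. The function names are hypothetical, the sample is an abridged copy of the output quoted in the question, and ServerAlias and wildcard-name matching are left out.

```python
import re

# Constructed sample: abridged copy of the `httpd -S` output quoted in the question.
HTTPD_S = """\
192.168.0.0:443 is a NameVirtualHost
default server example.com (/etc/httpd/conf/httpd.conf:1065)
port 443 namevhost example.com (/etc/httpd/conf/httpd.conf:1065)
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server *.example.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost *.example.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost www.example.com (/etc/httpd/conf/httpd.conf:1046)
port 443 namevhost chris.example.com (/etc/httpd/conf/httpd.conf:1096)
"""

def parse_sets(text):
    """Return {"addr:port": [vhost names in config order]}; the first name is the default."""
    sets, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(\S+:\d+)\s+is a NameVirtualHost$", line)
        if m:
            current = sets.setdefault(m.group(1), [])
            continue
        m = re.match(r"port \d+ namevhost (\S+)", line)
        if m and current is not None:
            current.append(m.group(1))
    return sets

def select_vhost(sets, local_ip, port, host):
    """Simplified model (assumption: no ServerAlias): pick the address set first,
    a specific IP beating '*', then match the Host name inside that set only,
    falling back to that set's first (default) vhost."""
    names = sets.get(f"{local_ip}:{port}") or sets.get(f"*:{port}", [])
    return host if host in names else (names[0] if names else None)

def shadowed_names(sets):
    """Names declared under '*:port' that a specific-IP set on the same port hides."""
    hidden = {}
    for addr, names in sets.items():
        ip, port = addr.rsplit(":", 1)
        if ip != "*":
            wild = sets.get(f"*:{port}", [])
            hidden[addr] = [n for n in wild if n not in names and "*" not in n]
    return hidden

if __name__ == "__main__":
    sets = parse_sets(HTTPD_S)
    print(select_vhost(sets, "192.168.0.0", 443, "chris.example.com"))
    print(shadowed_names(sets))
```

Any non-empty list from shadowed_names means a vhost under the wildcard set can never be selected for traffic arriving on that specific address, which is the condition the single *:443 declaration removes.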