Blocking access from server name - wordpress

Hi, I'm hardening a WordPress site that uses Apache for the web server. I want to block access from servername.admin.company.com. I tried editing .htaccess per another answer I saw here, but the site started 500'ing from https://domainname.com. There are a ton of security issues, and we decided the best way to handle it is to just block access completely since no one really needs to access it that way.
Here's my vhosts file:
<Directory "/var/www/directory">
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
Require not host servername.admin.company.com
</Directory>
DirectoryIndex index.php index.html
<VirtualHost *:80>
ServerName site.com
ServerAlias www.site.com
DocumentRoot "/var/www/directory"
# Enable HSTS (tell browsers to use only HTTPS)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
<Directory "/var/www/html">
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
</Directory>
RewriteEngine on
RewriteRule "^(.*/)?\.git/" - [F,L]
RedirectMatch 404 /\.git
</VirtualHost>
<VirtualHost *:80>
ServerName business.site.com
ServerAlias subdomain.site.com
ServerAlias www.business.site.com
DocumentRoot "/var/www/directory"
# Enable HSTS (tell browsers to use only HTTPS)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
<Directory "/var/www/site">
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
</Directory>
RewriteEngine on
RewriteRule "^(.*/)?\.git/" - [F,L]
RedirectMatch 404 /\.git
CustomLog /var/log/httpd/site-requests.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName business.site.com
ServerAlias directory.site.com
ServerAlias www.subfolder.site.com
DocumentRoot "/var/www/sitefolder"
# Enable HSTS (tell browsers to use only HTTPS)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
<Directory "/var/www/sitefolder">
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
</Directory>
RewriteEngine on
RewriteRule "^(.*/)?\.git/" - [F,L]
RedirectMatch 404 /\.git
CustomLog /var/log/httpd/sitefolder-requests.log combined
ErrorLog /var/log/httpd/sitefolder-error.log
</VirtualHost>

You can achieve this in various ways, iptables, .htaccess, etc.
Please visit this URL, what you need to do is well documented there:
https://httpd.apache.org/docs/2.4/en/howto/access.html
I hope it helps you.
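
Added example (not from the original post or the linked Apache documentation): `Require host` tests the client's reverse-DNS name rather than the hostname that was requested, and Apache 2.4 does not accept a negated `Require` next to `Require all granted` outside a `<RequireAll>` block. The sketch below instead gives the unwanted name its own virtual host that denies everything; hostnames and paths are the ones from the question, and the log file name is an assumption.

```apache
# Added example. The blocked-host log file name is an assumption.

# 1) Dedicated vhost for the name that must not serve the site.
#    Name-based vhost selection uses the Host header, so requests for
#    servername.admin.company.com land here. Because it is listed first,
#    it is also the default for any Host that matches no other vhost
#    (including requests made by bare IP address).
<VirtualHost *:80>
    ServerName servername.admin.company.com
    <Location "/">
        Require all denied
    </Location>
    CustomLog /var/log/httpd/blocked-host-requests.log combined
</VirtualHost>

# 2) The real site, with the negated Require removed.
<VirtualHost *:80>
    ServerName site.com
    ServerAlias www.site.com
    DocumentRoot "/var/www/directory"
    <Directory "/var/www/directory">
        AllowOverride All
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>

# Alternative without a separate vhost: deny by requested hostname
# inside the existing vhost (Apache 2.4 expression syntax).
# <If "%{HTTP_HOST} == 'servername.admin.company.com'">
#     Require all denied
# </If>

# For reference, the only form in which 2.4 accepts a negated Require.
# "host" here still matches the CLIENT's reverse-DNS name, so it blocks
# visitors coming from that machine, not requests for that site name.
# <RequireAll>
#     Require all granted
#     Require not host servername.admin.company.com
# </RequireAll>
```

Check the syntax with `apachectl configtest` before reloading, then confirm the block with `curl -I -H 'Host: servername.admin.company.com' http://<server-ip>/`, which should return 403. A matching deny vhost is needed for every other port Apache listens on.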

Related

WAMP - vhost address forced to HTTPS instead of just HTTP

I have installed wamp64 and configured various vhosts, which work well except for one address, which the system forces to go to HTTPS instead of HTTP like the rest of them. dev.test.com is forced to go to HTTPS://dev.test.com instead of HTTP://dev.test.com, and of course the file is not found.
dev.test2.com goes to HTTP,
example goes to HTTP
I had a XAMPP install that had a vhosts file which had a redirect for dev.test.com to HTTPS. Thinking this might somehow interfere, I renamed that XAMPP vhost file, but I still get the same problem even after a computer reboot.
In wamp64 I am able to create any other vhost and have it work fine, but not this one. What could be causing this?
wamp64, version 3.2.9, php 7.4, apache 2.4.51
WAMP VHOST FILE:
<VirtualHost *:80>
ServerName example
DocumentRoot "c:/wamp64/www/example"
<Directory "c:/wamp64/www/example/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require local
</Directory>
</VirtualHost>
#
<VirtualHost *:80>
ServerName dev.test.com
DocumentRoot "c:/wamp64/www/dev.test.com"
<Directory "c:/wamp64/www/dev.test.com/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require local
</Directory>
</VirtualHost>
#
<VirtualHost *:80>
ServerName dev.test2.com
DocumentRoot "c:/wamp64/www/dev.test2.com"
<Directory "c:/wamp64/www/dev.test2.com/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require local
</Directory>
</VirtualHost>
#
My previous XAMPP VHOST FILE - NOW RENAMED TO DISABLE IT (httpd-vhosts_old.conf)
<VirtualHost dev.test.com:80>
ServerName dev.test.com
DocumentRoot "C:\xampp\htdocs\dev.test.com"
<Directory "C:\xampp\htdocs\dev.test.com">
Options All
AllowOverride All
Require all granted
</Directory>
ErrorLog "logs/dev.test.com-error.log"
CustomLog "dev.test.com-access.log" combined
#redirect non SSL URI to SSL URI
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.dev.test.com [OR]
RewriteCond %{SERVER_NAME} =dev.test.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
I ended up configuring a local SSL certificate for the server and converted all local hostnames to access SSL, which worked fine. I know this does not answer the posted question, but it at least allowed me to proceed.

Migrate rules from apache to nginx

I have to migrate an Apache configuration file to Nginx but as I have no experience in Nginx I would like some help.
This is my apache setup:
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
<Directory /var/www/ff>
AllowOverride All
Options -Indexes
</Directory>
DocumentRoot /var/www
RedirectMatch ^/$ /ff/
Alias "/uploads" "/var/www/ff/uploads/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I'm a little lost as to using the RedirectMatch parameter in nginx; I guess it has another name.
Could you help me create a configuration file for nginx?
Regards,

Combine r-handler and tls

Is it possible to provide the Apache R-mod via TLS directly? Without the need to set up a reverse proxy?
I'm trying to set up an OpenCPU instance without the typical reverse proxy configuration. It should be accessible via HTTPS and HTTPS only.
Whenever I try to enable the TLS/SSL engine, Apache ignores that, and on port 443 I get a header mismatch as HTTP is delivered over port 443.
<IfModule mod_ssl.c>
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
<IfModule mod_R.c>
RSourceOnStartup "/usr/lib/opencpu/rapache/onstartup.R"
<Location /ocpu>
SSLEngine on
SSLUseStapling on
SSLCertificateFile /etc/ssl/xxx.pem
SSLCertificateKeyFile /etc/ssl/private/xxx.key
SSLCertificateChainFile /etc/ssl/certs/chain.pem
SetHandler r-handler
RHandler opencpu:::rapachehandler
SetOutputFilter DEFLATE
SetInputFilter DEFLATE
</Location>
Alias /favicon.ico /usr/lib/opencpu/rapache/favicon.ico
Alias /robots.txt /usr/lib/opencpu/rapache/robots.txt
# Increase prefork defaults
<IfVersion >= 2.4>
#StartServers 10
MaxConnectionsPerChild 200
<Directory /usr/lib/opencpu/rapache>
Require all granted
</Directory>
</IfVersion>
</IfModule>
It seems that the Location /ocpu is valid for both VirtualHosts, the one for HTTP and HTTPS.
So it suffices to redirect HTTP to HTTPS in 000-default.conf and to correctly set up TLS in the default-ssl.conf.
<VirtualHost *:80>
ServerName xxx
ServerAdmin xxx
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect / https://xxx/
</VirtualHost>
And
# cat default-ssl.conf
<IfModule mod_ssl.c>
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
LogLevel Debug
<VirtualHost *:443>
ServerName xxx
ServerAdmin xxx
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLUseStapling on
SSLCertificateFile /etc/ssl/certs/xxx.pem
SSLCertificateKeyFile /etc/ssl/private/xxx.key
SSLCertificateChainFile /etc/ssl/certs/xxx.pem
DocumentRoot /var/www/html
</VirtualHost>
</IfModule>
No need to change anything in the opencpu.conf.

ProxyPass rule for Wordpress Site with Apache2

I have a WordPress site running on wordpress.myorg.com. For authentication I have to redirect it to my internal server running a CAS server.
The internal server does not have a DNS name, so I'm using local DNS with the IP address in the HOST file to redirect to the CAS server. Everything works correctly that way.
Now I want to add ProxyPass rules, so that the user only sees wordpress.myorg.com all the time.
After adding the ProxyPass rules, when I hit wordpress.myorg.com/wp-login.php it returns a page with a 500 internal error rather than showing the CAS login screen.
Here is the Virtual Host entry I have done in Apache web server for Wordpress Site
<VirtualHost *:80>
ServerAdmin your_email_address
ServerName wordpress.myorg.com
ServerAlias wordpress.myorg.com
DocumentRoot /var/www/html/wordpress
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/html/wordpress>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
RewriteEngine On
Options +FollowSymLinks
RewriteCond %{HTTPS} !=on
RewriteRule ^/?CAS/(.*) https://wordpress.myorg.com/CAS/$1 [R,NE,L]
</VirtualHost>
<VirtualHost *:443>
ServerAdmin your_email_address
ServerName wordpress.myorg.com
ServerAlias wordpress.myorg.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/myorg.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/myorg.com.key
ProxyRequests On
ProxyVia On
ProxyPass /CAS/ ajp://cas.myorg.com:8009/CAS/
ProxyPassReverse /CAS/ ajp://cas.myorg.com:8009/CAS/
</VirtualHost>
Any help on this would be appreciated.
Thanks.
Got the issue. I forgot to enable SSLProxyEngine. Just enabled it and it's working like a charm.
Edit for the HTTPS portion:
<VirtualHost *:443>
ServerAdmin your_email_address
ServerName wordpress.myorg.com
ServerAlias wordpress.myorg.com
SSLEngine on
## Added these lines ##
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
## -- ##
SSLCertificateFile /etc/apache2/ssl/myorg.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/myorg.com.key
ProxyRequests On
ProxyVia On
ProxyPass /CAS/ ajp://cas.myorg.com:8009/CAS/
ProxyPassReverse /CAS/ ajp://cas.myorg.com:8009/CAS/
</VirtualHost>
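
Added example (not the poster's configuration): the same HTTPS virtual host with `ProxyRequests Off`. `ProxyPass` works as a reverse proxy without `ProxyRequests`, and setting it to `On` additionally makes the server a forward proxy that will fetch arbitrary URLs for clients. Hostnames, certificate paths and the AJP backend are copied from the post; `SSLProxyCheckPeerName` is an addition.

```apache
# Added example: reverse proxy to CAS without forward-proxy mode.
<VirtualHost *:443>
    ServerAdmin your_email_address
    ServerName wordpress.myorg.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/myorg.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/myorg.com.key

    # Weak setting from the post:
    #   ProxyRequests On
    # Corrected: ProxyPass below keeps working, but the server no longer
    # accepts forward-proxy requests for arbitrary destinations.
    ProxyRequests Off
    ProxyVia On

    # Only the /CAS/ path is handed to the backend.
    ProxyPass        /CAS/ ajp://cas.myorg.com:8009/CAS/
    ProxyPassReverse /CAS/ ajp://cas.myorg.com:8009/CAS/

    # Certificate checks for TLS connections to backends, as in the post.
    SSLProxyEngine On
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
    # In Apache 2.4.5 and later this directive supersedes CheckPeerCN.
    SSLProxyCheckPeerName on
</VirtualHost>
```

AJP carries no encryption or authentication of its own, so port 8009 on the CAS host should accept connections only from this web server.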

Apache2 configuration causing redirect loop

I'm trying to set up my site to use www only, and non-www should be permanently redirected to www. This answer suggested using two virtual hosts; however, it causes me to go into a redirect loop.
Here's the configuration for the site:
<VirtualHost *:80>
ServerName www.mydomain.com
DirectoryIndex index.html index.php
DocumentRoot /home/me/sites/mydomain.com/htdocs
# Log file locations
LogLevel warn
ErrorLog /home/me/sites/mydomain.com/logs/error.log
CustomLog /home/me/sites/mydomain.com/logs/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName mydomain.com
Redirect permanent / http://www.mydomain.com/
</VirtualHost>
When I visit the non-www version of the site it successfully redirects to the www version, however Chrome then tells me that there was a redirect loop.
At first I thought it could be .htaccess in my document root however after removing that file it still happens. It's just a simple Wordpress site.
Can anyone see something wrong with the config that would cause this to happen? If not, how can I narrow down the cause?
You don't need a separate VirtualHost entry for non-www; use ServerAlias instead. Also, to redirect to www, just use a rule like this:
<VirtualHost *:80>
ServerName www.mydomain.com
ServerAlias mydomain.com
DirectoryIndex index.html index.php
DocumentRoot /home/me/sites/mydomain.com/htdocs
# Log file locations
LogLevel warn
ErrorLog /home/me/sites/mydomain.com/logs/error.log
CustomLog /home/me/sites/mydomain.com/logs/access.log combined
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
