Develop Reference

Configure IBM HTTP Server as reverse proxy with SSL for the proxy only

(This SO thread seems to be very similar, but does not answer my problem)
I have a loadbalancer listening on https://loadbalancerurl:443/
which terminates SSL and forwards requests to the IHS (IBM HTTP Server) on port 80.
I need to configure the IHS as a reverse proxy, such that requests get forwarded to https://targeturl:443/
browser --443--> loadbalancer --80--> IHS --443--> target
The reason we need to do this on the IHS, is because on that server we have direct and quick access to change the target url on demand, whereas the loadbalancer is out of our control.
This means, that i need to activate SSL in the IHS, but only for the outgoing requests to the targeturl, but not for the incoming requests.
Pages like
this from IBM
or this blog post
assume that SSL is incoming and outgoing.
Here is the relevant code block of the httpd.conf file:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
SSLProxyEngine on
<VirtualHost *:80>
# ServerName webserverhostname # not needed so far
SSLEnable # without this i get "SSL0263W: SSL Connection attempted when SSL did not initialize."
KeyFile store.kdb # without this i get "SSL0170E: GSK could not initialize, no keyfile specified."
SSLStashFile store.sth
ProxyPass / https://targeturl/
ProxyPassReverse / https://targeturl/
</VirtualHost>
SSLDisable
where the store.kdb contains the CA certificates of the targeturl, as indicated in the SO thread
However, the server continuously spits out the following error message:
SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file, or the specified label is not a 'personal certificate' (no private key). Label='(null)'
As far as i understand, this means that IHS is failing to handle incoming https traffic, which should not happen. It should not happen because the <VirtualHost *:80> specifies port 80, and also because any traffic that reaches the IHS has the SSL terminated by the loadbalancer.
Am i misunderstanding the error message? If not, how can i get this working?
edit to show working solution:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
SSLProxyEngine on
<VirtualHost *:80>
# ServerName webserverhostname # not needed so far
# SSLEnable # this would activate SSL for incoming traffic
KeyFile store.kdb # this contains the CA certificates of the target server
# SSLStashFile store.sth # would only be needed for incoming SSL
ProxyPass / https://targeturl/
ProxyPassReverse / https://targeturl/
</VirtualHost>
# SSLDisable

SSLEnable should not be present in a virtual host that doesn't actually handle inbound SSL.
SSLStashFile is also not needed. It is unfortunately named.
You should deep dive on the error_log entries you get in the config without these two. There is likely an early SSL error that does not fail startup. The only necessary config even without frontend SSL is just:
SSLProxyEngine on
ProxyPass / https://example.com/
KeyFile /path/to/key.kdb

What causes Dokan Stripe Connection HTTP error 500?

I was working on a WordPress site that uses Dokan Multi-vendor Plugin to utilise its e-commerce functions. It also uses Stripe Connect as a payment gateway so each seller gets a commission from each sale. For each seller to receive payment, each seller account has to connect to their own Stripe account (as illustrated here: https://wedevs.com/docs/dokan/modules/how-to-install-and-configure-dokan-stripe-connect/)
This function has been around for a while on the site and had been working perfectly fine. However, this afternoon when I clicked "Connect to Stripe" blue button (as shown in the link above), I get an "HTTP error 500" from Chrome. Now all of the users cannot connect to Stripe Connect.
I figured this might have something to do with SSL, but I did not change any of the Cert or Key, or their configuration.
I am running Apache server with Ubuntu 16.04
Here is the conf file:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/mywebsite.crt
SSLCertificateKeyFile /etc/ssl/private/blablabla.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerName mywebsitel.com
ServerAlias www.mywebsite.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/mywebsite.com/public_html
LogLevel info ssl:warn
ErrorLog /var/www/html/mywebsite.com/logs/error.log
CustomLog /var/www/html/mywebsite.com/logs/access.log combined
Error log showed two errors:
[Mon Oct 15 17:27:35.146054 2018] [ssl:error] [pid 22095] [client 2600:c02:1020:4202::ac10:826a:52934] AH02042: rejecting client initiated renegotiation
[Mon Oct 15 17:29:33.168787 2018] [ssl:error] [pid 21905] [client 64.41.200.106:48000] AH02042: rejecting client initiated renegotiation
Anyone had any idea? This is a critical component to the site and this problem just suddenly occurred!

Tor Hidden Service in Plesk

at first sorry for my bad english.
I am using Plesk 12 on my Ubuntu 14.04 Server. In the past i made Tor hidden services for my Domains simply whit the Apache virtual Host Files. And it Works fine.
But now i am using Plesk and now i dont understand hor to make a Exsiting Site reachable over a Hidden Service.
The Site www.example.com is available an the Host settings are :
<VirtualHost 85.214.50.74:7080 >
ServerName "example.com:80"
ServerAlias "www.example.com"
ServerAlias "ipv4.example.com"
ServerAdmin "admin#example.com"
.....
Now i added a second Virtual host :
<VirtualHost 85.214.50.74:8081 >
ServerName "xxxxxxxxxxxxxxxx.onion:80"
ServerAlias "xxxxxxxxxxxxxxxx.onion"
ServerAdmin "admin#xxxxxxxxxxxxxxxx.onion"
......
In the Torrc the Hidden service ist Corret and it generated a kex and a hostname. But if i reload Apache and Nginx and restart Tor, i cant reach the Hidden service.

You shouldn't add the onion site as a virtual host. Apache doesn't serve the requests to the .onion site directly.
Instead, edit your torrc file and add something like:
HiddenServiceDir /var/lib/tor/example.com
HiddenServicePort 8081 127.0.0.1:80
This runs a hidden service on port 8081 that proxies to port 80 on the local host. When you first start Tor it will generate all the keys and the onion address for your site which you can find in /var/lib/tor/example.com/hostname
If you have multiple virtual hosts, you might need to change the HiddenServicePort to use the hostname (or serveralias), but make sure it resolves locally so you're proxying to the local machine.

Is it possible to install rApache on tomcat 6.0?

I've followed all over the instruction provided in the below website.
rApache.net.
mod_R.so is installed and I've configured below things in the sites-enabled folder.
#rApacheInfo
<Location /RApacheInfo>
SetHandler r-info
</Location>
#brew function
<Directory /var/www/brew>
SetHandler r-script
RHandler sys.source
</Directory>
<Directory /var/www/brew>
SetHandler r-script
RHandler brew::brew
DefaultType html
</Directory>
But if i go to localhost:8080/RApacheInfo I get the error HTTP Status 404 - /RApacheInfo.
localhost:8080 gives me apache tomcat welcome note.
As I checked the differed between apache and tomcat from this post. Now I have a doubt whether we'll be able to install it or not.
Please help.

Errr no. Apache tomcat is a server which acts as a container for Java-based 'servlets'. Apache http server is a general server for http requests. What you have listening on port 8080 must be tomcat since you get the tomcat error page.
rApache is specifically a handler for the apache http server. Normally apache http server just sends back a file when a request for /foo.html comes in, but it can be configured to run a program via a handler, which is what rApache is.
You can run apache http server AND tomcat on the same machine, they just have to be listening on different ports. If you try and run them on the same port the second one won't start.
By default apache http server listens on port 80, so if you are running it as root then going to http://localhost/ will get a response if it is running.

Web sites associated with the same IP address

How does a web server recognize which URL to serve when there are multiple web sites (hostnames) associated with the same IP address?

With the Apache web server, a set of virtualhosts is defined that contain parameters to match a request to a directory. Using a basic, default set up for an Ubuntu web server, you would have a file in the /etc/apache2/sites-enabled directory like this:
<VirtualHost>
ServerName example.com
DocumentRoot /var/www/example.com/httpdocs
</VirtualHost>
This tells apache that all requests to example.com that arrive at this machine should be routed to the /var/www/example.com/httpdocs folder. Another entry to example.org could point it to a different folder.
Also relevant is the /etc/hosts file and the apache a2ensite command.

This is done in apache by using NameVirtualHost
You first declare what IP and port in httpd.conf to use like:
NameVirtualHost 127.0.0.1:80
Then in your virtual host block, you do:
<VirtualHost 127.0.0.1:80>
ServerName your_domain
DocumentRoot path_to_your_app
....
</VirtualHost>
This will allow you to have multiple hosts on one IP. But be warned that if you access the IP directly, it will direct the request to the first virtual host.

Through the use of virtual hosts.
This is an example configuration from nginx
http {
index index.html;
server {
server_name www.domain1.com;
access_log logs/domain1.access.log main;
root /var/www/domain1.com/htdocs;
}
server {
server_name www.domain2.com;
access_log logs/domain2.access.log main;
root /var/www/domain2.com/htdocs;
}
}
Essentially, when a user requests a resource the server checks the host field of the request and responds accordingly.

HTTP 1.1 defines a header called the "Host" header.
Before Apache or any other server sees the request, the client browser creates the http 1.1 request headers and sends the request to the server you are asking for your browser to contact.
Once the request hits apache the server looks at the Host header portion of the HTTP request headers. You can observe this by using wireshark, liveHttpHeaders, HTTPfox or whatever http dissecting/packet capturing tool you like. The host header in HTTP 1.1 (Host: header is not defined for HTTP 1.0 or 0.9) is formatted as follows:
Host: www.example.com\r\n
When apache looks at this header it parses it and goes through the existing VirtualHosts table that is used for mapping matching host headers to directories or actions defined.
That is to say if you had a NameVirtualHost for www.example.com that points to /some/path/example.com/
NameVirtualhost stuff here
<VirtualHost 127.0.0.1:80>
ServerName www.example.com
DocumentRoot /some/path/example.com
....
</VirtualHost>
your apache would take the following request:
GET /index.html HTTP/1.1\r\n <-- version is a key part
Connection: close\r\n
Host: www.example.com\r\n <-- key part
Accept: blah\r\n
Another: blah\r\n
read the wiki page for more on header format.
Apache would see that the host header contains www.example.com and serve up the file
/some/path/example.com/index.html because that directory and filename matches the requested resource and it is the directory that is to be used for serving requests with the host header containing www.example.com.
That is how it works.

Depends on the type of server. Apache uses a .htaccess file and you could also configure virtual hosts. If you're trying to do something specific, you may want to edit your question to include exactly what you're looking for and what software you're using to host.