Re: [vhffs] support HTTPS
Hi Sylvain; thanks a lot for the configs. We have roughly the same thing on nginx (less complex, obviously). For RPAF we have this:

# cat /etc/apache2/mods-enabled/rpaf.conf

When RPAF_SetPort is On, apache makes the applications believe the port is always 443, even when the request comes in over HTTP. Conversely, when it is Off, it always says 80, even over HTTPS. As a result some applications fall flat and generate URLs like:

https://monsite.org:80/blabla or http://monsite.org:443/blabla

In short, I tried sending it every header imaginable, nothing doing. If you haven't run into this problem, never mind, I'll keep looking... maybe with a more recent version of apache.

Thanks again!

Laurent.

On 06/04/2016 18:11, Sylvain Rochet wrote:
Hi Laurent,

On Wed, Apr 06, 2016 at 03:57:18PM +0200, Laurent Stella wrote:
> Hi Sylvain; (yes, I know, that's a lot of emails, I'm doing a fair amount
> of infra work at the moment). I've got some hassles with certain PHP
> applications that sometimes struggle to figure out whether they are on
> HTTPS or HTTP, port 80 or 443... We did add the headers on the nginx side
> and used the RPAF module on apache, but it's a bit of a mess depending on
> the case. What solution did you use at tuxfamily?

We use RPAF too. Nothing really special otherwise.

> If it's the same, could you copy me some config extracts please?

Yep, here you go:

-- nginx --

# cat /etc/nginx/sites-enabled/tuxfamily

server_names_hash_max_size 32768;
client_max_body_size 0;

server {
    listen 8080;
    listen [::]:8080 ipv6only=on;

    location /.well-known/acme-challenge/ {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://192.168.1.30:80;
    }

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:80;
    }
}

server {
    listen 8081 ssl;
    # We can't use ipv6only=on in snippets, it warns about duplicated
    # option, duplicate the snippet here
    listen [::]:8081 ssl ipv6only=on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # enables server-side protection from BEAST attacks
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;

    # disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS
    # http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # ssl ciphers list generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/private/dhparam.pem;

    location /.well-known/acme-challenge/ {
        return 404;
    }

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass https://127.0.0.1:443;
    }

    ssl_certificate /etc/ssl/certs/tuxfamily.org.fullchain;
    ssl_certificate_key /etc/ssl/private/tuxfamily.org.key;
}

include /data/tls/conf/nginx-tls-proxy.conf;

# cat /etc/nginx/snippets/ssl-proxy.conf

listen 8081 ssl;
listen [::]:8081 ssl;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;

# disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS
# http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# ssl ciphers list generated by https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/private/dhparam.pem;

location /.well-known/acme-challenge/ {
    return 404;
}

location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass https://127.0.0.1:443;
}

# head /data/tls/conf/nginx-tls-proxy.conf

server {
    server_name blog.libre.cc;
    ssl_certificate /data/tls/e/ba/1b96d9140085e476516eb93dee459/fullchain.pem;
    ssl_certificate_key /data/tls/e/ba/1b96d9140085e476516eb93dee459/privkey.pem;
    include snippets/ssl-proxy.conf;
}

server {
    server_name blog.lolica.org;
    ssl_certificate /data/tls/0/ec/c09da993dfe3721c7cd76062e01c9/fullchain.pem;
    ssl_certificate_key /data/tls/0/ec/c09da993dfe3721c7cd76062e01c9/privkey.pem;
    include snippets/ssl-proxy.conf;
}

-- apache --

# cat /etc/apache2/sites-enabled/tuxfamily

ServerTokens Prod

HashType md5
HashEncoding hexa
HashSplit 2
HashLimit 6
HashDocumentRootSuffix htdocs
HashAddAliasPrefix www

#CoreDumpDirectory /tmp2

<VirtualHost *:80>
    ServerAdmin modo@xxxxxxxxxxxxxxxxxxx
    DocumentRoot /data/web
    HashEnable On
    ServerSignature On

    DirectoryIndex index.html index.xhtml index.php index.php5 index.php4 index.php3 index.phtml

    <Directory /data/web/>
        Options -ExecCGI Indexes SymLinksIfOwnerMatch +Includes MultiViews
        IndexIgnore */.quota */.*passw* */.htaccess
        IndexOptions NameWidth=*
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    #ErrorLog /data/logs/web/incoming/${APACHE_HOSTNAME}/error.log
    ErrorLog syslog:local3

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhffs
    #CustomLog /data/logs/web/incoming/${APACHE_HOSTNAME}/vhffs.log vhffs
    CustomLog ||/usr/local/bin/syslogger vhffs

    #RewriteLog /data/logs/web/incoming/${APACHE_HOSTNAME}/rewrite.log
    #RewriteLogLevel 9

    Alias /icons/ "/usr/share/apache2/icons/"
    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin modo@xxxxxxxxxxxxxxxxxxx
    DocumentRoot /data/web
    HashEnable On
    ServerSignature On

    SSLEngine On
    SSLCertificateFile /etc/ssl/public/dummy-web.crt
    SSLCertificateKeyFile /etc/ssl/private/dummy-web.key

    DirectoryIndex index.html index.xhtml index.php index.php5 index.php4 index.php3 index.phtml

    <Directory /data/web/>
        Options -ExecCGI Indexes SymLinksIfOwnerMatch +Includes MultiViews
        IndexIgnore */.quota */.*passw* */.htaccess
        IndexOptions NameWidth=*
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    #ErrorLog /data/logs/web/incoming/${APACHE_HOSTNAME}/error.log
    ErrorLog syslog:local3

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhffs
    #CustomLog /data/logs/web/incoming/${APACHE_HOSTNAME}/vhffs.log vhffs
    CustomLog ||/usr/local/bin/syslogger vhffs

    #RewriteLog /data/logs/web/incoming/${APACHE_HOSTNAME}/rewrite.log
    #RewriteLogLevel 9

    Alias /icons/ "/usr/share/apache2/icons/"
    <Directory "/usr/share/apache2/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

-- IPVS --

# cat /etc/ldirectord.cf

# Global Directives
checktimeout=20
checkinterval=3
autoreload=yes
logfile="/var/log/ldirectord.log"
#logfile="local0"
quiescent=no

# --- HTTP ---
virtual=212.85.158.4:80
    real=192.168.1.70:8080 masq 1000
    real=192.168.1.71:8080 masq 1000
    real=192.168.1.72:8080 masq 1000
    real=192.168.1.73:8080 masq 1000
    service=http
    virtualhost=hack.tuxfamily.org
    request="/ldirectordcheck.php"
    receive="ok"
    scheduler=wlc
    protocol=tcp
    checktype=negotiate
    persistent=30

virtual6=[2a02:2178:1000:201::4]:80
    real6=[2a02:2178:1000:200::70]:8080 masq 1000
    real6=[2a02:2178:1000:200::71]:8080 masq 1000
    real6=[2a02:2178:1000:200::72]:8080 masq 1000
    real6=[2a02:2178:1000:200::73]:8080 masq 1000
    service=http
    scheduler=wlc
    protocol=tcp
    # ldirectord does not support http check in IPv6
    checktype=connect
    persistent=30

virtual=212.85.158.4:443
    real=192.168.1.70:8081 masq 1000
    real=192.168.1.71:8081 masq 1000
    real=192.168.1.72:8081 masq 1000
    real=192.168.1.73:8081 masq 1000
    service=https
    virtualhost=hack.tuxfamily.org
    request="/ldirectordcheck.php"
    receive="ok"
    scheduler=wlc
    protocol=tcp
    checktype=negotiate
    persistent=30

virtual6=[2a02:2178:1000:201::4]:443
    real6=[2a02:2178:1000:200::70]:8081 masq 1000
    real6=[2a02:2178:1000:200::71]:8081 masq 1000
    real6=[2a02:2178:1000:200::72]:8081 masq 1000
    real6=[2a02:2178:1000:200::73]:8081 masq 1000
    service=https
    scheduler=wlc
    protocol=tcp
    # ldirectord does not support https check in IPv6
    checktype=connect
    persistent=30

Sylvain
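Added example (not part of the thread, and not TuxFamily or vhffs code): a small Python model of what an application, or a proxy-aware module such as mod_rpaf, has to do behind a TLS-terminating nginx to get the scheme, port and client address right. The scheme and port are taken from X-Forwarded-Proto / X-Forwarded-Port and follow each other (so a constant port like the one a fixed RPAF_SetPort setting imposes never appears), and the X-Forwarded-* headers are honoured only when the TCP peer is one of the proxies, the same idea as mod_rpaf's RPAFproxy_ips; otherwise any client could spoof its IP or force "https" on a plain-HTTP request. The function names, the TRUSTED_PROXIES list and the sample requests are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumption for this example: the reverse proxies that terminate TLS and set
# X-Forwarded-*.  Only requests whose TCP peer is in one of these networks get
# their forwarded headers believed (what RPAFproxy_ips does in mod_rpaf).
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("192.168.1.0/24"),
]

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class RequestContext:
    scheme: str
    host: str
    port: int
    client_ip: str


def _is_trusted(peer_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_request(environ: dict, headers: dict) -> RequestContext:
    """Derive scheme, host, port and client IP for one request.

    environ holds what the local web server saw itself (CGI-style
    REMOTE_ADDR, SERVER_PORT, HTTPS); headers holds the HTTP request
    headers, matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer = environ.get("REMOTE_ADDR", "")

    # Start from the local listener's view: this is all an untrusted
    # client can influence.
    scheme = "https" if str(environ.get("HTTPS", "")).lower() in ("on", "1") else "http"
    port = int(environ.get("SERVER_PORT", DEFAULT_PORTS[scheme]))
    host = h.get("host", environ.get("SERVER_NAME", ""))
    client_ip = peer

    if _is_trusted(peer):
        fwd_proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if fwd_proto in DEFAULT_PORTS:
            scheme = fwd_proto
            # The port must follow the forwarded scheme (explicit
            # X-Forwarded-Port if the proxy sends one, else the scheme's
            # default), never a fixed value chosen at configuration time.
            fwd_port = h.get("x-forwarded-port", "").strip()
            port = int(fwd_port) if fwd_port.isdigit() else DEFAULT_PORTS[scheme]
        # nginx above sets X-Forwarded-For to $remote_addr, so the rightmost
        # entry is the one written by the trusted proxy.
        xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
        if xff:
            client_ip = xff[-1]

    # Drop any port carried in the Host header; the port is decided above.
    if host.startswith("["):
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return RequestContext(scheme, host, port, client_ip)


def absolute_url(ctx: RequestContext, path: str) -> str:
    """Build the URL an application should emit for its own pages.

    The port is written only when it is not the default for the scheme, so
    https://host:80/ and http://host:443/ cannot be produced.
    """
    netloc = ctx.host if ctx.port == DEFAULT_PORTS[ctx.scheme] else f"{ctx.host}:{ctx.port}"
    return f"{ctx.scheme}://{netloc}{path}"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    # 1. HTTPS terminated by nginx on 127.0.0.1, forwarded to apache over plain HTTP.
    proxied = resolve_request(
        {"REMOTE_ADDR": "127.0.0.1", "SERVER_PORT": "80", "HTTPS": ""},
        {"Host": "monsite.org", "X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7"},
    )
    print(absolute_url(proxied, "/blabla"), proxied.client_ip)
    # 2. The same headers sent straight from an untrusted client are ignored.
    spoofed = resolve_request(
        {"REMOTE_ADDR": "203.0.113.7", "SERVER_PORT": "80", "HTTPS": ""},
        {"Host": "monsite.org", "X-Forwarded-Proto": "https", "X-Forwarded-For": "10.0.0.1"},
    )
    print(absolute_url(spoofed, "/blabla"), spoofed.client_ip)
```

With Sylvain's setup, nginx proxies the HTTPS listener to https://127.0.0.1:443, so apache already sees HTTPS on port 443 itself and only X-Forwarded-For needs to be trusted; the scheme/port branch in the model matters when the proxy hands HTTPS traffic to the backend over plain HTTP, which is the case where a fixed port setting produces the bad URLs described above.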
Mail converted by MHonArc 2.6.19+ | http://listengine.tuxfamily.org/