Redirect non-SSL requests to SSL mode?

#1 Wed, 12/13/2017 - 05:38
toofastdad

Redirect non-SSL requests to SSL mode?

After selecting the option "Redirect non-SSL requests to SSL mode?" in Webmin/Usermin Configuration, shouldn't it change http://toofastdad.com to https://toofastdad.com?

TIA

Mon, 12/18/2017 - 00:37
Matth

Hello toofastdad,

This option acts on your Webmin admin page, not on the website you are hosting. So basically it changes http://toofastdad.com:10000 to https://toofastdad.com:10000.

If you want to do that for your website, you need to add this redirect to your virtual host:

  1. Editing your Apache config:
     RedirectMatch ^/(?!.well-known)(.*)$ https://toofastdad.com/$1
  2. Using the interface (Authentic theme), it's in the redirect options:
     Services > Configure website > Aliases and redirect
     Source URL path > ^/(?!.well-known)
     Destination URL at other website > https://toofastdad.com/$1
     Enable redirect for > Non-SSL website

Finally, the reason why the .well-known folder is excluded from the redirection is to be able to request a certificate using Let's Encrypt; if you don't need it, you can adapt the Source URL path to your needs.

Kind regards,

Matth

Mon, 12/18/2017 - 16:45 (Reply to #2)
toofastdad

Thanks Matth, I followed your instructions — please view screen captures https://drive.google.com/open?id=15iJ18wXVdCXLReFfIjGbygaBTzV7-AVe.

When I type in the URL toofastdad.com, it isn't https://toofastdad.com.

I'm wondering if I put the code in the wrong places, or I missed a step.

Thanks... Colin

colin

Mon, 12/18/2017 - 18:56
Matth

Hello Colin,

The RedirectMatch ^/(?!.well-known)(.*)$ https://toofastdad.com/$1 goes in the Regex URL redirect in "Aliases and redirects".
Also, when you "Edit Website Redirect", check "Include sub-path in Redirect".
Finally, in "Server Configuration > Manage SSL Certificate", do you see your Let's Encrypt certificate in the "Current Certificate" tab?

Matth

Tue, 12/19/2017 - 17:17
toofastdad

Hi Matth,

I made the changes listed above and encrypted the Current Certificate and selected Only Update Renewal. However, when I type in the browser http://toofastdad.com/ I get 403 Forbidden and when I type in https://toofastdad.com/ it goes to the web page. I've looked around but don't see where I am going wrong :(

Thanks... C

colin

Tue, 12/19/2017 - 19:32
Matth

Hello Colin,

You probably have an issue with the redirect in your Apache config. Could you show how your config looks? You can post it here by using the <code> tag.
See "More information about text formats" if you have syntax issues.

Thanks

Matth

Wed, 12/20/2017 - 00:10
toofastdad

Here's the code

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch. 
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin root@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

#
# Relax access to content within /var/www.
#
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig /etc/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default.  To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    #
    # The mod_mime_magic module allows the server to use various hints from the
    # contents of the file itself to determine its type.  The MIMEMagicFile
    # directive tells the module where the hint definitions are located.
    #
    MIMEMagicFile conf/magic
</IfModule>

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
ServerTokens Minimal
ServerSignature Off
TraceEnable Off
<VirtualHost 208.79.218.197:80 [2605:6f00:9000::100:8dc3]:80>
SuexecUserGroup "#1000" "#1000"
ServerName toofastdad.com
ServerAlias www.toofastdad.com
ServerAlias webmail.toofastdad.com
ServerAlias admin.toofastdad.com
ServerAlias autoconfig.toofastdad.com
ServerAlias autodiscover.toofastdad.com
DocumentRoot /home/toofastdad/public_html
ErrorLog /var/log/virtualmin/toofastdad.com_error_log
CustomLog /var/log/virtualmin/toofastdad.com_access_log combined
ScriptAlias /cgi-bin/ /home/toofastdad/cgi-bin/
ScriptAlias /AutoDiscover/AutoDiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
ScriptAlias /Autodiscover/Autodiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
ScriptAlias /autodiscover/autodiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/toofastdad/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php7.0
FCGIWrapper /home/toofastdad/fcgi-bin/php7.0.fcgi .php
FCGIWrapper /home/toofastdad/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/toofastdad/fcgi-bin/php7.0.fcgi .php7.0
</Directory>
<Directory /home/toofastdad/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.toofastdad.com
RewriteRule ^(.*) https://toofastdad.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.toofastdad.com
RewriteRule ^(.*) https://toofastdad.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.0
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
Alias /dav "/home/toofastdad/public_html"
ProxyPass /dav/ !
ProxyPassReverse /dav/ !
<Location /dav>
DAV on
AuthType Basic
AuthName "toofastdad.com"
AuthUserFile /home/toofastdad/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.0
RewriteEngine off
</Location>
<Proxy *>
allow from all
</Proxy>
Redirect /mail/config-v1.1.xml "/cgi-bin/autoconfig.cgi"
php_value memory_limit 32M
php_value suhosin.session.encrypt Off
IPCCommTimeout 41
RedirectMatch /.well-known/autoconfig/mail/config-v1.1.xml(.*)$ "/cgi-bin/autoconfig.cgi"
RedirectMatch ^/(?!.well-known) "https://toofastdad.com/$1"
</VirtualHost>
<VirtualHost 208.79.218.197:443 [2605:6f00:9000::100:8dc3]:443>
SuexecUserGroup "#1000" "#1000"
ServerName toofastdad.com
ServerAlias www.toofastdad.com
ServerAlias webmail.toofastdad.com
ServerAlias admin.toofastdad.com
ServerAlias autoconfig.toofastdad.com
ServerAlias autodiscover.toofastdad.com
DocumentRoot /home/toofastdad/public_html
ErrorLog /var/log/virtualmin/toofastdad.com_error_log
CustomLog /var/log/virtualmin/toofastdad.com_access_log combined
ScriptAlias /cgi-bin/ /home/toofastdad/cgi-bin/
ScriptAlias /AutoDiscover/AutoDiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
ScriptAlias /Autodiscover/Autodiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
ScriptAlias /autodiscover/autodiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/toofastdad/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php7.0
FCGIWrapper /home/toofastdad/fcgi-bin/php7.0.fcgi .php
FCGIWrapper /home/toofastdad/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/toofastdad/fcgi-bin/php7.0.fcgi .php7.0
</Directory>
<Directory /home/toofastdad/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.toofastdad.com
RewriteRule ^(.*) https://toofastdad.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.toofastdad.com
RewriteRule ^(.*) https://toofastdad.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.0
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
SSLEngine on
SSLCertificateFile /home/toofastdad/ssl.cert
SSLCertificateKeyFile /home/toofastdad/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Alias /dav /home/toofastdad/public_html
ProxyPass /dav/ !
ProxyPassReverse /dav/ !
<Location /dav>
DAV on
AuthType Basic
AuthName "toofastdad.com"
AuthUserFile /home/toofastdad/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.0
RewriteEngine off
</Location>
<Proxy *>
allow from all
</Proxy>
Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
SSLCACertificateFile /home/toofastdad/ssl.ca
php_value memory_limit 32M
php_value suhosin.session.encrypt Off
IPCCommTimeout 41
RedirectMatch /.well-known/autoconfig/mail/config-v1.1.xml(.*)$ /cgi-bin/autoconfig.cgi
</VirtualHost>
SSLProtocol +TLSv1.2

colin

Wed, 12/20/2017 - 00:25
Matth

Hello colin,

It seems your redirect is not correct, you have
RedirectMatch ^/(?!.well-known) "https://toofastdad.com/$1"
you should have
RedirectMatch ^/(?!.well-known)(.*)$ https://toofastdad.com/$1

EDIT: I just noticed I have this in my config as well; you may have to add it at the same place.

<Directory /home/toofastdad/public_html>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://toofastdad.com/$1 [R,L]
</Directory>

Matth
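To show why the line as posted fails and what Matth's `(.*)$` fix and the `.well-known` exclusion from his first reply actually do, here is an added Python model of Apache's RedirectMatch substitution; it is not code from the thread, Virtualmin or Apache, and the `escaped_dot` variant and the sample paths are my own assumptions. It also checks a caveat the thread does not mention: with the dot unescaped, `.well-known` also matches look-alike names such as `xwell-known`, so those paths stay on plain HTTP.

```python
import re

# RedirectMatch rules from the thread: the line as posted (no capture group) and
# Matth's corrected line. "escaped_dot" is an added variant (assumption: the
# intent is to exempt only the literal /.well-known/ prefix used by Let's Encrypt).
RULES = {
    "posted_broken": (r"^/(?!.well-known)", "https://toofastdad.com/$1"),
    "matth_fix":     (r"^/(?!.well-known)(.*)$", "https://toofastdad.com/$1"),
    "escaped_dot":   (r"^/(?!\.well-known/)(.*)$", "https://toofastdad.com/$1"),
}

# Constructed request paths: site root, a page, an ACME challenge, and a
# look-alike directory that differs from .well-known only in its first character.
SAMPLE_PATHS = [
    "/",
    "/index.php",
    "/.well-known/acme-challenge/TOKEN-PLACEHOLDER",
    "/xwell-known/notes.txt",
]


def apply_redirectmatch(pattern, target, path):
    """Model one RedirectMatch rule (Python re stands in for Apache's PCRE).

    Returns the Location the client would be sent to, None when the pattern does
    not match (the request is served locally), and raises ValueError when the
    target uses $N but the pattern defines no group N, as in the posted line."""
    m = re.search(pattern, path)
    if m is None:
        return None

    def backref(ref):
        n = int(ref.group(1))
        if n > m.re.groups:
            raise ValueError(f"${n} refers to a group the pattern does not define")
        return m.group(n) or ""

    return re.sub(r"\$(\d)", backref, target)


def evaluate(rule_name, paths=SAMPLE_PATHS):
    """Run one named rule over all sample paths; errors become 'ERROR: ...' strings."""
    pattern, target = RULES[rule_name]
    outcome = {}
    for path in paths:
        try:
            outcome[path] = apply_redirectmatch(pattern, target, path)
        except ValueError as exc:
            outcome[path] = f"ERROR: {exc}"
    return outcome


if __name__ == "__main__":
    for name, (pattern, _) in RULES.items():
        print(f"== {name}: {pattern}")
        for path, result in evaluate(name).items():
            print(f"  {path:45} -> {'served locally' if result is None else result}")
```

Run it to see each rule's decision per path side by side; the ACME challenge path must come back as "served locally" under every rule, or Let's Encrypt validation over HTTP will break.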

Wed, 12/20/2017 - 06:28
toofastdad

Hi Matt, I added the changes above and it still is not working. It is odd that the quotes appeared around the code that I pasted in; I looked back at the previous screen capture that I'd posted and they were not in then — a mystery.

I've supplied the new config code below. The new code snippets that I added, are they in the correct place in the config file?

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch. 
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin root@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

#
# Relax access to content within /var/www.
#
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig /etc/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default.  To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    #
    # The mod_mime_magic module allows the server to use various hints from the
    # contents of the file itself to determine its type.  The MIMEMagicFile
    # directive tells the module where the hint definitions are located.
    #
    MIMEMagicFile conf/magic
</IfModule>

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
ServerTokens Minimal
ServerSignature Off
TraceEnable Off
<VirtualHost 208.79.218.197:80 [2605:6f00:9000::100:8dc3]:80>
SuexecUserGroup "#1000" "#1000"
ServerName toofastdad.com
ServerAlias www.toofastdad.com
ServerAlias webmail.toofastdad.com
ServerAlias admin.toofastdad.com
ServerAlias autoconfig.toofastdad.com
ServerAlias autodiscover.toofastdad.com
DocumentRoot /home/toofastdad/public_html
ErrorLog /var/log/virtualmin/toofastdad.com_error_log
CustomLog /var/log/virtualmin/toofastdad.com_access_log combined
ScriptAlias /cgi-bin/ /home/toofastdad/cgi-bin/
ScriptAlias /AutoDiscover/AutoDiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
ScriptAlias /Autodiscover/Autodiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
ScriptAlias /autodiscover/autodiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/toofastdad/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php7.0
FCGIWrapper /home/toofastdad/fcgi-bin/php7.0.fcgi .php
FCGIWrapper /home/toofastdad/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/toofastdad/fcgi-bin/php7.0.fcgi .php7.0
</Directory>
<Directory /home/toofastdad/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.toofastdad.com
RewriteRule ^(.*) https://toofastdad.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.toofastdad.com
RewriteRule ^(.*) https://toofastdad.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.0
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
Alias /dav "/home/toofastdad/public_html"
ProxyPass /dav/ !
ProxyPassReverse /dav/ !
<Location /dav>
DAV on
AuthType Basic
AuthName "toofastdad.com"
AuthUserFile /home/toofastdad/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.0
RewriteEngine off
</Location>
<Proxy *>
allow from all
</Proxy>
Redirect /mail/config-v1.1.xml "/cgi-bin/autoconfig.cgi"
php_value memory_limit 32M
php_value suhosin.session.encrypt Off
IPCCommTimeout 41
RedirectMatch /.well-known/autoconfig/mail/config-v1.1.xml(.*)$ "/cgi-bin/autoconfig.cgi"
RedirectMatch ^/(?!.well-known)(.*)$ https://toofastdad.com/$1
</VirtualHost>
<Directory /home/toofastdad/public_html>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://toofastdad.com/$1 [R,L]
</Directory>
<VirtualHost 208.79.218.197:443 [2605:6f00:9000::100:8dc3]:443>
SuexecUserGroup "#1000" "#1000"
ServerName toofastdad.com
ServerAlias www.toofastdad.com
ServerAlias webmail.toofastdad.com
ServerAlias admin.toofastdad.com
ServerAlias autoconfig.toofastdad.com
ServerAlias autodiscover.toofastdad.com
DocumentRoot /home/toofastdad/public_html
ErrorLog /var/log/virtualmin/toofastdad.com_error_log
CustomLog /var/log/virtualmin/toofastdad.com_access_log combined
ScriptAlias /cgi-bin/ /home/toofastdad/cgi-bin/
ScriptAlias /AutoDiscover/AutoDiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
ScriptAlias /Autodiscover/Autodiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
ScriptAlias /autodiscover/autodiscover.xml /home/toofastdad/cgi-bin/autoconfig.cgi
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/toofastdad/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php7.0
FCGIWrapper /home/toofastdad/fcgi-bin/php7.0.fcgi .php
FCGIWrapper /home/toofastdad/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/toofastdad/fcgi-bin/php7.0.fcgi .php7.0
</Directory>
<Directory /home/toofastdad/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.toofastdad.com
RewriteRule ^(.*) https://toofastdad.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.toofastdad.com
RewriteRule ^(.*) https://toofastdad.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.0
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
SSLEngine on
SSLCertificateFile /home/toofastdad/ssl.cert
SSLCertificateKeyFile /home/toofastdad/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Alias /dav /home/toofastdad/public_html
ProxyPass /dav/ !
ProxyPassReverse /dav/ !
<Location /dav>
DAV on
AuthType Basic
AuthName "toofastdad.com"
AuthUserFile /home/toofastdad/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.0
RewriteEngine off
</Location>
<Proxy *>
allow from all
</Proxy>
Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
SSLCACertificateFile /home/toofastdad/ssl.ca
php_value memory_limit 32M
php_value suhosin.session.encrypt Off
IPCCommTimeout 41
RedirectMatch /.well-known/autoconfig/mail/config-v1.1.xml(.*)$ /cgi-bin/autoconfig.cgi
</VirtualHost>
SSLProtocol +TLSv1.2

colin

Wed, 12/20/2017 - 18:14
toofastdad

I have spent some time looking at the config file to see if I can make any sense of it. Are the code snippets that I have placed in the file in the correct places? Here is the error log:

[Wed Dec 20 19:30:02.028319 2017] [authz_core:error] [pid 27339] [client 208.79.218.197:39446] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 19:35:02.447563 2017] [authz_core:error] [pid 13303] [client 208.79.218.197:39464] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 19:40:02.661033 2017] [authz_core:error] [pid 27338] [client 208.79.218.197:39482] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 19:45:02.740771 2017] [authz_core:error] [pid 27339] [client 208.79.218.197:39500] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 19:50:03.286069 2017] [authz_core:error] [pid 13303] [client 208.79.218.197:39518] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 19:53:57.493461 2017] [authz_core:error] [pid 27363] [client 142.68.135.36:52388] AH01630: client denied by server configuration: /etc/httpd/https:, referer: http://toofastdad.com/
[Wed Dec 20 19:53:57.493498 2017] [authz_core:error] [pid 8745] [client 142.68.135.36:52387] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 19:55:02.181508 2017] [authz_core:error] [pid 4457] [client 208.79.218.197:39536] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 19:55:48.930629 2017] [authz_core:error] [pid 13303] [client 142.68.135.36:52480] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 19:55:48.931093 2017] [authz_core:error] [pid 29825] [client 142.68.135.36:52481] AH01630: client denied by server configuration: /etc/httpd/https:, referer: http://toofastdad.com/
[Wed Dec 20 20:00:02.375049 2017] [authz_core:error] [pid 4457] [client 208.79.218.197:39554] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 20:05:02.507154 2017] [authz_core:error] [pid 13303] [client 208.79.218.197:39572] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 20:10:02.595827 2017] [authz_core:error] [pid 29825] [client 208.79.218.197:39594] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 20:13:54.616017 2017] [authz_core:error] [pid 27338] [client 142.68.135.36:52732] AH01630: client denied by server configuration: /etc/httpd/https:, referer: http://toofastdad.com/
[Wed Dec 20 20:13:54.616017 2017] [authz_core:error] [pid 27339] [client 142.68.135.36:52731] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 20:14:07.773112 2017] [authz_core:error] [pid 8745] [client 142.68.135.36:52760] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 20:14:07.773112 2017] [authz_core:error] [pid 27363] [client 142.68.135.36:52761] AH01630: client denied by server configuration: /etc/httpd/https:, referer: http://toofastdad.com/
[Wed Dec 20 20:14:12.702338 2017] [authz_core:error] [pid 27363] [client 142.68.135.36:52761] AH01630: client denied by server configuration: /etc/httpd/https:
[Wed Dec 20 20:14:12.733383 2017] [authz_core:error] [pid 4454] [client 142.68.135.36:52771] AH01630: client denied by server configuration: /etc/httpd/https:, referer: http://toofastdad.com/
[Wed Dec 20 20:15:02.979917 2017] [authz_core:error] [pid 8747] [client 208.79.218.197:39612] AH01630: client denied by server configuration: /etc/httpd/https:

Thanks for your patience :)

colin

Wed, 12/20/2017 - 22:37
Matth
Matth's picture

Hello Colin,

If you look up in your config, you already have a section
<Directory /home/toofastdad/public_html>
Then within this section you can put the lines below

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://toofastdad.com/$1 [R,L]

Once done, hit the save config button in the top right corner or restart the Apache service.

Matth

Thu, 12/21/2017 - 05:55
toofastdad

Hi Matth... you are the champion — it works :)

Thank you very much for helping me with SSL and the config file. I learned a lot about an area that I am not familiar with. I will take some time to study the file and try to dig a little deeper into using Virtualmin/Webmin. I really appreciate your knowledge and your patience in helping tweak my server. I think I am now ready to start designing and building a couple of sites that will be hosted on sub-servers of toofastdad.com

Once again — thank you.

colin

Thu, 01/04/2018 - 01:28
stom
stom's picture

There's a way to do this without having to edit config files.

  • Under VirtualMin tab select your domain.
  • Go to Services -> Configure Website (NOT Configure Website for SSL)
  • Go to Aliases & Redirects
  • In the "Permanent URL redirects" fields set "From" to: / and set "To" to: https://www.your-domain.com/
  • Click Save
  • Click the Reload symbol at the top right to apply the changes in Apache.

Job done! I hope this helps.

Thu, 01/04/2018 - 02:05 (Reply to #13)
Matth
Matth's picture

Effectively this is working, until you have to renew your Let's Encrypt (LE) certificate (every 2 months roughly).
Doing so, you redirect all folders to the https address, but LE requires access to your website in http only; that's why you have to exclude .well-known from the redirection, so you can access your website using https and LE will access .well-known in http only.

Matth
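As an added example (not code from the thread or from Virtualmin), the Python below emulates the three HTTP-to-HTTPS redirect approaches discussed in this thread (Matth's RedirectMatch with the .well-known exclusion, the RewriteCond %{SERVER_PORT} rule given to Colin, and stom's whole-site redirect) against constructed request paths, so you can check which paths each one leaves reachable over plain HTTP. The host name is the thread's; the sample paths, the tightened pattern and the per-directory simplification are assumptions.

```python
import re

# Added example, not code from the thread or from Virtualmin: emulate the three
# HTTP->HTTPS redirect approaches discussed above against constructed request
# paths, to see which paths each one leaves reachable over plain HTTP.
HOST = "toofastdad.com"  # host name used throughout the thread

# Matth's mod_alias rule, pattern copied verbatim from the thread:
#   RedirectMatch ^/(?!.well-known)(.*)$ https://toofastdad.com/$1
REDIRECTMATCH_AS_POSTED = re.compile(r"^/(?!.well-known)(.*)$")
# Same intent with the dot escaped so only a literal "/.well-known/" prefix is
# exempted (a constructed tightening, not from the thread).
REDIRECTMATCH_TIGHTENED = re.compile(r"^/(?!\.well-known/)(.*)$")

def redirectmatch_target(path, pattern=REDIRECTMATCH_AS_POSTED):
    """Redirect URL mod_alias would issue, or None if the path falls outside
    the pattern and is served over plain HTTP unchanged."""
    m = pattern.match(path)
    return None if m is None else f"https://{HOST}/{m.group(1)}"

def rewrite_port80_target(path, server_port, cond=r"80"):
    """Emulate the per-directory rule from later in the thread:
         RewriteCond %{SERVER_PORT} 80
         RewriteRule ^(.*)$ https://toofastdad.com/$1 [R,L]
    RewriteCond treats its argument as a regex, so the posted '80' also
    matches 8080; pass cond=r'^80$' for an exact match. Assumption: in
    <Directory> context $1 is the path relative to the directory, i.e. the
    URL path minus its leading slash for requests under DocumentRoot."""
    if re.search(cond, str(server_port)) is None:
        return None
    return f"https://{HOST}/{path.lstrip('/')}"

def redirect_prefix_target(path, prefix="/", dest=f"https://www.{HOST}/"):
    """Emulate stom's UI setting, i.e. mod_alias 'Redirect permanent / dest':
    a plain prefix match, so every path under the prefix is redirected."""
    if not path.startswith(prefix):
        return None
    return dest.rstrip("/") + "/" + path[len(prefix):]

SAMPLE_PATHS = [  # constructed sample requests
    "/", "/index.html", "/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
    "/Xwell-known/private.txt",  # 'X' not '.', yet exempted by the posted regex
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:48} RedirectMatch -> {redirectmatch_target(p)}")
        print(f"{'':48} port-80 rule  -> {rewrite_port80_target(p, 80)}")
        print(f"{'':48} Redirect /    -> {redirect_prefix_target(p)}")
```

Running it shows that only the RedirectMatch variants leave the ACME challenge path unredirected on port 80, and that the unescaped dot in the posted pattern also exempts any "/Xwell-known/..." path.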

Thu, 01/04/2018 - 02:08
stom
stom's picture

I have been able to successfully renew my certificates with these redirections in place. I assumed Virtualmin temporarily disabled them?

Thu, 01/04/2018 - 19:05
Matth
Matth's picture

Hmm, I don't think so, Virtualmin does lots of stuff for you but not that much. Can you confirm you have cleaned up the redirect you had manually added to your Apache config file? As soon as I have time I'll give it a try to see what it does.

Matth

Thu, 01/04/2018 - 19:17 (Reply to #16)
toofastdad

Hi Matth... this was already working for me — I replied to your earlier response and your suggestions worked; you are now responding to someone else who commented in this post.

Thanks... Colin

colin

Fri, 01/05/2018 - 23:04 (Reply to #17)
Matth
Matth's picture

Sorry Colin, I didn't realize it was someone else.

Matth

Thu, 01/04/2018 - 22:34
stom
stom's picture

Apologies for the confusion, I was sure I had successfully renewed certificates with the redirects I mentioned in place, but I guess I was mistaken. Sorry, I have bookmarked your advice for future reference myself!

Fri, 01/05/2018 - 23:05 (Reply to #19)
Matth
Matth's picture

Good news, thanks for confirming

Matth

Sun, 02/10/2019 - 05:58
shillongserver

@Matth

LE requires access to your website in http only; that's why you have to exclude .well-known from the redirection, so you can access your website using https and LE will access .well-known in http only.

I have just installed Virtualmin successfully on my CentOS 7 server, added an LE certificate to my virtual servers and successfully redirected all http requests to https. How do I let LE access the .well-known folder over http after 2 months, as you mentioned above?


Mon, 02/11/2019 - 18:27 (Reply to #21)
stom
stom's picture

I think that's covered in the second part of Matth's instructions in post #2 of this thread?

Topic locked