Apache HTTP Server
LeonEdel, 2017-06-09 14:44:51

Apache Error 400 When requested via https. How to find the reason?

Hello!
Physical server, Debian, ISPmanager, Apache, PHP as an Apache module.
I recently bought a certificate and installed it via ISPmanager. When you go to my.domain, the site opens and works fine. But when going to https://my.domain, Chrome does not open the site at all, and Mozilla, Safari and others display a 400 error.
MOD_SSL - enabled. ssl.conf content:

<IfModule mod_ssl.c>

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout  300

SSLMutex  file:${APACHE_RUN_DIR}/ssl_mutex

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
SSLInsecureRenegotiation off

# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
SSLStrictSNIVHostCheck off

</IfModule>

apache2.conf:
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#	/etc/apache2/
#	|-- apache2.conf
#	|	`--  ports.conf
#	|-- mods-enabled
#	|	|-- *.load
#	|	`-- *.conf
#	|-- conf.d
#	|	`-- *
# 	`-- sites-enabled
#	 	`-- *

#ServerRoot "/etc/apache2"

LockFile ${APACHE_LOCK_DIR}/accept.lock

PidFile ${APACHE_PID_FILE}

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5

##
## Server-Pool Size Regulation (MPM specific)
## 

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
#              graceful restart. ThreadLimit can only be changed by stopping
#              and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75 
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

<IfModule mpm_event_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75 
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

DefaultType None

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf

# Include list of ports to listen on and which to use for name based vhosts
Include ports.conf

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include generic snippets of statements
Include conf.d/


# Include the virtual host configurations:
Include sites-enabled/
Include vhosts-default/
Include vhosts/

ports.conf:
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
#    Listen 443
</IfModule>

I changed it and the vhosts by adding the IP of the server; it works via http in any case.
vhost content:
<VirtualHost *:80>
  ServerName my.domain
  SSLEngine off
  RequestHeader set X-Forwarded-Proto 'http'
  DocumentRoot /var/www/www-root/data/www/my.domain
  ServerAdmin [email protected]
  AddDefaultCharset UTF-8
  AssignUserID www-root www-root
  CustomLog /var/www/httpd-logs/my.domain.access.log combined
  ErrorLog /var/www/httpd-logs/my.domain.error.log
  <FilesMatch "\.ph(p[3-5]?|tml)$">
    SetHandler application/x-httpd-php
  </FilesMatch>
  ServerName my.domain
  ScriptAlias /cgi-bin/ /var/www/www-root/data/www/my.domain/cgi-bin/
  ScriptAlias /php-bin/ /var/www/php-bin/www-root/
  ServerAlias www.my.domain
  <FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
  </FilesMatch>
  <IfModule php5_module>
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f [email protected]"
    php_admin_value upload_tmp_dir "/var/www/www-root/data/mod-tmp"
    php_admin_value session.save_path "/var/www/www-root/data/mod-tmp"
    php_admin_value open_basedir "none"
  </IfModule>
  <IfModule php7_module>
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f [email protected]"
    php_admin_value upload_tmp_dir "/var/www/www-root/data/mod-tmp"
    php_admin_value session.save_path "/var/www/www-root/data/mod-tmp"
    php_admin_value open_basedir "none"
  </IfModule>
</VirtualHost>
<Directory /var/www/www-root/data/www/my.domain>
  AllowOverride All
  Options +Includes +ExecCGI
  <IfModule php5_module>
    php_admin_flag engine on
  </IfModule>
  <IfModule php7_module>
    php_admin_flag engine on
  </IfModule>
</Directory>
<VirtualHost *:443>
  ServerName my.domain
  RequestHeader set X-Forwarded-Proto 'https'
  RequestHeader set X-Forwarded-Ssl on
  DocumentRoot /var/www/www-root/data/www/my.domain
  ServerAdmin [email protected]
  AddDefaultCharset UTF-8
  SSLEngine on
  SSLCertificateFile "/var/www/httpd-cert/www-root/my.domain.crt"
  SSLCertificateKeyFile "/var/www/httpd-cert/www-root/my.domain.key"
  SSLCertificateChainFile "/var/www/httpd-cert/www-root/my.domain.ca"
  SSLHonorCipherOrder on
  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH 
  AssignUserID www-root www-root
  CustomLog /var/www/httpd-logs/my.domain443.access.log combined
  ErrorLog /var/www/httpd-logs/my.domain443.error.log
  <FilesMatch "\.ph(p[3-5]?|tml)$">
    SetHandler application/x-httpd-php
  </FilesMatch>
  ServerName my.domain
  ScriptAlias /cgi-bin/ /var/www/www-root/data/www/my.domain/cgi-bin/
  CustomLog /var/www/httpd-logs/my.domain.access.log combined
  ErrorLog /var/www/httpd-logs/my.domain.error.log
  ScriptAlias /php-bin/ /var/www/php-bin/www-root/
  ServerAlias www.my.domain
  <FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
  </FilesMatch>
  <IfModule php5_module>
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f [email protected]"
    php_admin_value upload_tmp_dir "/var/www/www-root/data/mod-tmp"
    php_admin_value session.save_path "/var/www/www-root/data/mod-tmp"
    php_admin_value open_basedir "none"
  </IfModule>
  <IfModule php7_module>
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f [email protected]"
    php_admin_value upload_tmp_dir "/var/www/www-root/data/mod-tmp"
    php_admin_value session.save_path "/var/www/www-root/data/mod-tmp"
    php_admin_value open_basedir "none"
  </IfModule>
</VirtualHost>

I ran SSL verification through the sites and everything works; the certificate also works when I go to ISPmanager at my.domain:1500. But through https://my.domain I get error 400, and through https://my.domain:443 too.
Ports 80 and 443 are listened to by Apache.
It seems to be set up correctly, so it seems that, due to my lack of experience in this matter, I'm missing something...
I would be glad for any help)


1 answer(s)
LeonEdel, 2017-06-09
@LeonEdel

Everything works fine; it turned out to be a problem in the framework config, where https connections were prohibited.
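
An added example, not part of the original thread: when tracing a 400 like this one, the first step is knowing which log each vhost really writes to, and the *:443 block in the question declares ErrorLog and CustomLog twice. The Python below uses a hypothetical helper, effective_logs, and a constructed excerpt of that block to report the files Apache ends up using.

```python
import re

# Constructed excerpt: the log-related lines of the *:443 vhost in the question.
SAMPLE_VHOST = """\
<VirtualHost *:443>
  ServerName my.domain
  CustomLog /var/www/httpd-logs/my.domain443.access.log combined
  ErrorLog /var/www/httpd-logs/my.domain443.error.log
  ServerName my.domain
  CustomLog /var/www/httpd-logs/my.domain.access.log combined
  ErrorLog /var/www/httpd-logs/my.domain.error.log
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.I)
LOG_DIRECTIVE = re.compile(r'(ErrorLog|CustomLog)\s+("[^"]+"|\S+)', re.I)


def effective_logs(conf_text):
    """List, per <VirtualHost> block, the log files Apache will really use."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"address": opened.group(1).strip(), "error_log": None,
                       "shadowed": [], "access_logs": []}
            vhosts.append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        elif current is not None:
            found = LOG_DIRECTIVE.match(line)
            if not found:
                continue
            name, path = found.group(1).lower(), found.group(2).strip('"')
            if name == "errorlog":
                # ErrorLog is single-valued per server: the last line wins.
                if current["error_log"] is not None:
                    current["shadowed"].append(current["error_log"])
                current["error_log"] = path
            else:
                # CustomLog is additive: every file named is written to.
                current["access_logs"].append(path)
    return vhosts


if __name__ == "__main__":
    for vhost in effective_logs(SAMPLE_VHOST):
        print(vhost["address"], "errors ->", vhost["error_log"],
              "| overridden:", vhost["shadowed"])
```

For the posted config, HTTPS errors land in my.domain.error.log, mixed with the port-80 vhost's errors, while the access log shows whether the 400 was logged against a normal request line that reached the PHP application.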
