Apache 2.4 SSL Config - Server rejects requests with HTTP 400 [closed]

1

I am having some problems with my Apache 2.4 configuration. Accessing the link always returns this HTTP 400.

Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

I am accessing my site via https directly, so there is no redirect from http to https involved. Below is my Apache configuration. I am aware that I do not check the certificates for validity. At the moment they are only self-signed, but that will change in the future.

##################################################################
###                                                            ###
###   Global Settings                                          ###
###                                                            ###
##################################################################

    DocumentRoot /var/ebc/apache2/www/htdocs
    <Location /fwcheck.html>
        <RequireAll>
            Require all granted
        </RequireAll>
    </Location>

##################################################################
###                                                            ###
###   Global SSL Settings                                      ###
###                                                            ###
##################################################################

    SSLProtocol             ALL -SSLv2 -SSLv3
    SSLProxyProtocol        ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
    SSLCipherSuite          ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
    SSLCompression          off
    SSLSessionTickets       off

    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling                      on
    SSLStaplingResponderTimeout         5
    SSLStaplingReturnResponderErrors    off
    SSLStaplingCache                    shmcb:/var/ebc/apache2/sslstaplingcache(128000)

##################################################################
###                                                            ###
###   Virtual Hosts                                            ###
###                                                            ###
##################################################################

<VirtualHost 10.173.144.43:80>
    ErrorLog /var/ebc/apache2/log/error.log
    CustomLog /var/ebc/apache2/log/access.log vhost_combined

    ##################################################################
    ###                                                            ###
    ###   Send everything to https except firewall check           ###
    ###   vhost config only for port 443 necessary.                ###
    ###   No further config for port 80.                           ###
    ###                                                            ###
    ##################################################################

        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !fwcheck.html
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    ##################################################################
</VirtualHost>

<VirtualHost 10.173.144.43:443>
    ServerName subdomain.my-domain.com
    ErrorLog /var/ebc/apache2/log/error.log
    CustomLog /var/ebc/apache2/log/access.log vhost_combined

    ##################################################################
    ###                                                            ###
    ###   SSL Settings                                             ###
    ###                                                            ###
    ##################################################################

        RequestHeader set ClientProtocol HTTPS
        SSLEngine       On
        SSLProxyEngine  On

        SSLCertificateFile      /var/ebc/apache2/ssl/subdomain.my-domain.com.crt
        SSLCertificateKeyFile   /var/ebc/apache2/ssl/subdomain.my-domain.com.key
        SSLCACertificateFile    /var/ebc/apache2/ssl/subdomain.my-domain.com.crt

        ProxyRequests       off
        ProxyPreserveHost   on

        # Disable certificate checks
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off

        # HSTS (15768000 seconds = 6 months)
        Header always set Strict-Transport-Security "max-age=15768000"

    ##################################################################
    ###                                                            ###
    ###   Locations                                                ###
    ###                                                            ###
    ##################################################################

        DocumentRoot /var/ebc/apache2/www/htdocs/prod

        <Location />
            Options None
            <RequireAll>
                Require all granted
            </RequireAll>
        </Location>

        <Location /web-status>
            <RequireAll>
                Require all denied
            </RequireAll>
        </Location>

        <Location /balancer-manager>
            <RequireAll>
                Require all denied
            </RequireAll>
        </Location>

    ##################################################################
</VirtualHost>

I really have no idea why this does not work. Can someone give me a hint?

    
by Sebastian Sommerfeld 18.01.2016 / 16:57

3 answers

1

The problem is solved. My Apache configuration, as posted above, is correct. The problem was a wrong firewall configuration. Since I did not change the firewall settings myself, I cannot post the actual solution, but as I said, the Apache configuration above works.

    
by 19.01.2016 / 10:12
0

Your connection does not arrive on the interface 10.173.144.43:443, so it is not handled by your VirtualHost. It hits the main server configuration, which does not have SSL enabled.

If you do not care about the local interface, use a * in the VirtualHost.

Maybe your firewall change was made so that incoming requests now use the named interface/IP, but it will break as soon as you test from the command line with localhost.

    
by 02.02.2016 / 23:47
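The address-based VirtualHost selection described in the answer above, as an added example that is not part of the original posts: a small Python model of which server configuration handles a connection accepted on a given local IP and port, and whether SSLEngine is on there. SAMPLE_CONF is a constructed excerpt of the question's configuration, parse_vhosts and select_server are hypothetical helper names, and the model assumes every VirtualHost uses a literal IPv4 or wildcard addr:port.

```python
import ipaddress
import re

# Constructed excerpt: only the directives from the question that matter
# for virtual host selection.
SAMPLE_CONF = """
DocumentRoot /var/ebc/apache2/www/htdocs
<VirtualHost 10.173.144.43:80>
    RewriteEngine On
</VirtualHost>
<VirtualHost 10.173.144.43:443>
    ServerName subdomain.my-domain.com
    SSLEngine       On
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SSL_RE = re.compile(r"^\s*SSLEngine\s+on\s*$", re.I | re.M)


def parse_vhosts(conf):
    """Return (address, port, ssl_enabled) for every VirtualHost address."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        for spec in addrs.split():
            host, _, port = spec.rpartition(":")  # assumes addr:port form
            vhosts.append((host, int(port), bool(SSL_RE.search(body))))
    return vhosts


def select_server(conf, local_ip, local_port):
    """Return (handler, ssl_enabled) for a connection to local_ip:local_port."""
    ip = ipaddress.ip_address(local_ip)
    exact, wildcard = [], []
    for host, port, ssl in parse_vhosts(conf):
        if port != local_port:
            continue
        if host in ("*", "_default_"):
            wildcard.append((f"{host}:{port}", ssl))
        elif ipaddress.ip_address(host) == ip:
            exact.append((f"{host}:{port}", ssl))
    # Exact address matches win over wildcards; the first listed is the default.
    if exact or wildcard:
        return (exact or wildcard)[0]
    # No vhost matched: the main server config handles the connection.
    # SSLEngine is off unless the config outside the vhosts turns it on.
    return ("main server", bool(SSL_RE.search(VHOST_RE.sub("", conf))))
```

Calling select_server with the address a test client actually reaches (for example the loopback address, or the address a firewall rewrites the destination to) shows whether the SSL-enabled vhost is the one that answers.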
-1

Are you trying to access your server via telnet? If so, that will not work properly for secure pages (e.g. https).

You need to use tools designed for this, e.g. the OpenSSL toolset.

Try the following set of commands:

  1. openssl s_client -connect <server>:<port>
  2. GET / HTTP/1.1
by 18.01.2016 / 17:07