On 03 Jul 2021, at 03:20, apache-httpd-us...@thomas.freit.ag wrote:
> On 02.07.21 09:27, @lbutlr wrote:
>> When checking for https HSTS compliance on hstspreload.org I get a warning 
>>> We cannot connect to https://example.net using TLS ("Get 
>>> https://example.net: http: server gave HTTP response to HTTPS client").

> What is in your access logs, can you identify the request and check which 
> virtual hosts served it? You can enable logging of the
> virtual host in the access log or log to dedicated files (see 
> https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats for
> a list of what is available).

The virtualhost blocks I posted are for the virtual host that responds to the 
query, but I didn't check the Apache logs specifically.

The site works, and going to it on http redirects to https as expected, it is 
just this check tool that is complaining.

>> And I do not understand how this can be. The page in question loads as 
>> https with a valid cert and the http query is set to redirect to https
>> <VirtualHost ip.ad.re.ss:443>
>>   ServerName www.example.net
>>   ServerAlias foo.example.net
>>   ServerAlias example.net
>>   DocumentRoot /usr/local/www/example/
>>   DirectoryIndex index.html
>>   ProxyPassMatch ^/(.*\.php)$ fcgi://$1
>>   SSLEngine on
>>   SSLCertificateFile /usr/local/etc/dehydrated/certs/example.net/cert.pem
>>   SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/example.net/privkey.pem
>>   SSLCertificateChainFile /usr/local/etc/dehydrated/certs/example.net/chain.pem
>>   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
>>   SSLHonorCipherOrder on
>>   SSLCipherSuite 
>>   #SSLUseStapling On
>>   Header always set Strict-Transport-Security "max-age=15638400; includeSubdomains;"
>>   Header always set X-Frame-Options DENY
>>   Alias /.well-known/ /usr/local/www/.well-known/
>> </VirtualHost>
>> <VirtualHost *:80>
>>   ServerName www.example.net
>>   ServerAlias foo,example.net
>>   ServerAlias example.net
>>   ServerAlias webmail.example.net
>>   Redirect / https://www.example.net/
>>   Alias /.well-known/ /usr/local/www/.well-known/
>> </VirtualHost>
> I do not see anything obviously wrong here (there is a typo on "ServerAlias 
> foo,example.net" though, assume this is just an example issue).

Oops, yes.

> However, your TLS virtualhost is bound to a fixed IP, your plain HTTP virtual 
> host is bound to all available IPs on the machine.

Yes, that is intentional. Is this wrong?

> My guess would be virtual host mismatch or a DNS specific issue (does 
> example.net resolve to different IPs for different resolvers?)

Nope. It resolves to the IP used in the main VirtualHost block.

> access logs may reveal some more information on that.

I will check, but since everything goes to where it should, I don't think that 
is the issue.

'It is always useful to face an enemy who is prepared to die for his
        country,' he read. 'This means that both you and he have exactly
        the same aim in mind.'
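
An added diagnostic example, not part of the thread and not code from any participant: it sends a TLS ClientHello to port 443 on every address the name resolves to (IPv4 and IPv6) and reports which ones answer in plaintext HTTP, which is the condition the checker's message describes. The function names are hypothetical, and the 16-byte read and 5-second timeout are arbitrary choices.

```python
import socket
import ssl


def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello in memory, with SNI set, without touching the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # handshake is never completed
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello now sits in the outgoing BIO
    return outgoing.read()


def classify_reply(first_bytes: bytes) -> str:
    """Classify the first bytes a server sends back after a ClientHello."""
    if not first_bytes:
        return "no-reply"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"  # port 443 on this address is not speaking TLS
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"  # TLS alert (0x15) or handshake (0x16) record
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {address: classification} for every address `host` resolves to."""
    hello = client_hello(host)
    results = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                s.sendall(hello)
                results[sockaddr[0]] = classify_reply(s.recv(16))
        except OSError as exc:
            results[sockaddr[0]] = f"error: {exc}"
    return results


if __name__ == "__main__":
    import sys
    for addr, verdict in probe(sys.argv[1]).items():
        print(f"{addr}\t{verdict}")
```

Run it with the bare name and again with the www name; an address that reports `plaintext-http` is being served on port 443 by something other than the `SSLEngine on` virtual host.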
