Bug 64847 - Incomplete SSL virtual host config seems to work but tells php it is not using SSL
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.38
Hardware: All Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2020-10-24 08:34 UTC by Cameron Davidson
Modified: 2020-10-24 08:34 UTC

Attachments
my default ssl virtualhost config stripped of comments (590 bytes, text/plain)
2020-10-24 08:34 UTC, Cameron Davidson
Description Cameron Davidson 2020-10-24 08:34:46 UTC
Created attachment 37531
my default ssl virtualhost config stripped of comments

This is a home/testbed system, not exposed on the internet.

The installation is Debian 10 (current stable release), using Debian's configuration methods.
PHP is version 7.3.19-1~deb10u1, server API reports "Apache 2 handler"

I use my own certificates and the browsers trust the CA.

The virtual hosts are all cnames in local DNS and appear as subjectAltNames on the one certificate that Apache loads.

For some years it has seemed to work with the following configuration:
The main SSL config is created under Debian's system with
  <VirtualHost _default_:443>
where I replaced the snakeoil certificate and key with my own, but otherwise left it alone (see attached).

Works fine for the main site.

Other virtual hosts were defined along the lines of

<VirtualHost *:80>
    ServerName vhost1.home.domain
    ServerAlias some extra names
    DocumentRoot "/var/www/virtuals/vhost1"
</VirtualHost>

<VirtualHost *:443>
    ServerName vhost1.home.domain
    ServerAlias same extra names
    DocumentRoot "/var/www/virtuals/vhost1"
</VirtualHost>

This has seemed to work for several years - it speaks plain HTTP on port 80 and SSL/TLS on port 443, delivering whatever the vhost is supposed to supply.

The problem became apparent when I installed WordPress, both with the Debian package and then with the latest download. As soon as I enable HTTPS for the WordPress virtual host it goes into an infinite redirect loop, sending HTTPS requests to the same URL.
The reason is that WordPress tests in PHP for the presence/value of $_SERVER['HTTPS'], and if that fails then it tests if $_SERVER['SERVER_PORT'] is 443.
That should have worked, but in this case, Apache2 reports to PHP that the entire request was done using SERVER_PORT = 80 and REQUEST_SCHEME = "http", which is just wrong: all traffic was port 443, as confirmed both by Wireshark and by Firefox developer tools.
To confirm these parameter values, I accessed phpinfo.php under each host.

The minimal fix is to add a few extra lines to the virtualhost declaration:
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/my-cert.crt
  SSLCertificateKeyFile /etc/ssl/private/my-cert.key

If I just add "SSLEngine on" by itself then it complains about missing certificates.
It seems I have misinterpreted the purpose of the _default_:443 - it looked to me like SSL parameters missing from the virtualhost 443 declarations were taken from the _default_ declarations.

And there is no proxy anywhere that I am aware of, which is reported elsewhere as a cause of these WordPress symptoms.
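
A configuration check for the situation described in this report, as an added example that is not part of the original report or of Apache httpd: it lists every <VirtualHost> bound to port 443 whose own block lacks "SSLEngine on", or has it without SSLCertificateFile. The function name and sample text are constructed for illustration, and the check assumes only directives written inside each block matter (it does not follow Include files or server-level settings).

```python
import re

# Constructed sample that mirrors the vhost layout described in the report.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/my-cert.crt
    SSLCertificateKeyFile /etc/ssl/private/my-cert.key
</VirtualHost>
<VirtualHost *:80>
    ServerName vhost1.home.domain
</VirtualHost>
<VirtualHost *:443>
    ServerName vhost1.home.domain
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)

def find_incomplete_ssl_vhosts(conf_text, tls_ports=("443",)):
    """Return (line, addresses, ServerName, problem) per incomplete TLS vhost."""
    findings, block = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        opened = VHOST_OPEN.match(line)
        if opened:
            block = {"line": line_no, "addrs": opened.group(1).split(), "d": {}}
        elif block and VHOST_CLOSE.match(line):
            d, problem = block["d"], None
            # Only vhosts with an address ending in a TLS port are checked.
            if any(a.rsplit(":", 1)[-1] in tls_ports for a in block["addrs"]):
                if d.get("sslengine", "").lower() != "on":
                    problem = "no 'SSLEngine on'"
                elif "sslcertificatefile" not in d:
                    problem = "'SSLEngine on' without SSLCertificateFile"
            if problem:
                findings.append((block["line"], " ".join(block["addrs"]),
                                 d.get("servername", "?"), problem))
            block = None
        elif block:
            name, *rest = line.split(None, 1)  # directive name, then its value
            block["d"][name.lower()] = rest[0] if rest else ""
    return findings

if __name__ == "__main__":
    for finding in find_incomplete_ssl_vhosts(SAMPLE_CONF):
        print("line %d: <VirtualHost %s> ServerName %s: %s" % finding)
```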