HTTPS connexion on the port 80

Hi,

I'm new on this list and this is my first message. So, a little
presentation : I'm French, I work on Debian and I have a problem ;-)

On my server, I can only use port 80, for http and https access. So,
here is my /etc/apache2/sites-available/default file :
ServerAdmin me@mydomaine.org
<Directory />
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
alert, emerg. LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
NameVirtualHost *
<VirtualHost *>
ServerName site1.mydomaine.org
DocumentRoot /site1
</VirtualHost>

<VirtualHost *>
ServerName site2.mydomaine.org
DocumentRoot /site2
</VirtualHost>

<VirtualHost *>
ServerName site3.mydomaine.org
DocumentRoot /site3
SSLEngine on
SSLCertificateFile /ssl/site3.cert
SSLCertificateKeyFile /ssl/site3.key
</VirtualHost>

If I try https://site3.mydomaine.org:80/, it should works, no ?
In fact, it is ok for site1 and site2, and for site3, it works only in
http !!! It seems it should not work in http, no ?
If I open (only for tests) the 443 port, it works correctly in https.

Do you have any clue ?

Thanks.

David.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

David BERCOT wrote:
> Hi,
>
> I'm new on this list and this is my first message. So, a little
> presentation : I'm French, I work on Debian and I have a problem ;-)
>
> On my server, I can only use port 80, for http and https access. So,
> here is my /etc/apache2/sites-available/default file :
> ServerAdmin me@mydomaine.org
> <Directory />
> Options FollowSymLinks
> AllowOverride AuthConfig
> </Directory>
> ErrorLog /var/log/apache2/error.log
> # Possible values include: debug, info, notice, warn, error, crit,
> alert, emerg. LogLevel warn
> CustomLog /var/log/apache2/access.log combined
> ServerSignature On
> NameVirtualHost *
> <VirtualHost *>
> ServerName site1.mydomaine.org
> DocumentRoot /site1
> </VirtualHost>
>
> <VirtualHost *>
> ServerName site2.mydomaine.org
> DocumentRoot /site2
> </VirtualHost>
>
> <VirtualHost *>
> ServerName site3.mydomaine.org
> DocumentRoot /site3
> SSLEngine on
> SSLCertificateFile /ssl/site3.cert
> SSLCertificateKeyFile /ssl/site3.key
> </VirtualHost>
>
> If I try https://site3.mydomaine.org:80/, it should works, no ?
> In fact, it is ok for site1 and site2, and for site3, it works only in
> http !!! It seems it should not work in http, no ?
> If I open (only for tests) the 443 port, it works correctly in https.
>
> Do you have any clue ?
>
> Thanks.
>
> David.
>


same as if you want apache to listen on a different port, you have to
tell it to in ports.conf. never used https but if you change the 443 to
something else in ports.conf should work. I dont think they can both
use 80 though.


steve


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Le Sun, 09 Nov 2008 17:22:05 -0500,
steve <sfreilly@roadrunner.com> a écrit :
> David BERCOT wrote:
> > Hi,
> >
> > I'm new on this list and this is my first message. So, a little
> > presentation : I'm French, I work on Debian and I have a problem ;-)
> >
> > On my server, I can only use port 80, for http and https access. So,
> > here is my /etc/apache2/sites-available/default file :
> > ServerAdmin me@mydomaine.org
> > <Directory />
> > Options FollowSymLinks
> > AllowOverride AuthConfig
> > </Directory>
> > ErrorLog /var/log/apache2/error.log
> > # Possible values include: debug, info, notice, warn, error, crit,
> > alert, emerg. LogLevel warn
> > CustomLog /var/log/apache2/access.log combined
> > ServerSignature On
> > NameVirtualHost *
> > <VirtualHost *>
> > ServerName site1.mydomaine.org
> > DocumentRoot /site1
> > </VirtualHost>
> >
> > <VirtualHost *>
> > ServerName site2.mydomaine.org
> > DocumentRoot /site2
> > </VirtualHost>
> >
> > <VirtualHost *>
> > ServerName site3.mydomaine.org
> > DocumentRoot /site3
> > SSLEngine on
> > SSLCertificateFile /ssl/site3.cert
> > SSLCertificateKeyFile /ssl/site3.key
> > </VirtualHost>
> >
> > If I try https://site3.mydomaine.org:80/, it should works, no ?
> > In fact, it is ok for site1 and site2, and for site3, it works only
> > in http !!! It seems it should not work in http, no ?
> > If I open (only for tests) the 443 port, it works correctly in
> > https.
> >
> > Do you have any clue ?
> >
> > Thanks.
> >
> > David.
>
> same as if you want apache to listen on a different port, you have to
> tell it to in ports.conf. never used https but if you change the 443
> to something else in ports.conf should work. I dont think they can
> both use 80 though.

In fact, there is yet a 'Listen 80' in my ports.conf. So, I can't see
why I should replace 'Listen 443' by another 'Listen 80' ;-)
I think I should add a 'Listen nnn' if I'd like Apache to listen on the
nnn port...

To complete my precedent message, it works once this morning (with
https://site3.mydomaine.org:80/) but I don't know which differences
there are between my 'default' file this morning and the new one.

The error I have is :
Échec de la connexion sécurisée
Une erreur est survenue pendant une connexion Ã* site3.mydomaine.org:80.
SSL a reçu un enregistrement qui dépasse la longueur maximale autorisée.
(Code d'erreur : ssl_error_rx_record_too_long)
La page que vous essayez de consulter ne peut pas être affichée car
l'authenticité des données reçues ne peut être vérifiée.

I prefer no to translate it in order not to add wrong information ;-)
I hope the error message is explicit enough !

Thanks.

David.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

On Sun, Nov 9, 2008 at 5:10 PM, David BERCOT <debian@bercot.org> wrote:
> NameVirtualHost *
> <VirtualHost *>
> ServerName site1.mydomaine.org
> DocumentRoot /site1
> </VirtualHost>
>
> <VirtualHost *>
> ServerName site2.mydomaine.org
> DocumentRoot /site2
> </VirtualHost>
>
> <VirtualHost *>
> ServerName site3.mydomaine.org
> DocumentRoot /site3
> SSLEngine on
> SSLCertificateFile /ssl/site3.cert
> SSLCertificateKeyFile /ssl/site3.key
> </VirtualHost>

You need to tell apache to accept the port 443 traffic in a particular
vhost, and "*" doesn't work for that.

NameVirtualHost *:80
<virtualhost *:80>
....
</virtualhost>
<virtualhost *:80>
....
</virtualhost>

<virtualhost *:443>
SSLEngine on
....
</virtualhost>

--
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Le Sun, 9 Nov 2008 18:16:55 -0500,
"Eric Covener" <covener@gmail.com> a écrit :
> On Sun, Nov 9, 2008 at 5:10 PM, David BERCOT <debian@bercot.org>
> wrote:
> > NameVirtualHost *
> > <VirtualHost *>
> > ServerName site1.mydomaine.org
> > DocumentRoot /site1
> > </VirtualHost>
> >
> > <VirtualHost *>
> > ServerName site2.mydomaine.org
> > DocumentRoot /site2
> > </VirtualHost>
> >
> > <VirtualHost *>
> > ServerName site3.mydomaine.org
> > DocumentRoot /site3
> > SSLEngine on
> > SSLCertificateFile /ssl/site3.cert
> > SSLCertificateKeyFile /ssl/site3.key
> > </VirtualHost>
>
> You need to tell apache to accept the port 443 traffic in a particular
> vhost, and "*" doesn't work for that.

Yes, but no ;-)
I want https traffic on port 80, nor 443 !!!

David.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

On Mon, Nov 10, 2008 at 2:03 AM, David BERCOT <debian@bercot.org> wrote:

> Yes, but no ;-)
> I want https traffic on port 80, nor 443 !!!
>

You can't do that, because the client needs to know whether to speak
http or https as soon as they send any data, and apache won't just try
to interpret it either way.

--
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Le Mon, 10 Nov 2008 06:59:54 -0500,
"Eric Covener" <covener@gmail.com> a écrit :
> On Mon, Nov 10, 2008 at 2:03 AM, David BERCOT <debian@bercot.org>
> wrote:
>
> > Yes, but no ;-)
> > I want https traffic on port 80, nor 443 !!!
>
> You can't do that, because the client needs to know whether to speak
> http or https as soon as they send any data, and apache won't just try
> to interpret it either way.

But the client knows what to speak because I tell him :
httpS://site3.mondomaine:80/

David.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

David BERCOT <debian@bercot.org> writes:

> Le Mon, 10 Nov 2008 06:59:54 -0500,
> "Eric Covener" <covener@gmail.com> a écrit :
>> On Mon, Nov 10, 2008 at 2:03 AM, David BERCOT <debian@bercot.org>
>> wrote:
>>
>> > Yes, but no ;-)
>> > I want https traffic on port 80, nor 443 !!!
>>
>> You can't do that, because the client needs to know whether to speak
>> http or https as soon as they send any data, and apache won't just try
>> to interpret it either way.
>
> But the client knows what to speak because I tell him :
> httpS://site3.mondomaine:80/

Apache needs to know too. It can't see the Host passed from the client
until it has already started reading the request, which it can't do
until it has done an SSL handshake. How would it know whether to do
that or not, if port 80 is getting both SSL and non-SSL connections?

--
Dan Poirier <poirier@pobox.com>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Le Mon, 10 Nov 2008 15:55:17 -0500,
Dan Poirier <poirier@pobox.com> a écrit :
> David BERCOT <debian@bercot.org> writes:
> > Le Mon, 10 Nov 2008 06:59:54 -0500,
> > "Eric Covener" <covener@gmail.com> a écrit :
> >> On Mon, Nov 10, 2008 at 2:03 AM, David BERCOT <debian@bercot.org>
> >> wrote:
> >>
> >> > Yes, but no ;-)
> >> > I want https traffic on port 80, nor 443 !!!
> >>
> >> You can't do that, because the client needs to know whether to
> >> speak http or https as soon as they send any data, and apache
> >> won't just try to interpret it either way.
> >
> > But the client knows what to speak because I tell him :
> > httpS://site3.mondomaine:80/
>
> Apache needs to know too. It can't see the Host passed from the
> client until it has already started reading the request, which it
> can't do until it has done an SSL handshake. How would it know
> whether to do that or not, if port 80 is getting both SSL and non-SSL
> connections?

May be my knowledge of Apache configuration is not good, but there are
specific directives for SSL :

HTTP site :
<VirtualHost *:80>
ServerName site1.mondomaine.org
DocumentRoot /site1
</VirtualHost>

HTTPS site :
<VirtualHost *:80>
ServerName site2.mondomaine.org
DocumentRoot /site2
SSLEngine on
SSLCertificateFile /ssl/site2.cert
SSLCertificateKeyFile /ssl/site2.key
</VirtualHost>

I think that Apache knows that site1 is only HTTP and site2 is HTTPS.
Isn't it OK ?

David.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

On Mon, Nov 10, 2008 at 5:00 PM, David BERCOT <debian@bercot.org> wrote:
> Le Mon, 10 Nov 2008 15:55:17 -0500,
> Dan Poirier <poirier@pobox.com> a écrit :
>> David BERCOT <debian@bercot.org> writes:
>> > Le Mon, 10 Nov 2008 06:59:54 -0500,
>> > "Eric Covener" <covener@gmail.com> a écrit :
>> >> On Mon, Nov 10, 2008 at 2:03 AM, David BERCOT <debian@bercot.org>
>> >> wrote:
>> >>
>> >> > Yes, but no ;-)
>> >> > I want https traffic on port 80, nor 443 !!!
>> >>
>> >> You can't do that, because the client needs to know whether to
>> >> speak http or https as soon as they send any data, and apache
>> >> won't just try to interpret it either way.
>> >
>> > But the client knows what to speak because I tell him :
>> > httpS://site3.mondomaine:80/
>>
>> Apache needs to know too. It can't see the Host passed from the
>> client until it has already started reading the request, which it
>> can't do until it has done an SSL handshake. How would it know
>> whether to do that or not, if port 80 is getting both SSL and non-SSL
>> connections?
>
> May be my knowledge of Apache configuration is not good, but there are
> specific directives for SSL :
>
> HTTP site :
> <VirtualHost *:80>
> ServerName site1.mondomaine.org
> DocumentRoot /site1
> </VirtualHost>
>
> HTTPS site :
> <VirtualHost *:80>
> ServerName site2.mondomaine.org
> DocumentRoot /site2
> SSLEngine on
> SSLCertificateFile /ssl/site2.cert
> SSLCertificateKeyFile /ssl/site2.key
> </VirtualHost>
>
> I think that Apache knows that site1 is only HTTP and site2 is HTTPS.
> Isn't it OK ?

No, Apache has no chance to choose the 2nd vhost in time to be able to
do an SSL handshake.


--
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org