mitchellkrogza / apache-ultimate-bad-bot-blocker

Apache Block Bad Bots, (Referer) Spam Referrer Blocker, Vulnerability Scanners, Malware, Adware, Ransomware, Malicious Sites, Wordpress Theme Detectors and Fail2Ban Jail for Repeat Offenders

[INSTALLATION] Missing envariable expression for SetEnvIfNoCase / [PANELS] Froxlor Usage #134

Closed Tealk closed 4 years ago

Tealk commented 5 years ago

Describe the problem you are experiencing

If I try to load the config I get the following error:

apache2ctl configtest
AH00526: Syntax error on line 28 of /etc/apache2/custom.d/whitelist-domains.conf:
Missing envariable expression for SetEnvIfNoCase
Action 'configtest' failed.

Server (please complete the following information):
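
Added example, not part of the original issue or the project's code: a pre-flight check for the argument rule behind the "Missing envariable expression for SetEnvIfNoCase" error quoted above, so the offending line can be located before running apache2ctl configtest. The file contents are a constructed sample, since the reporter's whitelist-domains.conf is not shown on the page; the assumption is that the message means the directive has an attribute and a regex but no variable to set.

```python
import shlex

DIRECTIVES = {"setenvif", "setenvifnocase"}

# Constructed stand-in for custom.d/whitelist-domains.conf (not the reporter's file).
SAMPLE = r'''# whitelist (constructed sample)
SetEnvIfNoCase Referer example\.com good_ref
SetEnvIfNoCase Referer example\.org
SetEnvIfNoCase Referer "my site\.net" good_ref
SetEnvIfNoCase Referer \
    example\.net
SetEnvIf Referer
'''


def logical_lines(text):
    """Yield (first_line_no, text), joining backslash-continued lines."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf = ""


def check(text):
    """Return [(line_no, message)] for SetEnvIf* lines with too few arguments."""
    findings = []
    for no, line in logical_lines(text):
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#") or parts[0].lower() not in DIRECTIVES:
            continue
        try:
            args = shlex.split(parts[1] if len(parts) > 1 else "")
        except ValueError as exc:  # unbalanced quote in the regex
            findings.append((no, f"{parts[0]}: {exc}"))
            continue
        if len(args) < 2 or not args[0] or not args[1]:
            findings.append((no, f"{parts[0]}: attribute or regex missing"))
        elif len(args) < 3 or not args[2]:
            # Attribute and regex present, but no variable to set.
            findings.append((no, f"Missing envariable expression for {parts[0]}"))
    return findings


if __name__ == "__main__":
    for no, msg in check(SAMPLE):
        print(f"line {no}: {msg}")
```
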

Tealk commented 5 years ago

still the same

but even if I manually insert it into the vhost, it doesn't seem to work.

mitchellkrogza commented 5 years ago

So if you modify your whole vhost manually like this it does not work? That's just not possible. There's other security that is completely bypassing it then.

# 35_froxlor_ssl_vhost_anzahcraft.de.conf
# Created 22.08.2019 19:55
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 23 (SSL) - CustomerID: 1 - CustomerLogin: Anzah
<VirtualHost 185.170.112.156:443 [2a03:4000:15:68f::b9aa:709c]:443>
  ServerName anzahcraft.de
  ServerAlias www.anzahcraft.de
  ServerAdmin MAIL
  SSLEngine On
  SSLProtocol -ALL +TLSv1.2 +TLSv1.3
  Protocols h2 http/1.1
  SSLCompression Off
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
  SSLVerifyDepth 10
  SSLCertificateFile /etc/ssl/froxlor-custom/anzahcraft.de.crt
  SSLCertificateKeyFile /etc/ssl/froxlor-custom/anzahcraft.de.key
  SSLCACertificateFile /etc/ssl/froxlor-custom/anzahcraft.de_CA.pem
  SSLCertificateChainFile /etc/ssl/froxlor-custom/anzahcraft.de_chain.pem
  SSLUseStapling on
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
  </IfModule>
  DocumentRoot "/var/customers/webs/Anzah/anzahcraft.de/"
  SuexecUserGroup "USER" "USER"
  <FilesMatch \.(php)$>
  SetHandler proxy:unix:/var/lib/apache2/fastcgi/4-anzah-anzahcraft.de-php-fpm.socket|fcgi://localhost
  </FilesMatch>
  <Directory "/var/customers/webs/Anzah/anzahcraft.de/">
    #Require all granted
    AllowOverride All
    Include custom.d/globalblacklist.conf
  </Directory>
  Alias /webalizer "/var/customers/webs/Anzah/webalizer/anzahcraft.de"
  LogLevel warn
  ErrorLog "/var/customers/logs/Anzah-anzahcraft.de-error.log"
  CustomLog "/dev/null" combined
<Location />
    GeoIPEnable On
    # https://dev.maxmind.com/geoip/legacy/codes/iso3166/
    SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
        Deny from env=DenyCountry
</Location>
</VirtualHost>

mitchellkrogza commented 5 years ago

Hang on !!!

Just try this on your directory block (without require all granted)

        <Directory "/var/customers/webs/Anzah/anzahcraft.de/">
            Include /etc/apache2/custom.d/globalblacklist.conf
            AllowOverride All
            Options FollowSymLinks
        </Directory>

mitchellkrogza commented 5 years ago

This vhost config example (below) will work on any single Apache 2.4 config you can throw it at. Unless it's been broken completely by one single <RequireAll> or <RequireAny> or require all granted in the wrong place. Remember I told you, just one of these in the wrong place will break the blocker and it will also break ALL of Apache's security rules.

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
    # ------------
    # VHOST BASICS
    # ------------
    ServerName whatever.com
    ServerAdmin webmaster@whatever.com
    RewriteEngine On
    DocumentRoot /var/www/html
        LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # ------------
    # SSL SETTINGS
    # ------------

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/whatever.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/whatever.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/whatever.com/chain.pem

                <Directory "/var/www/html">
                SSLOptions +StdEnvVars
                </Directory>

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
        </Directory>

    # --------------------
    # MAIN DIRECTORY BLOCK
    # --------------------

        <Directory "/var/www/html">
                Include /etc/apache2/custom.d/globalblacklist.conf
            AllowOverride All
            Options FollowSymLinks
        </Directory>

    # ----------------
    # COUNTRY BLOCKING
    # ----------------

    <Location />
        GeoIPEnable On
        # https://dev.maxmind.com/geoip/legacy/codes/iso3166/
        SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
        Deny from env=DenyCountry
    </Location>

    </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
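
Added example, not code from the thread or the project: a small auditor for the three constructs named in the comment above (<RequireAll>, <RequireAny>, Require all granted), reporting where each one sits relative to the Include of globalblacklist.conf. The vhost text is a constructed sample with placeholder names; the script only locates the directives and leaves the decision about whether a placement is wrong to the reader.

```python
import re

SECTION_OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
SECTION_CLOSE = re.compile(r"^</\s*\w+\s*>$")
# The three constructs named in the comment above.
SUSPECT = re.compile(r"^(<require(all|any)\b|require\s+all\s+granted\b)", re.I)
BLOCKER = re.compile(r"^include(optional)?\s+\S*globalblacklist\.conf", re.I)

# Constructed vhost (hostname and paths are placeholders, not from the thread).
SAMPLE = '''<VirtualHost *:443>
  ServerName example.test
  <Directory "/var/www/example">
    Require all granted
    AllowOverride All
    Include /etc/apache2/custom.d/globalblacklist.conf
  </Directory>
  <Directory "/var/www/example/static">
    <RequireAny>
      Require all granted
    </RequireAny>
  </Directory>
</VirtualHost>
'''


def audit(text):
    """Return [(line_no, directive, section_path, shares_block_with_blocker)]."""
    stack, blocker_paths, suspects = [], [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        path = " > ".join(stack) or "(server config)"
        if BLOCKER.match(line):
            blocker_paths.append(path)
        if SUSPECT.match(line):
            suspects.append((no, line, path))
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := SECTION_OPEN.match(line)):
            stack.append(f"{m.group(1)} {m.group(2)}".strip())

    def shared(p):
        return any(p == b or p.startswith(b + " > ") for b in blocker_paths)
    return [(no, d, p, shared(p)) for no, d, p in suspects]


if __name__ == "__main__":
    for no, directive, path, same in audit(SAMPLE):
        tag = "same block as blocker include" if same else "elsewhere"
        print(f"line {no}: {directive!r} in [{path}] ({tag})")
```
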
mitchellkrogza commented 5 years ago

And here's my apache2.conf used on a live server and in all tests.

# Global configuration
#ServerRoot "/etc/apache2"
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf

<Directory />
    Options FollowSymLinks
    AllowOverride All
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Tealk commented 5 years ago

Might it have something to do with the SuexecUserGroup?

And I have removed all <RequireAll> from my system.

mitchellkrogza commented 5 years ago

Possibly, depends on what has been done to it??? Take the above apache2.conf and vhost config and throw it onto a bare Apache 2.4 with the blocker files in place, it will work instantly.

mitchellkrogza commented 5 years ago

Disable suexec module and you will quickly find out, for what reason exactly is suexec being used?

mitchellkrogza commented 5 years ago

And compare again what modules you have enabled versus what I posted earlier in this thread.

Tealk commented 5 years ago

Disable suexec module and you will quickly find out, for what reason exactly is suexec being used?

If I deactivate this I can't even start Apache because all vhosts of Froxlor are using it.

mitchellkrogza commented 5 years ago

Then you can't disable it. Not sure for what purpose it is activated, you're not running any CGI? But they must have a reason.

I still do not think that is your problem at all, there is one line / block somewhere that is breaking everything

Take my apache.conf and sample vhost and test it

mitchellkrogza commented 5 years ago

Did you follow my example and try without the require all granted ?

Tealk commented 5 years ago

If I use your example configs I don't have access to the website because of an SSL error; I couldn't find out exactly where the problem is yet.

So if I set it up that way, it won't have any effect.

# 35_froxlor_ssl_vhost_anzahcraft.de.conf
# Created 23.08.2019 12:20
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 23 (SSL) - CustomerID: 1 - CustomerLogin: Anzah
<VirtualHost 185.170.112.156:443 [2a03:4000:15:68f::b9aa:709c]:443>
  ServerName anzahcraft.de
  ServerAlias www.anzahcraft.de
  ServerAdmin 
  SSLEngine On
  SSLProtocol -ALL +TLSv1.2 +TLSv1.3
 Protocols h2 http/1.1
  SSLCompression Off
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
  SSLVerifyDepth 10
  SSLCertificateFile /etc/ssl/froxlor-custom/anzahcraft.de.crt
  SSLCertificateKeyFile /etc/ssl/froxlor-custom/anzahcraft.de.key
  SSLCACertificateFile /etc/ssl/froxlor-custom/anzahcraft.de_CA.pem
  SSLCertificateChainFile /etc/ssl/froxlor-custom/anzahcraft.de_chain.pem
  SSLUseStapling on
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
  </IfModule>
  DocumentRoot "/var/customers/webs/Anzah/anzahcraft.de/"
  SuexecUserGroup "" ""
  <FilesMatch \.(php)$>
  SetHandler proxy:unix:/var/lib/apache2/fastcgi/4-anzah-anzahcraft.de-php-fpm.socket|fcgi://localhost
  </FilesMatch>
  <Directory "/var/customers/webs/Anzah/anzahcraft.de/">
    Include /etc/apache2/custom.d/globalblacklist.conf
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/Anzah/webalizer/anzahcraft.de"
  LogLevel warn
  ErrorLog "/var/customers/logs/Anzah-anzahcraft.de-error.log"
  CustomLog "/dev/null" combined
<Location />
    GeoIPEnable On
    # https://dev.maxmind.com/geoip/legacy/codes/iso3166/
    SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
    SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
        Deny from env=DenyCountry
</Location>
</VirtualHost>

JialuZhang commented 3 years ago

@mitchellkrogza

In your posted configuration,

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
    # ------------
    # VHOST BASICS
    # ------------
    ServerName whatever.com
    ServerAdmin webmaster@whatever.com
    RewriteEngine On
    DocumentRoot /var/www/html
        LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # ------------
    # SSL SETTINGS
    # ------------

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/whatever.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/whatever.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/whatever.com/chain.pem

                <Directory "/var/www/html">
                SSLOptions +StdEnvVars
                </Directory>

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
        </Directory>

    # --------------------
    # MAIN DIRECTORY BLOCK
    # --------------------

        <Directory "/var/www/html">
                Include /etc/apache2/custom.d/globalblacklist.conf
            AllowOverride All
            Options FollowSymLinks
        </Directory>

    # ----------------
    # COUNTRY BLOCKING
    # ----------------

    <Location />
        GeoIPEnable On
        # https://dev.maxmind.com/geoip/legacy/codes/iso3166/
        SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE KR DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE KP DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
        SetEnvIf GEOIP_COUNTRY_CODE RO DenyCountry
        Deny from env=DenyCountry
    </Location>

    </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

the line "RewriteEngine On" is a silent misconfiguration. This means adding it to your system will not change any system behavior. "RewriteEngine On" is introduced by Apache to explicitly enable all "RewriteRule" and "RewriteCond". That is to say, unless you include multiple "RewriteRule" and "RewriteCond" parameters in your configuration, leaving off "RewriteEngine" is a better choice.

More importantly, the default value of "RewriteEngine" is already "off", so from a security side, deleting "RewriteEngine On" would be ideal.

The related Apache source code snippet:

run_rewritemap_programs(server_rec *s, apr_pool_t *p) {
    if (conf->state == ENGINE_DISABLED) { // usage of "RewriteEngine"
        return APR_SUCCESS; // early return
    }
    rewritemap_program(...); // usage of "RewriteRule"
}