[Solved] SSL enabled on non-SSL port

Added by SmallandUnimportant about 1 month ago

Greetings,

I am doing a complex-ish multi-subdomain set of sites on lighttpd 1.4.64 on NetBSD 9

server.modules = (
  "mod_rewrite",
  "mod_access",
  "mod_fastcgi",
  "mod_deflate",
  "mod_proxy",
  "mod_redirect",
  "mod_setenv",
  "mod_openssl",
)

from modules.conf

lighttpd.conf (scrubbed my "hostname" domain)

var.log_root    = "/var/log/lighttpd" 
var.server_root = "/srv/http" 
var.state_dir   = "/var/run" 
var.home_dir    = "/var/lib/lighttpd" 
var.conf_dir    = "/usr/pkg/etc/lighttpd" 

var.vhosts_dir  = server_root

var.cache_dir   = "/var/cache/lighttpd" 

var.socket_dir  = home_dir + "/sockets" 

include conf_dir + "/modules.conf" 

server.port = 80

server.use-ipv6 = "disable" 

server.username  = "lighttpd" 
server.groupname = "www" 

server.document-root ="/srv/http/server.generic.net/public" 

deflate.mimetypes = ("text/html", "text/plain", "text/css", "text/javascript", "text/xml")
deflate.allowed-encodings = ( "br", "gzip", "deflate" ) # "bzip2" and "zstd" also supported

server.pid-file = state_dir + "/lighttpd.pid" 

server.errorlog             = log_root + "/error.log" 

include conf_dir + "/conf.d/access_log.conf" 

include conf_dir + "/conf.d/debug.conf" 

server.event-handler = "kqueue" 

server.max-fds = 16384

server.max-request-size = 125000

index-file.names += (
  "index.xhtml", "index.html", "index.htm", "default.htm", "index.php" 
)

url.access-deny             = ( "~", ".inc" )

static-file.exclude-extensions = ( ".php" )

include conf_dir + "/conf.d/mime.conf" 

include conf_dir + "/conf.d/dirlisting.conf" 

include conf_dir + "/vhosts.d/*" 

with no SSL active. For SSL I just slotted in these lines:

ssl.engine = "enable" 
ssl.privkey= "/usr/pkg/etc/ssl/(PATH REDACTED)"
ssl.pemfile= "/usr/pkg/etc/ssl/(PATH REDACTED)"
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.1")

All vhosts are run by the same wildcard SSL cert (they're all subdomains).

Three main issues erupt:

1. My sites stop loading over HTTP. I am not changing vhost configs. They come back with "Empty Response" consistently.
2. Even adding an SSL config, it won't load over SSL either! Some are static data, some are PHP stuff. Config examples below.
3. No indication of a syntax issue or other log issue is seen.

Examples:

just an rspamd proxy, it works on HTTP just fine.

$HTTP["host"] =~ "all.generic.net$" {
  server.document-root = "/srv/http/all.generic.net/public"
  $HTTP["url"] =~ "^/rspamd/" {
    proxy.server = ( "" => ( ( "host" => "localhost", "port" => "11334" ) ) )
    proxy.header = ("map-urlpath" => ( "/rspamd/" => "/"))
    setenv.add-response-header = ( "X-Forwarded-For" => "" )
  }
}

$SERVER["socket"] == ":443" {
  $HTTP["host"] =~ "all.generic.net$" {
    server.document-root = "/srv/http/all.generic.net/public"
    $HTTP["url"] =~ "^/rspamd/" {
      proxy.server = ( "" => ( ( "host" => "localhost", "port" => "11334" ) ) )
      proxy.header = ("map-urlpath" => ( "/rspamd/" => "/"))
      setenv.add-response-header = ( "X-Forwarded-For" => "" )
    }
  }
}

Another:

A MyBB config

$SERVER["socket"] == ":80" {
$HTTP["host"] =~ "forums.generic.net$" {
  server.document-root = "/srv/http/forums.generic.net/public" 
  fastcgi.server = ( ".php" =>
    (
      ( "socket" => "/var/run/php/php-fpm.sock",
        "check-local" => "disable",
        "broken-scriptfilename" => "enable" 
      )
    )
  )
  url.rewrite = (
    "^/forum-([0-9]+)\.html(\?(.*)|)$" => "/forumdisplay.php?fid=$1&$3",
    "^/forum-([0-9]+)-page-([0-9]+)\.html(\?(.*)|)$" => "/forumdisplay.php?fid=$1&page=$2&$4",
    "^/thread-([0-9]+)\.html(\?(.*)|)$" => "/showthread.php?tid=$1&$3",
    "^/thread-([0-9]+)-page-([0-9]+)\.html(\?(.*)|)$" => "/showthread.php?tid=$1&page=$2&$4",
    "^/thread-([0-9]+)-lastpost\.html(\?(.*)|)$" => "/showthread.php?tid=$1&action=lastpost&$3",
    "^/thread-([0-9]+)-nextnewest\.html(\?(.*)|)$" => "/showthread.php?tid=$1&action=nextnewest&$3",
    "^/thread-([0-9]+)-nextoldest\.html(\?(.*)|)$" => "/showthread.php?tid=$1&action=nextoldest&$3",
    "^/thread-([0-9]+)-newpost\.html(\?(.*)|)$" => "/showthread.php?tid=$1&action=newpost&$3",
    "^/thread-([0-9]+)-post-([0-9]+)\.html(\?(.*)|)$" => "/showthread.php?tid=$1&pid=$2&$4",

    "^/post-([0-9]+)\.html(\?(.*)|)$" => "/showthread.php?pid=$1&$3",

    "^/announcement-([0-9]+)\.html(\?(.*)|)$" => "/announcements.php?aid=$1&$3",

    "^/user-([0-9]+)\.html(\?(.*)|)$" => "/member.php?action=profile&uid=$1&$3",
  )
  static-file.exclude-extensions = ( ".php" )
  }
}

$SERVER["socket"] == ":443" {
$HTTP["host"] =~ "forums.generic.net$" {
  server.document-root = "/srv/http/forums.generic.net/public" 
  fastcgi.server = ( ".php" =>
    (
      ( "socket" => "/var/run/php/php-fpm.sock",
        "check-local" => "disable",
        "broken-scriptfilename" => "enable" 
      )
    )
  )
  url.rewrite = (
    "^/forum-([0-9]+)\.html(\?(.*)|)$" => "/forumdisplay.php?fid=$1&$3",
    "^/forum-([0-9]+)-page-([0-9]+)\.html(\?(.*)|)$" => "/forumdisplay.php?fid=$1&page=$2&$4",
    "^/thread-([0-9]+)\.html(\?(.*)|)$" => "/showthread.php?tid=$1&$3",
    "^/thread-([0-9]+)-page-([0-9]+)\.html(\?(.*)|)$" => "/showthread.php?tid=$1&page=$2&$4",
    "^/thread-([0-9]+)-lastpost\.html(\?(.*)|)$" => "/showthread.php?tid=$1&action=lastpost&$3",
    "^/thread-([0-9]+)-nextnewest\.html(\?(.*)|)$" => "/showthread.php?tid=$1&action=nextnewest&$3",
    "^/thread-([0-9]+)-nextoldest\.html(\?(.*)|)$" => "/showthread.php?tid=$1&action=nextoldest&$3",
    "^/thread-([0-9]+)-newpost\.html(\?(.*)|)$" => "/showthread.php?tid=$1&action=newpost&$3",
    "^/thread-([0-9]+)-post-([0-9]+)\.html(\?(.*)|)$" => "/showthread.php?tid=$1&pid=$2&$4",

    "^/post-([0-9]+)\.html(\?(.*)|)$" => "/showthread.php?pid=$1&$3",

    "^/announcement-([0-9]+)\.html(\?(.*)|)$" => "/announcements.php?aid=$1&$3",

    "^/user-([0-9]+)\.html(\?(.*)|)$" => "/member.php?action=profile&uid=$1&$3",
  )
  static-file.exclude-extensions = ( ".php" )
  }
}

So you may be asking why things are duped across both -- I cannot force SSL. Simply put, this is a niche project requiring plain HTTP as part of the criterion -- alternatives like load balancing or what-not aren't in the cards. Other webservers handle this, so there must be a way. Either way, not overly important.

What am I doing wrong?

My goal is to have 5-7 different services all served by one webserver using my wildcard SSL, same IP. All must be SSL-agnostic, which is possible as I've done it.

Please do not just throw a page at me. I have already read relevant docs, bugs, dozens of configs, and it's not a lack of comprehension, I simply need someone who can spare a bit to get me on the right track.

Thanks, and I'm glad to be here!


Replies (5)

RE: Various SSL issues encountered - Added by gstrauss about 1 month ago

If you put ssl.engine = "enable" in the lighttpd.conf global scope and are using the default server.port = 80, then TLS is enabled on port 80, and you can use https://example.com:80/ (note the "https").

Since that does not appear to be what you want, I think you should move ssl.engine = "enable" into

$SERVER["socket"] == ":443" {
  ssl.engine = "enable" 
}

RE: Various SSL issues encountered - Added by SmallandUnimportant about 1 month ago

LAWL, so that's the issue?

Ok, so "guarding it" in a $SERVER["socket"] == ":443" { } block should solve that? Lemme try that.

RE: Various SSL issues encountered - Added by SmallandUnimportant about 1 month ago

Double reply, sorry. I tested it for the root. Worked. Will report back later if any lingering issues pop up.

RE: Various SSL issues encountered - Added by gstrauss about 1 month ago

FYI: $HTTP["host"] =~ "forums.generic.net$" { ... } blocks which are the same for all listening ports can be put in the global scope to avoid the need to duplicate them in your config inside each different $SERVER["socket"].
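Putting the two replies above together, here is an added example layout of the corrected lighttpd.conf (written for this page; it is not the original poster's config and not from the lighttpd project). It shows the global-scope ssl.engine that broke port 80 beside the fix: TLS settings scoped to the :443 socket so that server.port 80 keeps speaking plain HTTP, and the per-host blocks written once in global scope so they apply to both listeners. Certificate paths are placeholders; the host matches use exact `==` instead of an unanchored regex; and the MinProtocol floor is raised to TLSv1.2 here, which is a choice of this example (the original post uses TLSv1.1, which RFC 8996 deprecates).

```lighttpd
# Added example, not the original poster's config. All paths are placeholders.
# mod_openssl must be in server.modules (the thread loads it via modules.conf).

server.port = 80            # plain-HTTP listener; keep ssl.* OUT of global scope

# WRONG (what the original config did): in global scope, ssl.engine applies to
# every listener, including server.port 80, so port 80 only answers TLS and a
# plain http://host/ request gets an empty response.
#   ssl.engine  = "enable"
#   ssl.pemfile = "/usr/pkg/etc/ssl/PLACEHOLDER-fullchain.pem"

# RIGHT: scope TLS to the :443 listener only.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/usr/pkg/etc/ssl/PLACEHOLDER-fullchain.pem"   # wildcard cert chain (placeholder)
    ssl.privkey = "/usr/pkg/etc/ssl/PLACEHOLDER-privkey.pem"     # private key (placeholder)
    # Original post floors at TLSv1.1; TLS 1.0/1.1 are deprecated (RFC 8996),
    # so this example floors at TLSv1.2 instead.
    ssl.openssl.ssl-conf-cmd = ( "MinProtocol" => "TLSv1.2" )
}

# Per-host blocks once, in global scope: they apply to both :80 and :443, so
# nothing has to be duplicated inside each $SERVER["socket"] block.
$HTTP["host"] == "all.generic.net" {
    server.document-root = "/srv/http/all.generic.net/public"
    $HTTP["url"] =~ "^/rspamd/" {
        proxy.server = ( "" => ( ( "host" => "localhost", "port" => "11334" ) ) )
        proxy.header = ( "map-urlpath" => ( "/rspamd/" => "/" ) )
    }
}

$HTTP["host"] == "forums.generic.net" {
    server.document-root = "/srv/http/forums.generic.net/public"
    fastcgi.server = ( ".php" => ( ( "socket"                => "/var/run/php/php-fpm.sock",
                                     "check-local"           => "disable",
                                     "broken-scriptfilename" => "enable" ) ) )
    static-file.exclude-extensions = ( ".php" )
}
```

To check the result, run `lighttpd -tt -f /usr/pkg/etc/lighttpd/lighttpd.conf` to validate the config before reloading, then confirm from a client that `curl -sI http://forums.generic.net/` answers on port 80 and `curl -sI https://forums.generic.net/` answers on 443; with the fix applied, a TLS handshake attempted against port 80 should fail rather than succeed, which is the quickest sign that ssl.engine is no longer leaking into the plain listener.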

RE: Various SSL issues encountered - Added by SmallandUnimportant about 1 month ago

Looks to be solved. Easy. Sorry for being dumb!
