#1 2019-10-23 15:22:42

dviktor
Member
From: Moscow
Registered: 2015-10-18
Posts: 162

Proper stub for HTTP vhosts in Apache

Hello. I wonder if my current setup is safe enough for a production server.

I have a bunch of VirtualHosts on my Apache server. Every domain has an SSL cert installed, so I wish to force my visitors to go via the https:// scheme. For now I have the following solution:

# Plain virtual host
<VirtualHost *:80>
    ServerName hostname.example.com
    ServerAdmin admin@example.com

    Protocols h2 http/1.1

    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

    ErrorLog "/var/log/httpd/hostname.example.com_error.log"
    CustomLog "/var/log/httpd/hostname.example.com_access.log" combined
    LogLevel warn
</VirtualHost>

# SSL virtual host
<VirtualHost *:443>
    ServerName hostname.example.com:443
    ServerAdmin admin@example.com

    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=63072000"

    DocumentRoot "/srv/http/html"

    <Directory "/srv/http/html">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog "/var/log/httpd/hostname.example.com_error.log"
    CustomLog "/var/log/httpd/hostname.example.com_access.log" combined
    LogLevel warn

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile "/etc/letsencrypt/live/hostname/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/hostname/privkey.pem"
</VirtualHost>

The same is true for the remaining HTTP/HTTPS VHosts. As can be seen, I have no DocumentRoot defined for plain HTTP hosts and I force a redirect to HTTPS via mod_rewrite. I wish to know if this practice is considered secure and what possible side effects could arise without setting DocumentRoot.

Also, to eliminate all unwanted requests to my hosts except the explicitly listed virtual hosts, I use the following in the main httpd config file:

# Default host
ServerName localhost
ServerAdmin admin@example.com

ErrorLog "/var/log/httpd/main_error.log"
CustomLog "/var/log/httpd/main_access.log" combined
LogLevel warn

Are there any pitfalls of using this approach? Should I explicitly define DocumentRoot for the default host and forbid access to it? Can I be sure that all other requests (e.g. by IP address or by another DNS name mapped to this IP) will be ignored by Apache? For now it seems like there are no traces in the logs after I visit my server by IP address...

Last edited by dviktor (2019-10-23 15:24:35)

Offline

#2 2019-10-23 16:28:17

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523
Website

Re: Proper stub for HTTP vhosts in Apache

I've never used rewrites for this; it seems redirects are more often advised:

<VirtualHost *:80>
ServerName whatever.com
# Trailing slash on the target so that /path maps to https://whatever.com/path
Redirect permanent / https://whatever.com/
</VirtualHost>

That said, if you are still setting it up, you may want to consider nginx. I used to use Apache and felt pretty comfortable with having multiple sites on the same server all with https. But once I switched to nginx I realized how it could be *sooo* much simpler.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline
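
Added example, not part of any post in this thread: a catch-all default vhost for each port plus a redirect-only stub for a named site, combining the two questions in post #1 with the Redirect directive from post #2. The name catchall.invalid, the catch-all log files and the catch-all certificate paths are placeholders assumed for illustration.

```apache
# Added example: names and paths marked "placeholder" are assumptions.
# Load this file before the per-site vhost files: for each address:port the
# FIRST matching <VirtualHost> is the default when no ServerName/ServerAlias
# matches the Host header. Once *:80 / *:443 vhosts exist, the main-server
# section no longer handles requests on those ports.

# Catch-all for plain HTTP (bare IP address, unknown Host header)
<VirtualHost *:80>
    # placeholder name that no real site uses
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
    # placeholder log paths
    ErrorLog "/var/log/httpd/catchall_error.log"
    CustomLog "/var/log/httpd/catchall_access.log" combined
</VirtualHost>

# Catch-all for HTTPS; it needs some certificate to complete the handshake
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    # placeholder paths, e.g. a self-signed pair
    SSLCertificateFile "/etc/httpd/conf/catchall.crt"
    SSLCertificateKeyFile "/etc/httpd/conf/catchall.key"
    <Location "/">
        Require all denied
    </Location>
    ErrorLog "/var/log/httpd/catchall_error.log"
    CustomLog "/var/log/httpd/catchall_access.log" combined
</VirtualHost>

# Redirect-only stub for a named site. No DocumentRoot is needed because
# mod_alias answers every path before anything is mapped to the filesystem.
<VirtualHost *:80>
    ServerName hostname.example.com
    # Fixed target (not built from the client-supplied Host header); the
    # trailing slash makes /path redirect to https://hostname.example.com/path
    Redirect permanent "/" "https://hostname.example.com/"
    ErrorLog "/var/log/httpd/hostname.example.com_error.log"
    CustomLog "/var/log/httpd/hostname.example.com_access.log" combined
</VirtualHost>
```

Running `httpd -S` after a reload prints the vhost table and marks the default server for each address:port, which confirms the catch-all was loaded first.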

#3 2019-10-23 16:54:35

dviktor
Member
From: Moscow
Registered: 2015-10-18
Posts: 162

Re: Proper stub for HTTP vhosts in Apache

I've written my config relying on the Mozilla SSL advisor tool. I'll take a look at nginx eventually, but right now I'm constrained in time and just want to be sure about possible pitfalls. Anyway, thanks for the answer.

Offline
