Linode Forum
Linode Community Forums
Posted: Sat Jul 27, 2013 12:36 am
Senior Newbie

Joined: Sun Jul 14, 2013 4:39 am
Posts: 18
Hi, I'm trying to figure out why my Apache2 serves up my web page using https but not regular http. I verified that Apache is listening on 80 as well as 443, that I have an active DNS record in my Linode Manager, and that reverse DNS is set up as well.

The default virtual host in sites-available directory has a correct entry for document root setting. I have three files in sites-available:

Code:
default default-ssl laftechsecure.net


laftechsecure.net is the site I am trying to get up and running. I noticed earlier that default and default-ssl had the default /var/www entries for document root so I went ahead and changed those to the correct value and restarted Apache using:

Code:
sudo service apache2 restart


but still have the same problem. I also noticed that all of the directories under sites-available had become owned by root (I have a bad habit of doing things under root) and I was pretty sure they were owned by my user account earlier so I ran:

chown -R steve:steve sites-available

And just to straighten out any potential problems with permissions, I ran chmod 775 on these directories and re-ran chmod a+rx on my home directory and chmod -R a+rx ~/public (on the directory hosting my web files per Linode instructions).

And of course, I'm still having the same problem! So once again I turn to you good people. Please, can anyone point me in the right direction? Thanks.

Edit: The site that is working is https://www.laftechsecure.net

Site that is not working is http://www.laftechsecure.net (same site just standard http).

In case it may help, here is my conf for laftechsecure.net. Please let me know if you need any other files:

Code:
# domain: example.com
# public: /home/example_user/public/example.com/

<VirtualHost 198.58.111.161:443>
     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/www.laftechsecure.net.crt
     SSLCertificateKeyFile /etc/apache2/ssl/www.laftechsecure.net.key
     SSLCACertificateFile /etc/apache2/ssl/ca.txt

# SSLCACertificateFile /etc/apache2/ssl/positivessl.cer

     ServerAdmin webmaster@laftechsecure.net
     ServerName www.laftechsecure.net
     DocumentRoot /home/steve/public/laftechsecure.net/public
     ErrorLog /home/steve/public/laftechsecure.net/log/error.log
     CustomLog /home/steve/public/laftechsecure.net/log/access.log combined
</VirtualHost>


Posted: Sat Jul 27, 2013 2:17 am
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
I see a VirtualHost for *.161:443, do you have one for *.161:80? Most http daemons require that you specify both if you want both.

_________________
Kris the Piki Geeker


Posted: Sat Jul 27, 2013 4:05 am
Senior Newbie

Joined: Sun Jul 14, 2013 4:39 am
Posts: 18
Thanks, I thought that the file in sites-enabled was to configure for ssl and that ports.conf called regular http. I read that I could combine the two statements on one line and that it would be best to use asterisks instead of an ip address to resolve the hostname so I changed my first line to:

Code:
<VirtualHost *:80 *:443>


but when I tried connecting this way, I kept getting a generic Apache error about talking to an SSL site using plain text http.

I looked in ports.conf and there was no NameVirtualHost defined, just a Listen 80 statement. So I tried placing the ip address, however I kept getting a warning: NameVirtualHost 198.58.111.161:80 has no VirtualHosts whenever I reload/restart Apache.

I went back into laftechsecure.net in sites-enabled and tried adding Listen 80 and Listen 443 but the webserver would fail to load. So now I have the first line set to:

Code:
<VirtualHost 198.58.111.161:80 198.58.111.161:443>


and there are no errors but I'm still having the same problem.


Posted: Sat Jul 27, 2013 4:16 am
Senior Member

Joined: Sun Apr 26, 2009 3:37 am
Posts: 72
Website: http://wiggenhorn.org/
I think you'll need to separate this into two VirtualHost definitions, one for your non-SSL site and another for your SSL site. The SSL VirtualHost should include the various SSL directives (SSLEngine, SSLCertificateFile, etc.), and the non-SSL VirtualHost should omit them.


Posted: Sat Jul 27, 2013 3:20 pm
Senior Newbie

Joined: Sun Jul 14, 2013 4:39 am
Posts: 18
Thanks, that did it. I created two separate definitions and when I first went to reload configuration I received a "NameVirtualHost *:80 has no VirtualHosts" error but everything was working. I commented out NameVirtualHost in ports.conf and now I no longer receive the error.

Now I am just trying to include the CACertificate in the definition for *:80 for the SSL certificate I purchased. I know that it can't be used with the key for port 80 but I thought there was a way to have it show a kind of digital signature from the issuing agency I purchased it from.

Oh well, it's working fine for https and I plan on using my .htaccess file to have clients connect to https after receiving an http request. If I may ask, is this a "graceful" thing? Meaning if https is not possible for client then the client will just continue on http? Many thanks.


Posted: Tue Jul 30, 2013 7:13 pm
Senior Member

Joined: Sun Apr 26, 2009 3:37 am
Posts: 72
Website: http://wiggenhorn.org/
IceClimber wrote:
Oh well, it's working fine for https and I plan on using my .htaccess file to have clients connect to https after receiving an http request. If I may ask, is this a "graceful" thing? Meaning if https is not possible for client then the client will just continue on http? Many thanks.


You have clients that can't do SSL? Are they using something that predates IE 5?

I'd just redirect all http requests to the equivalent https URL and not worry about gracefully handling clients that cannot support SSL (unless you have some very interesting clients).
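
The layout suggested in the replies above (two separate VirtualHost definitions, with plain HTTP redirected to HTTPS), written out as an added example that is not part of the original posts. The hostname, paths and SSL directives are copied from the first post; the `*:80` / `*:443` addresses and the `Redirect` line are assumptions about how the site would be laid out.

```apache
# Added example, not from the original posts.
# Hostname, paths and SSL directives come from the first post;
# the *:80 / *:443 addresses and the Redirect line are assumptions.

# Before: one block bound to both ports. SSLEngine On then applies to
# port 80 too, which is what produced the "plain HTTP to an SSL site"
# error described in the thread.
# <VirtualHost *:80 *:443>
#      SSLEngine On
# </VirtualHost>

# After, part 1: plain HTTP. No SSL directives in this block.
<VirtualHost *:80>
     ServerAdmin webmaster@laftechsecure.net
     ServerName www.laftechsecure.net

     # mod_alias: permanent (301) redirect, request path preserved.
     # To serve the site over plain HTTP instead, replace this line with
     # the same DocumentRoot used in the *:443 block.
     Redirect permanent / https://www.laftechsecure.net/

     ErrorLog /home/steve/public/laftechsecure.net/log/error.log
     CustomLog /home/steve/public/laftechsecure.net/log/access.log combined
</VirtualHost>

# After, part 2: HTTPS. All SSL directives live only here.
<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/www.laftechsecure.net.crt
     SSLCertificateKeyFile /etc/apache2/ssl/www.laftechsecure.net.key
     SSLCACertificateFile /etc/apache2/ssl/ca.txt

     ServerAdmin webmaster@laftechsecure.net
     ServerName www.laftechsecure.net
     DocumentRoot /home/steve/public/laftechsecure.net/public
     ErrorLog /home/steve/public/laftechsecure.net/log/error.log
     CustomLog /home/steve/public/laftechsecure.net/log/access.log combined
</VirtualHost>
```

`apache2ctl configtest` checks the syntax before a reload, and `apache2ctl -S` prints which virtual host answers on each address and port.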


Posted: Tue Jul 30, 2013 7:24 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
If it's IE of any version, just ask them to switch to a more secure browser :wink:

AFAIK CA Certs are useless for a non-https connection, and I've never heard of having a digital signature for a website.

I agree with dcraig about redirecting http requests to https -- at the very least, for any sort of registration, login (and post-login), or form type deal. For anything else, I think it useless to force https.

_________________
Kris the Piki Geeker


Posted: Sat Aug 03, 2013 10:09 pm
Senior Newbie

Joined: Sun Jul 14, 2013 4:39 am
Posts: 18
I see. I thought there was an option for users to disable SSL in the browser. I also plan on offering users an option to login using SSL but that is only for a part of the site where they can upload a file so it worked out well.

Digital signature was the wrong word but what I meant was something that verifies who you are, a la Verisign. I didn't realize these were Extended Evaluation certificates, which are far too expensive.

I agree, it is pretty useless to force normal pages to use SSL but part of my site deals with computer security so I thought it would look better to use https. I still plan on using .htaccess to force https but so far it's been harder than I thought to find a free php script that works. Oh well, I'll find one soon.

