Linode Community Forums
PostPosted: Fri Jan 09, 2015 10:30 am 
Junior Member

Joined: Sat Nov 06, 2010 4:36 am
Posts: 45
Cromulent wrote:
douglerner wrote:
As a final note here, it does seem Linode support was correct. I was able to create the PHP scripts to connect with the LinkedIn API and am successfully connecting and getting full profiles back after a user grants authorization.

So there are no current problems.

Again, thanks for the help people.

doug


Your Apache configuration is still wrong. You need to stop serving HTTP traffic on port 443 (which is meant for SSL only).

Plus I can access your access.log and error.log from the website which you really really want to stop.

So you need to fix your Apache config as well (as many other people have said in this thread).


How are you viewing the access.log and error.log so I can confirm I can block it?

Thanks,

doug


PostPosted: Fri Jan 09, 2015 10:36 am 
Senior Newbie

Joined: Fri Mar 08, 2013 5:47 am
Posts: 15
douglerner wrote:
Cromulent wrote:
douglerner wrote:
As a final note here, it does seem Linode support was correct. I was able to create the PHP scripts to connect with the LinkedIn API and am successfully connecting and getting full profiles back after a user grants authorization.

So there are no current problems.

Again, thanks for the help people.

doug


Your Apache configuration is still wrong. You need to stop serving HTTP traffic on port 443 (which is meant for SSL only).

Plus I can access your access.log and error.log from the website which you really really want to stop.

So you need to fix your Apache config as well (as many other people have said in this thread).


How are you viewing the access.log and error.log so I can confirm I can block it?

Thanks,

doug



http://eldisodi.webcrossing.com:443/eld ... access.log
http://eldisodi.webcrossing.com:443/eld ... g.com/log/
http://eldisodi.webcrossing.com:443/eld ... ssing.com/
http://eldisodi.webcrossing.com:443/


PostPosted: Fri Jan 09, 2015 10:43 am 
Junior Member

Joined: Sat Nov 06, 2010 4:36 am
Posts: 45
Thanks. I'll check about blocking those.

doug


PostPosted: Fri Jan 09, 2015 10:45 am 
Senior Member

Joined: Wed Oct 20, 2010 12:35 pm
Posts: 111
Location: United Kingdom
douglerner wrote:
I don't know what to say about the HTTP traffic on port 443 issue. Linode support disagrees.


I hate to contradict people who know more about Linux than myself but if they said it was fine and OK to serve HTTP (and not HTTPS) on port 443 they were wrong.


PostPosted: Fri Jan 09, 2015 10:51 am 
Junior Member

Joined: Sat Nov 06, 2010 4:36 am
Posts: 45
Cromulent wrote:
douglerner wrote:
I don't know what to say about the HTTP traffic on port 443 issue. Linode support disagrees.


I hate to contradict people who know more about Linux than myself but if they said it was fine and OK to serve HTTP (and not HTTPS) on port 443 they were wrong.


Perhaps so. I'm discussing it with them again.

Thanks,

doug


PostPosted: Fri Jan 09, 2015 11:34 am 
Junior Member

Joined: Wed Mar 28, 2012 4:29 pm
Posts: 38
douglerner wrote:
Cromulent wrote:
douglerner wrote:
I don't know what to say about the HTTP traffic on port 443 issue. Linode support disagrees.


I hate to contradict people who know more about Linux than myself but if they said it was fine and OK to serve HTTP (and not HTTPS) on port 443 they were wrong.


Perhaps so. I'm discussing it with them again.

Thanks,

doug


To be more precise: You can serve HTTP on any port if you want, but in 99.999% of cases you'll want to be serving HTTPS on port 443 because that's what the rest of the world expects.

Kinda like how your car will physically be able to drive the wrong way on the highway, but people might be surprised if they come across you.


PostPosted: Fri Jan 09, 2015 11:47 pm 
Junior Member

Joined: Sat Nov 06, 2010 4:36 am
Posts: 45
Well, for some reason all the things Support asked me to try didn't work, and the directories were still exposed via port 443. We closed all the Listening to 443 in all the Apache configuration files, but it didn't seem to make a difference.

But I just tried this myself and it seems to have worked, and is not adversely affecting my PHP API to LinkedIn:

1. I edited /etc/iptables.firewall.rules

2. I commented out the line

-A INPUT -p tcp --dport 443 -j ACCEPT

3. I ran the following command:

iptables-restore < /etc/iptables.firewall.rules

That seems to have worked. I believe you cannot get to the log files or see the index via 443 now. Anybody feel like confirming?

I think instead of commenting out the ACCEPT line I could have just changed ACCEPT to DROP. Would that have been preferable?

Thanks,

doug


PostPosted: Fri Jan 09, 2015 11:51 pm 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
Code:
apache2ctl -S


- Les


PostPosted: Sat Jan 10, 2015 12:11 am 
Junior Member

Joined: Sat Nov 06, 2010 4:36 am
Posts: 45
akerl wrote:
Code:
apache2ctl -S


- Les


Sorry. Can you tell me what you are asking me to do? Are you saying to use that command instead of what I did with the IP tables? Or in addition to what I've already done?

Thanks,

doug


PostPosted: Sat Jan 10, 2015 12:41 am 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
I asked for the output of that command at the beginning of this adventure, and I'm asking for it again now.

Blocking port 443 at iptables is a bandaid over the real problem, and if there's ever an issue that prevents the firewall rules from loading in the future or negates that rule, your misconfigured virtualhost will be exposed again.

- Les


PostPosted: Sat Jan 10, 2015 12:44 am 
Junior Member

Joined: Sat Nov 06, 2010 4:36 am
Posts: 45
akerl wrote:
I asked for the output of that command at the beginning of this adventure, and I'm asking for it again now.

Blocking port 443 at iptables is a bandaid over the real problem, and if there's ever an issue that prevents the firewall rules from loading in the future or negates that rule, your misconfigured virtualhost will be exposed again.

- Les


I see. Sorry, I did not notice your previous request. Here is the output of that command:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 176.58.126.189. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 eldisodi.webcrossing.com (/etc/apache2/sites-enabled/eldisodi.webcrossing.com.conf:4)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33


PostPosted: Sat Jan 10, 2015 12:50 am 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
And you've restarted Apache since changing your configs? What's in /etc/apache2/sites-enabled/eldisodi.webcrossing.com.conf ? Also /etc/apache2/ports.conf?


PostPosted: Sat Jan 10, 2015 1:10 am 
Junior Member

Joined: Sat Nov 06, 2010 4:36 am
Posts: 45
Yes, after changing config files I always run

service apache2 start

Here are the other contents.

/etc/apache2/sites-enabled/eldisodi.webcrossing.com.conf

# domain: example.com
# public: /var/www/example.com/public_html/

<VirtualHost *:80>
# Admin email, Server Name (domain name), and any aliases
ServerAdmin doug@elliptics.com
ServerName eldisodi.webcrossing.com
ServerAlias eldisodi.webcrossing.com

# Index file and Document Root (where the public files are located)
DirectoryIndex index.html index.php
DocumentRoot /var/www/eldisodi.webcrossing.com/public_html
# Log file locations
LogLevel warn
ErrorLog /var/www/eldisodi.webcrossing.com/log/error.log
CustomLog /var/www/eldisodi.webcrossing.com/log/access.log combined
Options -Indexes
</VirtualHost>

/etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
# Listen 443
</IfModule>

<IfModule mod_gnutls.c>
# Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


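The two files above, read together with the apache2ctl -S output earlier in the thread, explain the exposure independently of the firewall rule. The main server's DocumentRoot is /var/www, the only VirtualHost is bound to *:80, and the site's ErrorLog and CustomLog live under /var/www/eldisodi.webcrossing.com/log/. A request arriving on a port that has a Listen directive but no VirtualHost is handled by the main server from its own DocumentRoot, so while Listen 443 was in effect port 443 served /var/www, log directory included; a bare Listen 443 with no VirtualHost carrying SSLEngine on also means plaintext HTTP on that port. The Options -Indexes inside the *:80 VirtualHost never applied to those requests. The script below is an added example, not code from the thread or from Apache: it parses constructed copies of the two posted files (the pre-edit ports.conf with Listen 443 uncommented is an assumption about the earlier state) and flags listening ports with no VirtualHost behind them and log files stored under any served DocumentRoot, then runs the same audit on a variant with the logs moved to /var/log/apache2 (the suggested fix, also an assumption), which comes back clean.

```python
"""Audit Apache listeners, VirtualHosts and log locations for two problems:
a listening port with no VirtualHost behind it (the main server answers it
from its own DocumentRoot) and log files stored under a served directory.

Added example, not code from the thread or from Apache. The config strings
are constructed from the files posted in the thread; the "before" ports.conf
with Listen 443 uncommented is an assumption about the earlier state, and
the "after" VirtualHost with logs under /var/log/apache2 is the suggested fix.
"""
import re
from pathlib import PurePosixPath

PORTS_CONF_BEFORE = """\
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
"""

PORTS_CONF_AFTER = """\
Listen 80
"""

VHOST_CONF_BEFORE = """\
<VirtualHost *:80>
    ServerName eldisodi.webcrossing.com
    DocumentRoot /var/www/eldisodi.webcrossing.com/public_html
    ErrorLog /var/www/eldisodi.webcrossing.com/log/error.log
    CustomLog /var/www/eldisodi.webcrossing.com/log/access.log combined
    Options -Indexes
</VirtualHost>
"""

VHOST_CONF_AFTER = """\
<VirtualHost *:80>
    ServerName eldisodi.webcrossing.com
    DocumentRoot /var/www/eldisodi.webcrossing.com/public_html
    ErrorLog /var/log/apache2/eldisodi-error.log
    CustomLog /var/log/apache2/eldisodi-access.log combined
</VirtualHost>
"""

# Uncommented directives only, so "# Listen 443" does not count. A Listen
# inside <IfModule> is treated as active, i.e. we assume the module is loaded.
_LISTEN = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)\b", re.M | re.I)
_VHOST = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.M | re.I)
_DOCROOT = re.compile(r"^\s*DocumentRoot\s+\"?([^\s\"]+)", re.M | re.I)
_LOG = re.compile(r"^\s*(?:ErrorLog|CustomLog)\s+\"?([^\s\"]+)", re.M | re.I)


def _vhost_ports(addr: str) -> set:
    """Ports named in a <VirtualHost ...> address list such as '*:80 *:443'."""
    ports = set()
    for tok in addr.split():
        port = tok.rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def _is_under(path: str, root: str) -> bool:
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def audit_apache(ports_conf: str, vhost_confs: list, main_docroot: str) -> list:
    """Return a list of findings; an empty list means clean."""
    findings = []
    listening = {int(p) for p in _LISTEN.findall(ports_conf)}
    vhost_ports, docroots, logs = set(), {main_docroot}, []
    for conf in vhost_confs:
        for addr in _VHOST.findall(conf):
            vhost_ports |= _vhost_ports(addr)
        docroots.update(_DOCROOT.findall(conf))
        logs.extend(_LOG.findall(conf))
    # A Listen port with no VirtualHost is answered by the main server, which
    # serves main_docroot ("Main DocumentRoot" in apache2ctl -S output).
    for port in sorted(listening - vhost_ports):
        findings.append(
            f"port {port}: Listen with no VirtualHost; main server serves {main_docroot} there"
        )
    # A log file inside any served tree is one URL away from being downloaded.
    for log in logs:
        for root in sorted(docroots):
            if _is_under(log, root):
                findings.append(f"log {log} is under served DocumentRoot {root}")
    return findings


if __name__ == "__main__":
    for label, ports, vhost in (("before", PORTS_CONF_BEFORE, VHOST_CONF_BEFORE),
                                ("after", PORTS_CONF_AFTER, VHOST_CONF_AFTER)):
        print(label, audit_apache(ports, [vhost], "/var/www") or ["clean"])
```

Run it against the real files with something like `audit_apache(open("/etc/apache2/ports.conf").read(), [open(p).read() for p in glob.glob("/etc/apache2/sites-enabled/*.conf")], "/var/www")`, taking the main DocumentRoot from apache2ctl -S. The parser is deliberately simple: it does not expand ${APACHE_LOG_DIR}, follow Include directives, or evaluate IfModule, so treat a clean result as a reason to look less hard, not as proof.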
PostPosted: Sat Jan 10, 2015 1:21 am 
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
You realize, of course, that "service apache2 start" starts apache2, it doesn't restart it?

You want "service apache2 restart".

- Les


PostPosted: Sat Jan 10, 2015 1:52 am 
Junior Member

Joined: Sat Nov 06, 2010 4:36 am
Posts: 45
akerl wrote:
You realize, of course, that "service apache2 start" starts apache2, it doesn't restart it?

You want "service apache2 restart".

- Les


Actually, I did not realize that. Let me try and undo the IP table thing and try the restart.

(pause to try)

I just did the following:

1. I edited vi /etc/iptables.firewall.rules and restored it to its original configuration, where there is a line

-A INPUT -p tcp --dport 443 -j ACCEPT

in it and ran

iptables-restore < /etc/iptables.firewall.rules

Immediately after doing that I could see the directory with a 443 connection again.

2. I ran

service apache2 restart

Immediately after that I got a failure to connect with a 443 connection.

And my PHP API is still working on port 80.

Thank you very much. I'm very grateful. I'm sorry for any confusion I caused by my inexperience with this.

I guess this seems ok now, right?

Regards,

doug


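Twice in this thread someone asks for confirmation of the state of port 443, once after the iptables change and once after the Apache restart, and the answer in both cases was obtained by loading a URL in a browser. The probe below is an added example, not code from the thread: it reports whether a host:port is closed (the result after the restart), completes a TLS handshake (what the rest of the world expects on 443), or answers a plaintext HTTP/1.0 request with a status line (the state that was wrong). The TLS attempt comes first on purpose, because Apache's mod_ssl answers a plaintext request on a TLS port with an HTTP 400 error page, so probing plain HTTP first would misclassify a healthy HTTPS port. Certificate verification is switched off since only the protocol is being detected, not trust. The local throwaway server is constructed so the script runs offline; against the thread's host the call would be classify_port("eldisodi.webcrossing.com", 443).

```python
"""Probe what a TCP port speaks: closed, TLS, plain HTTP, or unknown.

Added example (not from the thread). The local server below is constructed
so the script runs offline; against the thread's host the call would be
classify_port("eldisodi.webcrossing.com", 443).
"""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return "closed", "tls", "plain-http (<status line>)" or "unknown"."""
    # 1. Does anything accept the connection at all?
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, timed out, unreachable
        return "closed"

    # 2. Try a TLS handshake first. Verification is disabled on purpose: the
    #    question is whether TLS is spoken at all, not whether the cert is valid.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except (ssl.SSLError, OSError):
        pass  # not TLS: wrong version number, reset, or no ServerHello in time

    # 3. Fresh connection: speak plain HTTP/1.0 and look for a status line.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            head = s.recv(1024)
    except OSError:
        return "unknown"
    if head.startswith(b"HTTP/"):
        status = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"plain-http ({status})"
    return "unknown"


class _Quiet(HTTPServer):
    """Throwaway server: swallow handler errors caused by our TLS probe bytes."""

    def handle_error(self, request, client_address):
        pass


class _Listing(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured port serving plain HTTP."""

    def do_GET(self):
        body = b"<html>Index of /</html>\n"  # constructed directory-listing stand-in
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_plain_http_server() -> tuple:
    """Start the constructed plain-HTTP server on an ephemeral localhost port."""
    srv = _Quiet(("127.0.0.1", 0), _Listing)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port() -> int:
    """Pick a localhost port nothing listens on (tiny race, fine for a demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_plain_http_server()
    try:
        print(f"127.0.0.1:{port} ->", classify_port("127.0.0.1", port))
    finally:
        srv.shutdown()
        srv.server_close()
    print("closed port ->", classify_port("127.0.0.1", free_closed_port()))
```

A result of "closed" matches what the restart produced; "tls" is what a finished HTTPS setup should give; "plain-http" on 443 is the condition the thread is about. Note that the probe checks the server as seen from wherever it runs, so a firewall rule such as the iptables DROP discussed above also yields "closed" even while Apache is still bound to the port, which is exactly why the apache2ctl -S output was the more useful check.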