KloxoMR https not working after update

[chrisf]

I can not reach kloxoMR on https after latest update.  Http:7778 works, https:7777 times out.

?

[MRatWork]

I found something wrong with https for website in hiawatha but running well for panel.

Look like something wrong 'code' related to polarssl.

[chrisf]

Nothing wrong with polarssl, it was your config.  I have reported numerous times that hiawatha config is much different than apache.  I have ssl working great on our main site, hiawatha.

I fixed the panel as well, it is now working.

Also, investigate how hiawatha uses its cert files, it is different than apache.  I have had to do ours manually and chattr +i them.

[MRatWork]

So, what's your config?.

[chrisf]

Hold on, will get it and post

First you MUST remove the RequiredCA directive,  this is not for .ca files as you think.  By turning this on (web) it will stop all connections to the webserver unless the browser provides this CA, this has nothing to do with SSL.

In hiawatha, .ca is appended to the .pem for SSL.

[chrisf]

This is our custom.hiawatha.conf.base:

Code: [Select]

# Hiawatha main configuration file
# Convictions Hosting Custom - September 9th

ServerString = Hiawatha_for_Kloxo-MR

ServerId = lxlabs
ConnectionsTotal = 2048
ConnectionsPerIP = 64
SystemLogfile = /usr/local/lxlabs/kloxo/log/hiawatha-system.log
GarbageLogfile = /usr/local/lxlabs/kloxo/log/hiawatha-garbage.log

MaxUrlLength = 65536

PIDfile = /usr/local/lxlabs/kloxo/init/kloxo-hiawatha.pid

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

ThreadPoolSize = 50

#CGIhandler = /opt/php53s/usr/bin/php-cgi:php
#ExecuteCGI = yes
WaitForCGI = yes

FastCGIserver {
        FastCGIid = PHP5
        #ConnectTo = 127.0.0.1:39000
        ConnectTo = /usr/local/lxlabs/kloxo/init/kloxo-phpcgi.sock
        Extension = php
}

MimetypeConfig = hiawatha-mimetype.conf

UrlToolkit {
    ToolkitID = findindexfile
    Match ^([^?]*)/(\?.*)?$ Rewrite $1/index.php$2 Continue
    RequestURI isfile Return
    Match ^([^?]*)/index\.php(\?.*)?$ Rewrite $1/index.html$2 Continue
    RequestURI isfile Return
    Match ^([^?]*)/index\.html(\?.*)?$ Rewrite $1/index.htm$2 Continue
    RequestURI isfile Return
    Match ^([^?]*)/index\.htm(\?.*)?$ Rewrite $1/$2 Continue
}

UrlToolkit {
    ToolkitID = expire_needed
    Match .*\.jpg$ Expire 1 weeks
    Match .*\.png$ Expire 1 weeks
    Match .*\.gif$ Expire 1 weeks
    Match .*\.css$ Expire 1 weeks
    Match .*\.js$ Expire 1 weeks
    Match .*\.gif$ Expire 1 weeks
    Match .*\.eot$ Expire 1 weeks
    Match .*\.svg$ Expire 1 weeks
    Match .*\.ttf$ Expire 1 weeks
    Match .*\.ico$ Expire 1 weeks
}

Binding {
        BindingId = port_nonssl
        Port = __nonssl_port__
        #Interface = 0.0.0.0
        MaxKeepAlive = 200
        TimeForRequest = 8,25
        MaxRequestSize = 102400
        ## not able more than 100MB; hiawatha-9.3-2 able until 2GB
        MaxUploadSize = 2000
}

Binding {
        BindingId = port_ssl
        Port = __ssl_port__
        #Interface = 0.0.0.0
        MaxKeepAlive = 200
        TimeForRequest = 8,25
        MaxRequestSize = 102400
        ## not able more than 100MB; hiawatha-9.3-2 able until 2GB
        MaxUploadSize = 2000
        #RequiredCA = /usr/local/lxlabs/kloxo/etc/program.ca
        SSLcertFile = /usr/local/lxlabs/kloxo/etc/program.pem
}

## CF - no need for Virtual Host, all default to this:
Hostname = 0.0.0.0
WebsiteRoot = /usr/local/lxlabs/kloxo/httpdocs
StartFile = index.php
AccessLogfile = /usr/local/lxlabs/kloxo/log/hiawatha-access.log
ErrorLogfile = /usr/local/lxlabs/kloxo/log/hiawatha-error.log
SecureURL = no
UseFastCGI = PHP5
UseToolkit = findindexfile, expire_needed
TimeForCGI = 3600
ErrorHandler = 401:/error/401.html
ErrorHandler = 403:/error/403.html
#ErrorHandler = 404:/error/404.html
ErrorHandler = 404:/theme/lbin/sitepreview.php
ErrorHandler = 501:/error/501.html
ErrorHandler = 503:/error/503.html

Comments:
No need declare virtual host, all go to the default.  This stops all wigwam errors.
Values for maxkeepalive and timeforrequest are now within the proper range.
secureurl = no to stop phpmyadmin sort errors

You need to add the requiredssl directive if the option to force ssl for the panel is checked

[MRatWork]

Hi, nothing problem with hiawatha for panel but for website.

So, access to panel via https (port 7777) running well. The problem is access to website via https (port 443).

[chrisf]

no, it doesn't work with your current hiawatha.conf.base.  if I delete custom. file and restart. KloxoMR will not respond on port 7777 https, will on http 7778.  This is because in new hiawatha.conf.base you declare SSL under the virtual host, instead of under the binding.

The website issue is due to you defining the SSL under the virtual host.  Since we use dedicated ip's, we are not seeing the problem you are having.  But when you define the SSL inside of the virtual host hiawatha uses its SNI capabilities.

More on SNI:
http://www.networking4all.com/en/ssl+certificates/faq/server+name+indication/

Defining under binding doesn't require SNI, and causes a warning to display in the browser (not trusted, self signed, etc), instead of timeout.  You can declare a binding for a cert, then attach it to a virtual domain.  As I said, it is much different than apache.  As long as you don't define a interface, you can just have a binding for each website that uses it, and require that binding to be used. (For SSL)

[MRatWork]

Latest version already fix this issue. But, 'MinSSLversion' still not work.