ProxyPass/ProxyReverse behaves differently on 2 servers

Everything concerning Apache can be discussed here.

Postby hartings » 27. October 2022 20:44

Guys, I run a webserver and an emailserver on the same server hardware. I have a running server ("server1"), which needs to be replaced by a newer version ("server"). My httpd webserver is listening on port 80/443(secure) and the mailserver Surgemail on port 7080/7443(secure).
The old server runs httpd 2.4.37-43 and the new one 2.4.51-7. Both have LetsEncrypt working certificates and redirect http requests to https. http://mydomain.se is nicely transferred to https://mydomain.se on BOTH servers:

Code:
<VirtualHost *:80>
    ServerName mydomain.se
    Redirect / https://mydomain.se/
    ServerAlias www.mydomain.se
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.mydomain.se [OR]
    RewriteCond %{SERVER_NAME} =mydomain.se
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Include /etc/httpd/conf/httpd-le-ssl.conf


The old server has these lines in httpd.conf, to be able to run mailserver through port 80:

Code:
ProxyPass /webmail/ http://mydomain.se:7080/surgeweb
ProxyPassReverse /webmail/ http://mydomain.se:7080/surgeweb


All webmail requests on the old server on https://mydomain.se/webmail are redirected to https://mydomain.se/surgeweb, which triggers the secure emailserver webversion. Works very well and has done so for many years. The folder webmail exists on both systems in /var/www/html.
surgeweb is the Surgemail command to trigger the webversion of the emailserver which listens on secure port 7443.

On my new server, I have the same ProxyPass/ProxyReverse lines in httpd.conf, but it doesn't send the webmail requests to the emailserver or it cannot handle them:

When I write in the browser on the new server:
- https://mydomain.se/webmail it says: "Service unavailable - The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later." But the server is up and running.
- http://mydomain.se:7080/surgeweb, the mailserver shows its pages, but warns that the site is not secure, which is correct.
- https://mydomain.se:7443/surgeweb , the mailserver replies as it should and the site is secure.

As the httpd.conf files are identical on both servers, I don't understand why it doesn't work on the new server.

I tried to use different alternative lines:
Code:
ProxyPass /webmail/ https://mydomain.se:7443/surgeweb
ProxyPassReverse /webmail/ https://mydomain.se:7443/surgeweb

And " /webmail " instead of " /webmail/ "

None of them work on the new server.
I checked that the modules being loaded are identical - mod_proxy is among them.

What do I have to do to get requests for https://mydomain.se/webmail to be redirected to https://mydomain.se/surgeweb ??
Any hints are very welcome!!

Thanks for reading!
hartings
 
Posts: 5
Joined: 26. October 2022 16:18
XAMPP version: 2.4
Operating System: Rocky Linux 9

Re: ProxyPass/ProxyReverse behaves differently on 2 servers

Postby Nobbie » 28. October 2022 11:01

What is mydomain.se? You probably have a declaration in the hosts file of the old server, but forgot to carry it over to the hosts file of the new server. So the new server cannot resolve the IP for mydomain.se.
Nobbie
 
Posts: 13176
Joined: 09. March 2008 13:04

Re: ProxyPass/ProxyReverse behaves differently on 2 servers

Postby hartings » 28. October 2022 11:08

Sorry. Just wanted to be a bit more "general" in my question.
mydomain.se is just a symbolic name in this specific post, replacing my website real name :-)
The hosts file contains of course the right domain name and the IP number so it resolves perfectly. My website shows without any problem on both servers, which are intended to be copies of each other, as the old server needs to be replaced by the new one.
hartings
 
Posts: 5
Joined: 26. October 2022 16:18
XAMPP version: 2.4
Operating System: Rocky Linux 9

Re: ProxyPass/ProxyReverse behaves differently on 2 servers

Postby hartings » 28. October 2022 11:35

Found a solution - But it doesn't explain why the servers behave differently. Anyhow, there is a solution!

Add in
<VirtualHost _default_:443>
...
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/webmail [NC]
RewriteRule ^ https://mydomain.se:7443/surgeweb [NE,L]
....
</VirtualHost>
hartings
 
Posts: 5
Joined: 26. October 2022 16:18
XAMPP version: 2.4
Operating System: Rocky Linux 9

Re: ProxyPass/ProxyReverse behaves differently on 2 servers

Postby Nobbie » 29. October 2022 13:20

Actually, I don't get it at all. Why does Server1 "https://mydomain.se/webmail are redirected to https://mydomain.se/surgeweb"?? There is no configuration line for that.

To analyze it, https://mydomain.se/webmail is identical to https://mydomain.se:443/webmail
And next, https://mydomain.se/surgeweb is identical to https://mydomain.se:443/surgeweb

I don't see any redirect, nor any ProxyPass, which redirects on 443 from webmail to surgeweb. Nothing.

I assume (I can only puzzle around) that there is also a .htaccess file or similar which does the necessary redirect. There is no redirect in Server1. Only in Server2 (the new lines you added in the VirtualHost *:443). For me, it looks very strange that Server1 is running flawlessly, as there is definitely a proper redirect missing.

P.S.: The ProxyPass in httpd.conf (which is NOT in the context of a VirtualHost) also looks very suspicious:

Code:
ProxyPass /webmail/ http://mydomain.se:7080/surgeweb
ProxyPassReverse /webmail/ http://mydomain.se:7080/surgeweb


Assume you enter https://mydomain.se/webmail into the browser: the unconditional ProxyPass passes from the SSL context https://mydomain.se/webmail to the non-SSL server http://mydomain.se:7080/surgeweb - OUCH!! That is brutal and I can't believe it is working correctly. You then have a Redirect on Port 80 (which is never used in your setup), which redirects to https://mydomain.se (on Port 443). I really wonder how Server1 could run correctly.

Last but not least, the VirtualHost *:80 is a mess:

Code:
    ServerName mydomain.se
    Redirect / https://mydomain.se/
    ServerAlias www.mydomain.se
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.mydomain.se [OR]
    RewriteCond %{SERVER_NAME} =mydomain.se
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


There is an unconditional Redirect from / to https://mydomain.se/, followed by semantically the same Redirect again(!), this time using the URL Rewriting. Why?? You can delete all 4 lines of the RewriteEngine, that is useless. Anyway, already the RewriteCond ServerName = www.mydomain.se or mydomain.se is ALWAYS true, as you are in the VirtualHost context of just these ServerNames (and ServerAlias). Actually, that configuration is a pain, who did that? It's a miracle that you got it running.
Nobbie
 
Posts: 13176
Joined: 09. March 2008 13:04
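
The two points raised in the post above (a ProxyPass outside any VirtualHost, and a TLS front end forwarding to the plain-HTTP port 7080) can be addressed as in the following added example, which is not part of the thread or either poster's configuration. It assumes the mail server's certificate on port 7443 is valid for mydomain.se, that mod_ssl and mod_proxy_http are loaded, and that the CA bundle path shown exists on the host.

```apache
# As posted (global scope in httpd.conf, kept here only for comparison):
#   ProxyPass        /webmail/ http://mydomain.se:7080/surgeweb
#   ProxyPassReverse /webmail/ http://mydomain.se:7080/surgeweb
# - applies to every virtual host, because it sits outside <VirtualHost>
# - source ends in "/", target does not, so /webmail/x maps to /surgewebx
# - the hop from httpd to port 7080 is plain HTTP

<VirtualHost _default_:443>
    # ... existing SSLEngine and certificate directives stay unchanged ...

    # Reverse proxy only; never serve as a forward proxy.
    ProxyRequests Off

    # TLS client side for the https:// backend, with the backend
    # certificate verified against a CA bundle and its name checked.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # Assumed path: system CA bundle on RHEL-family distributions.
    SSLProxyCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

    # No trailing slash on either side, so /webmail and /webmail/x map
    # to /surgeweb and /surgeweb/x.
    ProxyPass        /webmail https://mydomain.se:7443/surgeweb
    ProxyPassReverse /webmail https://mydomain.se:7443/surgeweb
</VirtualHost>

# On an SELinux-enforcing host, httpd may open the backend connection only
# if policy allows it (for example the httpd_can_network_connect boolean).
# A denial is logged as "Permission denied" in the httpd error log and
# mod_proxy answers the client with 503 Service Unavailable.
```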

Re: ProxyPass/ProxyReverse behaves differently on 2 servers

Postby hartings » 29. October 2022 17:45

Thanks for reading and commenting.
Let me explain:
To analyze it, https://mydomain.se/webmail is identical to https://mydomain.se:443/webmail
Correct.
And next, https://mydomain.se/surgeweb is identical to https://mydomain.se:443/surgeweb

Correct, BUT this is not what I am doing. The redirect is to my surgemail mailserver, which listens on port 7443, not on 443

Port 80/443 are for my webserver, port 7080/7443 for my mailserver.
The VirtualHost *:80 section at the bottom of httpd.conf is to create a VirtualHost *:443 to be able to create the LetsEncrypt certificate for my webserver.
It just transfers the webserver to a secure one, from port 80 to 443.

Assume you enter https://mydomain.se/webmail into the browser: the unconditional ProxyPass passes from the SSL context https://mydomain.se/webmail to the non-SSL server http://mydomain.se:7080/surgeweb - OUCH!! That is brutal and I can't believe it is working correctly. You then have a Redirect on Port 80 (which is never used in your setup), which redirects to https://mydomain.se (on Port 443). I really wonder how Server1 could run correctly.

I couldn't agree more.... I don't understand it either. That server was configured 8 years ago, and I didn't want to touch this production server as it was working, don't ask me how though!

On the new server I have deleted ALL ProxyPass/ProxyPassReverse lines, as the jump from non-secure to secure is, as you correctly pointed out, not OK!

Instead I use in the VirtualHost *:443 section of ssl.conf:
<VirtualHost _default_:443>
...
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/webmail [NC]
RewriteRule ^ https://mydomain.se:7443/surgeweb [NE,L]
....
</VirtualHost>

"surgeweb" is a command to trigger the web based part of the mailserver.

This means that the secure webserver directory "webmail", which is empty, is only there to enable the jump from the secure environment of the webserver (with its own certificates) to the secure mailserver on port 7443 (with a different certificate). So when you write in the browser https://mydomain.se/webmail , the user is redirected to the mailserver (port 7443) from the webserver (port 443).
That's it. Any other indicated webpages or folders in the browser will remain within the secure webserver.

Sorry if I didn't explain it more clearly!
hartings
 
Posts: 5
Joined: 26. October 2022 16:18
XAMPP version: 2.4
Operating System: Rocky Linux 9

Re: ProxyPass/ProxyReverse behaves differently on 2 servers

Postby Nobbie » 29. October 2022 18:11

Correct, BUT this is not what I am doing.


Of course it is, you say this:

"https://mydomain.se/webmail to be redirected to https://mydomain.se/surgeweb"

When you do not enter the Port in the URL, the Port is 443 for SSL. No matter, what you configured in the server setup and no matter, which redirects you configure. It does not matter, where the server is listening, it matters only, which URL you use (either as link or entered in the browser). Your description does NOT match the configuration.

So when you write in the browser https://mydomain.se/webmail , the user is redirected to the mailserver (port 7443) from the webserver (port 443).


No - it's not! Where is the corresponding redirect? There is none (in Server1).
Nobbie
 
Posts: 13176
Joined: 09. March 2008 13:04

Re: ProxyPass/ProxyReverse behaves differently on 2 servers

Postby hartings » 04. November 2022 15:45

Of course it is, you say this:

"https://mydomain.se/webmail to be redirected to https://mydomain.se/surgeweb"

Strictly speaking you are correct. This is not what is happening. I am "translating/forwarding" (you might know the correct wording):
https://mydomain.se/webmail to https://mydomain.se:7443/surgeweb
It's not using the "Redirect" statement but the "rewrite" statement.

This works perfectly.
Only when I use https://mydomain.se/webmail , the address is translated to a command to use the secure mail servers port.
All other addresses https://mydomain.se/xxxx remain on the secure web server.

As said, I don't bother about the old server ("server1") as this will be replaced anyhow. I will take a look at that one when the shift is done. For now, I only focus on the new server ("server").
Thanks again for reading my post.
hartings
 
Posts: 5
Joined: 26. October 2022 16:18
XAMPP version: 2.4
Operating System: Rocky Linux 9
