Discover Centmin Mod today
Register Now

Nginx SSL phpmyadmin main hostname HTTPS SSL: conflicting server name ignored

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by ndha, May 6, 2017.

  1. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Sorry for hijack thread :) ..
    but @eva2000 how about if i want to change hostname to use full SSL with Alphassl ??
    now only PMA is using self signed SSL but i want to use my Alphassl instead Self Signed..
    So all related url in hostname will be using SSL..
    Which config i must change in virtual.conf ??
    cause if i only add port 443 and SSL related conf in virtual.conf it shows same warning like above,
    Conflict domain 0.0.0.0:443, ignore. and can't reach hostname url with SSL..
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    right now you can't do that properly if you have phpmyadmin.sh addon (see post install step 7) installed as it sets up it's own HTTP/2 HTTPS based self-signed SSL main hostname vhost via /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf (which is where the port 443 hostname conflict is from):
    /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf has an include /usr/local/nginx/conf/phpmyadmin_https.conf file which only allows phpmyadmin auto and randomly generated install directory name to use HTTPS and redirects other requests back to non-HTTPS main /usr/local/nginx/conf/conf.d/virtual.conf nginx vhost via added return 302 redirect rule in /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf
    Code (Text):
    location / {
    return 302 http://\$server_name\$request_uri;
    }
    

    I think technically, it would be enough to remove this 302 redirect return HTTPS to HTTP rule in /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf to get the HTTPS vhost for main hostname working at /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf and then just replacing the ssl certificate, key and ssl trusted ssl cert paths with ones form your paid SSL certificate as outlined below

     
    • Like Like x 1
  3. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Hi @eva2000 ..
    I just tried it, but that's not enough to just remove that 302 redirects..
    1. i had tried to only remove that 302 redirects but still server name 443 conflict came up. Main Hostname and PMA url can be access fine, but php info page etc, show download box.
    2. i tried to edit phpmyadmin_ssl.conf server name using localhost. Main hostname url and all related url like PHP Info, Opcache Info, etc can be access using paid SSL. But PMA ssl url got too many redirects error.
    3. i tried to edit virtual.conf server name using localhost. PMA ssl url can be access fine without error. But when accessing all related url like PHP Info, Opcache Info, i can't open it instead it show download box.

    here is my virtual.conf for now :
    Code (Text):
    server {
            listen   80 default_server backlog=2048 reuseport;
            server_name domain.com;
            return 302 https://$server_name$request_uri;
    }
    
    server {
            listen 443 ssl http2;
            server_name name domain.com;
            root   html;
    
    All related SSL Conf and nginx Conf here..


    and here is my phpmyadmin_ssl.conf :
    Code (Text):
    server {
            listen 443 ssl http2;
            server_name localhost;
    #if i use domain.com it got conflict warning and can't open php info page.
    #but can access main hostname url dan PMA url.
            root   html;
    
    All related SSL Conf and PMA Conf here..


    I knew i missed something but where??
    maybe you can give me some lights :)
    thanks..
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    no do not setup https on virtual.conf - leave it as non-https as it originally was as https is already setup at phpmyadmin_ssl.conf
     
    • Like Like x 1
  5. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Nah, if i do just like you said, Main Hostname SSL and PMA url SSL is fine,
    but can't open/accessing PHP Info url or Opcache url instead it show download dialog.
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    make sure php.conf include file is enabled not commented out in virtual.conf

    post contents of virtual.conf and phpmyadmin_ssl.conf
     
  7. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Yes, it's include by default, only phpstatus,errorpage and vtsmainserver is not enabled.
     
  8. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Virtual .conf :
    Code (Text):
    server {
            listen   80 default_server backlog=2048 reuseport;
            server_name domain.com;
            return 302 https://$server_name$request_uri;
            root   html;
    
            access_log              /var/log/nginx/localhost.access.log     main_ext buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log      error;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #        Enables directory listings when index file not found
    #       autoindex  on;
    
    #       Shows file listing times as local time
    #       autoindex_localtime on;
    
    #       Enable for vBulletin usage WITHOUT vbSEO installed
    #       try_files       $uri $uri/ /index.php;
               
                }
    
            # example nginx-http-concat
            # /csstest/??one.css,two.css
            #location /csstest {
            #concat on;
            #concat_max_files 20;
            #}
    
    include /usr/local/nginx/conf/phpmyadmin.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/cinfo.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    include /usr/local/nginx/conf/redisadmin.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }

    phpmyadmin_ssl.conf :
    Code (Text):
    server {
            listen 443 ssl http2;
            server_name domain.com;
            root   html;
    
    keepalive_timeout  3000;
    
     client_body_buffer_size 256k;
     client_body_timeout 3000s;
     client_header_buffer_size 256k;
     client_header_timeout  60s;
     client_max_body_size 512m;
     connection_pool_size  512;
     directio  512m;
     ignore_invalid_headers on;
     large_client_header_buffers 8 256k;
    
            ssl_certificate      /usr/local/nginx/conf/ssl/host/domain.com.alphassl.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/host/domain.com.alphassl.key;
            ssl_dhparam /usr/local/nginx/conf/ssl/host/dhparam.pem;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_session_cache      shared:SSL:10m;
            ssl_session_timeout  60m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
            ssl_prefer_server_ciphers   on;
            add_header Alternate-Protocol  443:npn-spdy/3;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Xss-Protection "1; mode=block" always;
            ssl_buffer_size 1400;
            ssl_session_tickets on;
    
            ssl_stapling on;
            ssl_stapling_verify on;
            resolver 8.8.8.8 8.8.4.4 valid=300s;
            resolver_timeout 10s;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/host/domain.com.alphassl.trusted.crt;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
            access_log              /var/log/nginx/localhost_ssl.access.log     main buffer=32k;
            error_log               /var/log/nginx/localhost_ssl.error.log      error;
    
      include /usr/local/nginx/conf/phpmyadmin_https.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      #include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/errorpage.conf;
    }
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    in phpmyadmin_ssl.conf

    comment out with hash # in front of
    Code (Text):
    include /usr/local/nginx/conf/phpmyadmin_https.conf;
    

    uncomment remove hash #
    Code (Text):
    #include /usr/local/nginx/conf/php.conf;
    

    restart nginx
     
  10. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Yes, i can confirm it works now :)
    Thanks @eva2000
    now i'll find the way to make it more secure with Auth like before..
     
    • Like Like x 1
  11. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Hi again @eva2000
    i think i got win win solution for PMA to still use it default related .conf with Auth etc.
    here is my config,
    Virtual.conf :
    Code (Text):
    server {
            listen   80 default_server backlog=2048 reuseport;
            server_name domain.com;
            return 302 https://$server_name$request_uri;
            root   html;
    }
    server {
            listen 443 ssl http2;
            server_name domain.com;
            root   html;
    
            SSL related and rest of conf here..
    
    #include /usr/local/nginx/conf/phpmyadmin.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/cinfo.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    include /usr/local/nginx/conf/redisadmin.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;
           }

    As you can see i enable hash # in front of include /usr/local/nginx/conf/phpmyadmin.conf

    here it is my phpmyadmin_ssl.conf :
    Code (Text):
    server {
            listen 443 ssl http2;
            #server_name domain.com;
            server_name localhost; #using localhost to not get server name conflict error
            root   html;
    
    PMA SSL related and rest of PMA conf here..
    
      include /usr/local/nginx/conf/phpmyadmin_https.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      #include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/errorpage.conf;
    }


    but i add additional rules from phpmyadmin.conf which is disable from virtual.conf into phpmyadmin_https.conf in phpmyadmin_ssl.conf.

    in phpmyadmin.conf i copy :
    Code (Text):
    rewrite ^/(.*) https://domain.com/$1 permanent;

    paste it into phpmyadmin_https.conf, so it become :
    Code (Text):
    location ^~ /mysqladmin_url/ {
       #try_files $uri $uri/ /mysqladmin_url/index.php?$args;
       rewrite ^/(.*) https://domain/$1 permanent;
       include /usr/local/nginx/conf/php_mysqladmin_url.conf;
    
       auth_basic      "Private Access";
       auth_basic_user_file  /usr/local/nginx/conf/htpassphpmyadmin;
       allow 127.0.0.1;
       allow my IP;
       deny all;
    }


    with All above Config, i can access main Hostname url, PHP info, Opcache, Memcache etc url and PMA url with Paid SSL without any error and without sacrifice PMA nginx Auth and all default PMA conf.

    Maybe @eva2000 can check above .conf and confim it's fine for use.
     
  12. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    that would work i believe so you just want to force everything over to https
     
    • Like Like x 1
  13. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    hi @eva2000 today i just realize that if i used above config, PMA SSL Url wo'nt honor default http auth for PMA itself..Confirm it works at first time like i posted above but now no longer works..
    can you give some lights about it ??
    also, i see you had update nginx configs in CM update 23 -> 2 to support Nginx default hostname use SSL, am i right ??
    Thanks..
     
  14. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    you mean config at https://community.centminmod.com/th...licting-server-name-ignored.11645/#post-49635 ? probably have cached authorisation, try curl header for url to check from

    i.e.
    Code (Text):
    curl -I https://mainhostname.domain.com/mysqladmin_url/

    should give 401 permission denied error

    no 123.09beta01 updates have been made for default hostname SSL. The recent virtual.conf fix was for access_log format reversion back from main_ext format to combined log format. And recent phpmyadmin.sh update remove access log buffering · centminmod/phpmyadmin@c0612c5 · GitHub was to refer access log buffering.
     
  15. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Hi @eva2000 just tried curl it..
    but header give me http 200, so http auth is not active, right??
     
  16. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    yes means http authentication not active
     
  17. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
  18. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    the config looks correct to me, so you'd need to do more troubleshooting steps yourself on your end :)
     
    • Like Like x 1
  19. ndha

    ndha Member

    53
    9
    8
    Sep 28, 2014
    Ratings:
    +23
    Local Time:
    4:29 AM
    Latest
    10
    Hi @eva2000
    what does this mean in example/custom_config.inc :
    NGINX_VHOSTSSL='y' # enable centmin.sh menu 2 prompt to create self signed SSL vhost 2nd vhost conf

    Does Vhosts will be use SSL like i want above ??
     
  20. eva2000

    eva2000 Administrator Staff Member

    30,166
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    7:29 AM
    Nginx 1.13.x
    MariaDB 5.5
    • Informative Informative x 1