i-MSCP 1.5.3
OS: Debian Jessie 8.11
Used plugin: Let's Encrypt (latest)
Can I set SSLStrictSNIVHostCheck off somehow? I need this for one of my sites.
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Maybe with a listener file?
Thank you, but no, I haven't tried that. It's a very old topic; I think there are different solutions now.
I tried this, but it had no effect.
/etc/apache2/sites-enabled/sub.domain.tld_ssl.conf file:
<VirtualHost IP:443>
ServerAdmin webmaster@sub.domain.tld
ServerName sub.domain.tld
ServerAlias www.sub.domain.tld sub476.admin.domain.tld
DocumentRoot /var/www/virtual/domain.tld/iroda/htdocs
DirectoryIndex disabled
LogLevel error
ErrorLog /var/log/apache2/sub.domain.tld/error.log
Alias /errors/ /var/www/virtual/domain.tld/errors/
SSLEngine On
SSLCertificateFile /var/www/imscp/gui/data/certs/sub.domain.tld.pem
Header always set Strict-Transport-Security "max-age=0; includeSubDomains"
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
<Proxy "unix:/run/phpswitcher/psw7.1-fpm-sub.domain.tld.sock|fcgi://sub.domain.tld" retry=0>
ProxySet connectiontimeout=5 timeout=7200
</Proxy>
<Directory /var/www/virtual/domain.hu/iroda/htdocs>
Options FollowSymLinks
DirectoryIndex index.php
AllowOverride All
<If "%{REQUEST_FILENAME} =~ /\.ph(?:p[3457]?|t|tml)$/ && -f %{REQUEST_FILENAME}">
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
SetHandler proxy:fcgi://sub.domain.tld
</If>
DirectoryIndex index.html index.xhtml index.htm
Require all granted
</Directory>
<Location /stats>
ProxyErrorOverride On
ProxyPreserveHost Off
ProxyPass http://127.0.0.1:8889/stats/sub.domain.tld retry=1 acquire=3000 timeout=600 Keepalive=On
ProxyPassReverse http://127.0.0.1:8889/stats/sub.domain.tld
</Location>
Include /etc/apache2/imscp/sub.domain.tld.conf
</VirtualHost>
Nuxwin, do you have any tips?
Thank you!
Before giving you any answer, I would like to know exactly why you need to set the SNI vhost check off.
I have a custom billing system, and my online payment partner communicates with us using an old client...
That client does not support SNI, and Apache returns a 403 error message:
[Tue Nov 06 08:39:05.759045 2018] [ssl:error] [pid 16618:tid 140185341699840] AH02033: No hostname was provided via SNI for a name based virtual host
I already talked to them, but they need development in their system... In the meantime I need a solution for this...
OK... The problem is that disabling the SNI check in the vhost file that belongs to your billing system is not sufficient if that vhost is not seen as the default name-based virtual host for the IP/PORT compound:
Quote from Apache documentation:
This directive sets whether a non-SNI client is allowed to access a name-based virtual host. If set to on in the default name-based virtual host, clients that are SNI unaware will not be allowed to access any virtual host, belonging to this particular IP / port combination. If set to on in any other virtual host, SNI unaware clients are not allowed to access this particular virtual host.
So here, you have two choices:
First choice
Disable SNI vhost checking globally. This can be done through the /etc/apache2/mods-available/ssl.conf file.
Second choice
Assign a dedicated IP for the billing site, then make sure that the IP is only set (used) for the vhost of the billing system, then disable SNI vhost check in the billing vhost. This could involve the creation of an i-MSCP customer for the billing system subdomain only. Regarding the SNI directive, you can add it into the /etc/apache2/imscp/<domain.tld> file for persistence.
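The rule from the quoted documentation and the two choices above, modelled as an added example (not part of the thread, and not i-MSCP or Apache code). It assumes exact IP:port vhost addresses, vhosts listed in load order, and constructed sample configs in which the check is switched on at server level.

```python
import re

def parse(conf):
    """Parse a cut-down Apache config: SSLStrictSNIVHostCheck and ServerName only."""
    global_strict, vhosts, cur = None, [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        opened = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if opened:
            cur = {"addr": opened.group(1), "name": None, "strict": None}
            vhosts.append(cur)
        elif line.lower() == "</virtualhost>":
            cur = None
        else:
            key, _, val = line.partition(" ")
            key, val = key.lower(), val.strip()
            if key == "sslstrictsnivhostcheck":
                if cur is None:
                    global_strict = val.lower() == "on"
                else:
                    cur["strict"] = val.lower() == "on"
            elif key == "servername" and cur is not None:
                cur["name"] = val
    return global_strict, vhosts

def non_sni_access(conf):
    """Map ServerName -> (non-SNI client allowed?, vhost whose certificate it is shown)."""
    global_strict, vhosts = parse(conf)

    def strict(vhost):  # vhost value wins, else server-level value, else default off
        return vhost["strict"] if vhost["strict"] is not None else bool(global_strict)

    defaults, result = {}, {}
    for vhost in vhosts:
        # The first vhost defined for an IP:port is its default name-based vhost.
        default = defaults.setdefault(vhost["addr"], vhost)
        result[vhost["name"]] = (not strict(default) and not strict(vhost), default["name"])
    return result

# Constructed sample configs (documentation addresses and names, not from the thread).
SITE = "<VirtualHost 192.0.2.10:443>\nServerName www.example.test\n</VirtualHost>\n"
BILLING = "<VirtualHost {ip}:443>\nServerName billing.example.test\nSSLStrictSNIVHostCheck off\n</VirtualHost>\n"
SHARED_IP = "SSLStrictSNIVHostCheck on\n" + SITE + BILLING.format(ip="192.0.2.10")
DEDICATED_IP = "SSLStrictSNIVHostCheck on\n" + SITE + BILLING.format(ip="192.0.2.20")
GLOBAL_OFF = "SSLStrictSNIVHostCheck off\n" + SITE + BILLING.format(ip="192.0.2.10")

if __name__ == "__main__":
    for label, conf in [("shared IP", SHARED_IP), ("dedicated IP", DEDICATED_IP), ("global off", GLOBAL_OFF)]:
        print(label, non_sni_access(conf))
```

In the global-off case the non-SNI client is admitted to the billing vhost but is still shown the default vhost's certificate during the handshake; with the dedicated IP the billing vhost is the default, so its own certificate is presented.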
Ok, thank you! I'll think about it...