EasyApache 4 Defaults SSL On?

Discussion in 'EasyApache' started by Avalon, May 29, 2016.

  1. Avalon

    Avalon Member

    A little while ago an operation began to migrate services from an older server being decommissioned to a new server with CloudLinux 7 and cPanel with EasyApache 4 (versus EasyApache 3). Now while everything is going well there is some odd behavior we noticed: it seems EasyApache 4 on the default profile (we haven't customized it to our liking yet) is defaulting all sites except the server's own hostname to SSL enabled only.

    In other words: all sites are automatically connected to the SSL version (which is completely fine; we have all the SSL certificates) but we're trying to figure out whether it's something related to CloudFlare Enterprise or is it cPanel's EasyApache 4. The only new items introduced into the environment were cPanel's EasyApache 4 and CloudLinux 7.

    We of course discovered this when our .htaccess files were causing redirect loops for the service being migrated as they had directives to redirect all traffic to SSL already there.

    So really, as a simple question because Google doesn't really find anything: is this normal EasyApache 4 behavior? If pertinent, the following is the previous and new server's Pre-Main Include:

    Code:
    Header add Strict-Transport-Security "max-age=31536000"
    SSLProtocol all -SSLv3 -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is not the intended behavior when converting to EasyApache 4. Have you customized any aspects of the Apache configuration on this system (e.g. custom Vhost entries)?

    Thank you.
     
  3. Avalon

    Avalon Member

    No, no custom Vhost entries have been added to the Apache configuration. The only changes made to Apache so far were the ones outlined above; any other change [if any] was done automatically by WHM.

    The only other change made so far was the installation of mod_cloudflare which wasn't done to EasyApache 4 (it installed to EA3) and Apache hasn't even been recompiled yet nor has mod_cloudflare been appropriately installed to EasyApache 4 either so EA4 is running default except for the changes outlined in the original post.

    Even trying to do a direct route to the domains using port 80 auto-redirects to 443/HTTPS.

    It's not a bad thing (in fact; it would be great if cPanel/WHM could do this automatically) but to know that this is not normal behavior is concerning.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Do you notice a difference if you temporarily remove those custom entries?

    Thank you.
     
  5. Avalon

    Avalon Member

    @cPanelMichael - I know this thread has gotten a little old but we did eventually figure it out a few days ago and it was one of those "how did we miss that" moments. Our domains are part of the HSTS Preload Database used by virtually every modern browser. It just so happens that our move to EasyApache 4 coincided with the time the final domains that were submitted had been added to the browsers.

    We figured this out when we saw an error pop up in Chrome while accessing a legacy server, being readied for decommissioning, that didn't have the SSL certs: the privacy error screen said the domain always uses HSTS and you cannot continue to the specific URL, because the specific URL (several subdomains in depth) wasn't using HSTS and has a certificate that doesn't match our currently published one.
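
The behaviour the thread ends on, as an added example that is not part of any post: a model of how a browser parses the Strict-Transport-Security header and rewrites http:// URLs for known HSTS hosts (RFC 6797) before any request reaches Apache. The domain example.com and the contents of PRELOADED are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when the header is invalid and must be ignored."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:                     # a repeated directive invalidates the header
            return None
        seen[name] = arg.strip().strip('"')  # the value may be a quoted-string
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):  # max-age is required
        return None
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def hsts_match(host, store):
    """Return the store entry covering host, or None (RFC 6797 section 8.2).
    store maps domain -> includeSubDomains flag."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        # An exact match always applies; a parent domain only with the flag set.
        if domain in store and (i == 0 or store[domain]):
            return domain
    return None

def browser_url(url, store):
    """URL the browser actually requests (RFC 6797 section 8.3)."""
    u = urlsplit(url)
    if u.scheme == "http" and u.hostname and hsts_match(u.hostname, store):
        # An explicit port 80 becomes the https default; other ports are kept.
        port = "" if u.port in (None, 80) else f":{u.port}"
        return u._replace(scheme="https", netloc=u.hostname + port).geturl()
    return url

# Constructed store: a preloaded entry covers every subdomain.
PRELOADED = {"example.com": True}

if __name__ == "__main__":
    print(parse_hsts("max-age=31536000"))  # the header value from the first post
    print(browser_url("http://legacy.a.example.com:80/x?y=1", PRELOADED))
```

Because the rewrite happens in the browser, a request to port 80 from a client that keeps no HSTS state shows what Apache itself returns.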
     