The Community Forums


Preventing Apache SSL automatic generation ?

Discussion in 'EasyApache' started by eva2000, Aug 22, 2015.

  1. eva2000

    eva2000 Well-Known Member

    If I install an SSL certificate for a cPanel-hosted domain, the VirtualHost 443 entry is generated into /usr/local/apache/conf/httpd.conf, and it says to use an include file instead to customise this VirtualHost, as it is automatically generated.

    Code:
    # SSL
    # DO NOT EDIT. AUTOMATICALLY GENERATED.  IF YOU NEED TO MAKE A CHANGE PLEASE USE THE INCLUDE FILES.
    
    # To customize this VirtualHost use an include file at the following location
        # Include "/usr/local/apache/conf/userdata/ssl/2_2/username/DOMAINNAME.COM/*.conf"
    But how do I customise this in the include file if I want to disable/remove only Apache from serving the site via 443, but not uninstall the SSL certificate, and let the LiteSpeed web server take priority for HTTPS/SSL and serve the site's 443 via LiteSpeed's native vhost config console? The usual distiller method doesn't work, as cPanel Apache auto-generates the SSL VirtualHost anyway regardless of the commands:

    Code:
    /usr/local/cpanel/bin/apache_conf_distiller --update
    /usr/local/cpanel/bin/build_apache_conf

    cheers

    George
     
    #1 eva2000, Aug 22, 2015
    Last edited: Aug 22, 2015
  2. 24x7ss

    24x7ss Well-Known Member

    Hello,

    It seems Apache is working as a reverse proxy for LiteSpeed, so it will use the configuration from Apache only. You should consider removing Apache completely to switch everything to LiteSpeed.
     
  3. eva2000

    eva2000 Well-Known Member

    Thanks for the reply, but Apache isn't a reverse proxy to LiteSpeed. LiteSpeed is enabled in WHM/cPanel and Apache is disabled. It's just that to get HTTP/2 support + OCSP stapling enabled for SSL on WHM/cPanel, I had to set up LiteSpeed with a native SSL vhost and configure OCSP stapling there, which seems to have worked without needing to disable Apache httpd.conf's VirtualHost 443 entry, as I verified the custom SSL cipher order and OCSP stapling are working on the domain now.

    openssl command output
    Code:
    openssl s_client -connect mydomain.com:443 -tls1 -tlsextdebug -status
    
    OCSP response:
    ======================================
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
        Produced At: Aug 22 12:06:04 2015 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: A06661F16CBCC23E98BC71914830B85AAA8D0A6B
          Issuer Key Hash: D2A716207CAFD9959EEB430A19F2E0B9740EA8C7
          Serial Number: 1188F371489C6D91CD380851FB274515
        Cert Status: good
        This Update: Aug 22 12:06:04 2015 GMT
        Next Update: Aug 24 12:06:04 2015 GMT
    testssl result
    Code:
    testssl mydomain.com:443
    
    --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, h2c, h2-17, h2-14, spdy/3.1, spdy/3, spdy/2, http/1.1 (advertised)
    
    --> Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            not offered (OK)
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    --> Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
    Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA
         TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA
         TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         h2:        ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         h2c:       ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         h2-17:     ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         h2-14:     ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         spdy/3.1:  ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         spdy/3:    ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         spdy/2:    ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         http/1.1:  ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        renegotiation info, EC point formats, session ticket, status request, heartbeat
    Session Tickets RFC 5077     300 seconds
    Server key size              2048 bit
    Signature Algorithm          SHA256 with RSA
    Fingerprint / Serial         SHA1 E737D0911D60FFAD925DC4B07FC9A330E91D2C32 / 1188F371489C6D91CD380851FB274515
                                  SHA256 5877AB22697AED02B30357FFBBF9AA53239E1934C565288591865991D5C8D19C
    Common Name (CN)             mydomain.com (works w/o SNI)
    subjectAltName (SAN)         mydomain.com www.mydomain.com mydomain2.com
    Issuer                       WoSign CA Free SSL Certificate G2 (WoSign CA Limited from CN)
    EV cert (experimental)       no
    Certificate Expiration       >= 60 days (2015-03-24 23:54 --> 2018-03-25 00:54 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crls6.wosign.com/ca6-server1-free.crl
    OCSP URI                     http://ocsp6.wosign.com/ca6/server1/free
    OCSP stapling                offered
    TLS timestamp                random values, no fingerprinting possible
    
    
    --> Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              -1 sec from localtime
    Strict Transport Security    --
    Public Key Pinning           --
    Server banner                LiteSpeed
    Application banner           --
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner        --
    and cipherscan result
    Code:
    cipherscan mydomain.com:443    
    .............
    Target: mydomain.com:443
    
    prio  ciphersuite                  protocols              pfs                 curves
    1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
    3     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
    4     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    5     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
    6     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    7     AES128-GCM-SHA256            TLSv1.2                None                None
    8     AES256-GCM-SHA384            TLSv1.2                None                None
    9     AES128-SHA256                TLSv1.2                None                None
    10    AES256-SHA256                TLSv1.2                None                None
    11    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    12    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    
    Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
    TLS ticket lifetime hint: 300
    OCSP stapling: supported
    Cipher ordering: server
    
    Fallbacks required:
    big-SSLv3 config not supported, connection failed
    big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
    big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
    big-TLSv1.2 no fallback req, connected: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    and nghttp HTTP/2 connection test

    Code:
    nghttp -nv https://mydomain.com:443
    [  0.141] Connected
    The negotiated protocol: h2
    [  0.205] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
              (niv=2)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
    [  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
              (dep_stream_id=0, weight=201, exclusive=0)
    [  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
              (dep_stream_id=0, weight=101, exclusive=0)
    [  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
              (dep_stream_id=0, weight=1, exclusive=0)
    [  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
              (dep_stream_id=7, weight=1, exclusive=0)
    [  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
              (dep_stream_id=3, weight=1, exclusive=0)
    [  0.205] send HEADERS frame <length=40, flags=0x25, stream_id=13>
              ; END_STREAM | END_HEADERS | PRIORITY
              (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
              ; Open new stream
              :method: GET
              :path: /
              :scheme: https
              :authority: mydomain.com
              accept: */*
              accept-encoding: gzip, deflate
              user-agent: nghttp2/1.2.1-DEV
    [  0.226] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
              (niv=3)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65536]
              [SETTINGS_MAX_FRAME_SIZE(0x05):16384]
    [  0.226] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
              (window_size_increment=196605)
    [  0.226] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.227] recv (stream_id=13) :status: 200
    [  0.227] recv (stream_id=13) etag: "d-55d85693-a98bd14439add40a"
    [  0.227] recv (stream_id=13) last-modified: Sat, 22 Aug 2015 11:01:39 GMT
    [  0.227] recv (stream_id=13) content-type: text/html
    [  0.227] recv (stream_id=13) content-length: 13
    [  0.227] recv (stream_id=13) date: Sat, 22 Aug 2015 14:33:48 GMT
    [  0.227] recv (stream_id=13) accept-ranges: bytes
    [  0.227] recv (stream_id=13) server: LiteSpeed
    [  0.227] recv HEADERS frame <length=102, flags=0x04, stream_id=13>
              ; END_HEADERS
              (padlen=0)
              ; First response header
    [  0.227] recv DATA frame <length=13, flags=0x00, stream_id=13>
    [  0.227] recv DATA frame <length=0, flags=0x01, stream_id=13>
              ; END_STREAM
    [  0.227] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.227] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
              (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])
    
    The only thing is the SSL Labs test isn't reporting OCSP, despite the results shown for the openssl command line, testssl and cipherscan.
     
    #3 eva2000, Aug 22, 2015
    Last edited: Aug 22, 2015
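A check over the kind of `openssl s_client -status` output quoted above, added here as an example and not taken from the thread, cPanel or LiteSpeed: it parses the stapled OCSP block and reports whether a staple is present, the certificate status is good, and the response is still inside its This Update / Next Update window. The sample dumps are constructed; a staple that is missing or expired on some connections is one reason a scanner and a single openssl run can disagree.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the `openssl s_client -status` output quoted above.
STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Aug 22 12:06:04 2015 GMT
    Next Update: Aug 24 12:06:04 2015 GMT
"""
# What s_client prints when the server staples nothing (constructed).
NOT_STAPLED = "OCSP response: no response sent\n"

OPENSSL_TS = "%b %d %H:%M:%S %Y GMT"  # timestamp format openssl uses in the dump


def _field(text, name):
    """Value of a `Name: value` line in the OCSP dump, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def parse_ocsp(text):
    """Extract the fields a stapling check needs; None when no response was stapled."""
    if "OCSP Response Data:" not in text:
        return None
    return {
        "response_status": _field(text, "OCSP Response Status"),
        "cert_status": _field(text, "Cert Status"),
        "this_update": datetime.strptime(_field(text, "This Update"), OPENSSL_TS),
        "next_update": datetime.strptime(_field(text, "Next Update"), OPENSSL_TS),
    }


def check_stapling(text, now_utc):
    """Classify the staple as seen at now_utc ('YYYY-MM-DD HH:MM:SS', UTC):
    'missing', 'error', a non-good cert status, 'not-yet-valid', 'stale' or 'ok'."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S")
    r = parse_ocsp(text)
    if r is None:
        return "missing"
    if not r["response_status"].startswith("successful"):
        return "error"
    if r["cert_status"] != "good":
        return r["cert_status"]
    if now < r["this_update"]:
        return "not-yet-valid"
    if now > r["next_update"]:
        return "stale"
    return "ok"
```

Pipe the real dump in with `openssl s_client -connect host:443 -status </dev/null` and feed the captured text to `check_stapling` with the current UTC time; anything other than `ok` is worth investigating before trusting a scanner's verdict.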
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You will likely receive more feedback on this type of question at the LiteSpeed forums, as it's a customization of the LiteSpeed plugin and it's not a configuration that's natively supported by cPanel:

    https://www.litespeedtech.com/support/forum/

    Thank you.
     
  5. eva2000

    eva2000 Well-Known Member

    Thanks @cPanelMichael. While I solved my problem without needing to disable the 443 in Apache httpd.conf, it's actually a question of whether EasyApache Apache can disable the 443 vhost using the include file "/usr/local/apache/conf/userdata/ssl/2_2/username/DOMAINNAME.COM/*.conf" but NOT uninstall the SSL certificate for the vhost.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     