redirects render invalid apache config on non-SSL web server since MR 1521
Short summary
Setting up redirects to an https target inside of a "Web Domain" is broken for us since MR !1521 (merged).
Environment
We run our ispconfig setup behind a reverse proxy (haproxy) which also is the SSL endpoint. Thus SSL config is disabled for the web servers that ispconfig manages.
Both the ispconfig server as well as the web server run
- Debian 11 bullseye
- Ispconfig in version 3.2.6
Issue
Since commit #6c65d2b4 the apache2 config template creates an invalid config for vhosts that should just reply with a permanent redirection (301). This is due to the newly introduced config line
SSLProxyEngine On
... which does not work for us as SSL is disabled.
If I read https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLProxyEngine correctly, then this setting is not even needed for plain redirects, but only in case the vhost is acting as proxy.
As the documentation continues ...
Note that the SSLProxyEngine directive should not, in general, be included in a virtual host that will be acting as a forward proxy (using <Proxy> or ProxyRequests directives). SSLProxyEngine is not required to enable a forward proxy server to proxy SSL/TLS requests.
... the question arises what this MR actually fixes.
IMHO there is at least a check missing if the redirect config is in proxy mode or a 301 reply.
Adding the SSLProxyEngine statement also for redirects is superfluous.
Steps to reproduce
- run an ispconfig webserver without SSL handling behind a reverse proxy acting as SSL endpoint
- set up a permanent redirect 301 for a web domain to an https target
- wait until the restart of apache2
- there will be a DOMAINNAME.vhost.err file and an error entry in the logs, see below ...
Logs
snippet from the apache2 log:
Dec 14 20:11:09 web73 apachectl[3410483]: AH00526: Syntax error on line 54 of /etc/apache2/sites-enabled/100-anonymized.tld.vhost:
Dec 14 20:11:09 web73 apachectl[3410483]: Invalid command 'SSLProxyEngine', perhaps misspelled or defined by a module not included in the server configuration
Dec 14 20:11:09 web73 apachectl[3410480]: Action 'start' failed.
Dec 14 20:11:09 web73 apachectl[3410480]: The Apache error log may have more information.
Dec 14 20:11:09 web73 systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Dec 14 20:11:09 web73 systemd[1]: apache2.service: Failed with result 'exit-code'.
Dec 14 20:11:09 web73 systemd[1]: Failed to start The Apache HTTP Server.
Workaround
This is our current quick fix which solves the issue (temporary only):
# diff /usr/local/ispconfig/server/conf/vhost.conf.master{.jdsn,}
521c521
< SSLProxyEngine On
---
> #SSLProxyEngine On
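Review bot: Commenting out line 521 of vhost.conf.master drops SSLProxyEngine from every generated vhost, so a vhost that really does proxy to an https target loses the directive as well. Consider keeping the line and guarding it instead, either with the template's condition for proxy-type redirects or with an `<IfModule mod_ssl.c>` wrapper, so servers without mod_ssl skip it while proxying vhosts keep it.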
A proper fix however would most likely need a check if the vhost in question is acting in proxy mode.
References
- commit that introduced the breakage: !1521 (merged)
- maybe related: #6087
I am happy to help with a proper fix and test it on our system before merging.
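An added example, not part of the original report and not ISPConfig code: a small audit that reads generated vhost text and flags every `SSLProxyEngine On` that is either fatal (mod_ssl not loaded) or superfluous (the vhost only redirects). The sample vhosts, host names and the `audit` helper are constructed for illustration, and the shape of the redirect rule is an assumption.

```python
import re

# Constructed sample (assumed shape): one 301-redirect vhost and one proxying
# vhost, both carrying the directive the issue describes.
SAMPLE_VHOSTS = """\
<VirtualHost *:80>
    ServerName redirect.example.test
    SSLProxyEngine On
    RewriteRule ^/(.*)$ https://target.example.test/$1 [R=301,NE,L]
</VirtualHost>
<VirtualHost *:80>
    ServerName proxy.example.test
    SSLProxyEngine On
    RewriteRule ^/(.*)$ https://backend.example.test/$1 [P,L]
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
# Directives that make the vhost act as a proxy.
PROXY_DIRECTIVE_RE = re.compile(
    r"^\s*(ProxyPass|ProxyPassMatch|ProxyRequests\s+On)\b", re.I | re.M)
# Captures the flag list of each RewriteRule, e.g. "R=301,NE,L" or "P,L".
REWRITE_FLAGS_RE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+\S+\s+\[([^\]]*)\]", re.I | re.M)

def active_lines(body):
    """Drop comment lines so '#SSLProxyEngine On' is not counted."""
    return "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))

def uses_proxy(body):
    """True if the vhost has a proxy directive or a RewriteRule with the P flag."""
    flags = ",".join(REWRITE_FLAGS_RE.findall(body)).upper().split(",")
    return bool(PROXY_DIRECTIVE_RE.search(body)) or any(
        f.strip() in ("P", "PROXY") for f in flags)

def audit(config_text, mod_ssl_loaded):
    """Return (ServerName, finding) for each problematic SSLProxyEngine use."""
    findings = []
    for match in VHOST_RE.finditer(config_text):
        body = active_lines(match.group(1))
        if not re.search(r"^\s*SSLProxyEngine\s+On\b", body, re.I | re.M):
            continue
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
        name = name.group(1) if name else "(unnamed)"
        if not mod_ssl_loaded:
            findings.append((name, "fatal: mod_ssl not loaded"))
        elif not uses_proxy(body):
            findings.append((name, "superfluous: vhost does not proxy"))
    return findings
```

Whether mod_ssl is loaded has to be supplied by the caller, for example from the module list of the running server.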