Apache returns 408 when prepending www

I have a server running Debian 8.11 and Apache 2.4.10 configured to serve 2 websites. One is a website built with WordPress (example.com), the other is a forum built with NodeBB (forum.example.com, which has no problems at all).

The website should be available as example.com, as www.example.com, or even by inputting the IP address. All http requests should be redirected to https. The first and the last cases work, but when I input www.example.com (with www, it doesn't matter if I use http or https) I end up with the following error in the browser:

Error 543
The origin web server is not available

If I open the apache logs, I find this in access.log:

"-" 408 137 "-" "-"

This is my vhost file for HTTP:

<VirtualHost *:80>
    DocumentRoot /var/www/wordpress
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/wordpress>
        Options FollowSymLinks
        AllowOverride All
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName forum.example.com
    
    Redirect / https://forum.example.com/
</VirtualHost>

This is for HTTPS:

<IfModule mod_ssl.c>

    <VirtualHost *:443>
        ServerAdmin [email protected]
        
        DocumentRoot /var/www/wordpress
        Redirect permanent /phpmyadmin https://example.com/phpmyadmin
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/wordpress>  
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile  /etc/ssl/certs/www_example_com.crt
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-comodo.key
        SSLCertificateChainFile /etc/ssl/certs/COMODORSACertificateBundle.crt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments:   
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown 
        
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"    
    </VirtualHost>
    
    <VirtualHost *:443>
        ServerName forum.example.com
        ServerAdmin [email protected]
        
        SSLEngine on
        
        SSLCertificateFile  /etc/ssl/certs/forum_example_com.crt
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-forum-comodo.key

        SSLCertificateChainFile /etc/ssl/certs/COMODORSAForumCertificateBundle.crt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        
        ProxyRequests off

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
        RewriteRule /(.*)           ws://127.0.0.1:4567/$1 [P,L]

        ProxyPass / http://127.0.0.1:4567/
        ProxyPassReverse / http://127.0.0.1:4567/
        
        ErrorDocument 503 http://status.example.com

    </VirtualHost>
    
</IfModule>

...and here is the .htaccess I use in the WordPress website:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://example.com/$1 [R,L]
</IfModule>

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

All the resources I found on 403 errors covered different scenarios so I'm really lost here. Thank you all!

HBruijn:
An error message "The origin web server is not available" sounds like an error message generated by a CDN or a reverse proxy. Do the DNS IPv4 and IPv6 records for www.example.com point to the same IP-addresses and server as the example.com DNS records or is www possibly directed to a different back-end server by your CDN? Additionally: It is best to always explicitly list a `ServerName` (and any expected `ServerAlias` names) in every name-based virtual host. https://httpd.apache.org/docs/2.4/vhosts/name-based.html#using
Jarko:
@HBruijn indeed I had a CNAME record pointing www. somewhere else completely. So stupid! Thank you! I added the ServerName and ServerAlias too, good point.
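
The `ServerName` advice in the comments can be checked mechanically. The following is an added example, not part of the original thread: a simplified Python model of Apache's name-based vhost selection, run over a constructed, trimmed copy of the question's port-80 vhosts. The function names are hypothetical, and the model ignores the global `ServerName` that an unnamed vhost inherits.

```python
import fnmatch
import re

# Constructed sample: a trimmed copy of the port-80 vhost layout from the question.
SAMPLE_CONF = """
<VirtualHost *:80>
    DocumentRoot /var/www/wordpress
</VirtualHost>
<VirtualHost *:80>
    ServerName forum.example.com
    Redirect / https://forum.example.com/
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts, current = [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"addr": opened.group(1).strip(), "line": lineno,
                       "name": None, "aliases": []}
        elif line.lower().startswith("</virtualhost") and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None and line and not line.startswith("#"):
            parts = line.split()
            if parts[0].lower() == "servername" and len(parts) > 1:
                current["name"] = parts[1].lower()
            elif parts[0].lower() == "serveralias":
                current["aliases"] += [a.lower() for a in parts[1:]]
    return vhosts

def missing_servername(vhosts):
    """Line numbers of <VirtualHost> blocks that declare no ServerName."""
    return [v["line"] for v in vhosts if v["name"] is None]

def select_vhost(vhosts, addr, host):
    """Simplified selection: first ServerName/ServerAlias match wins,
    otherwise the first vhost listed for that address is the default."""
    pool = [v for v in vhosts if v["addr"] == addr]
    host = host.lower().split(":")[0]  # drop an optional :port from the Host header
    for v in pool:
        names = ([v["name"]] if v["name"] else []) + v["aliases"]
        if any(fnmatch.fnmatchcase(host, n) for n in names):
            return v, "matched"
    return (pool[0], "default") if pool else (None, "none")
```

For the sample, `select_vhost(parse_vhosts(SAMPLE_CONF), "*:80", "www.example.com")` returns the first block with reason `default`: the WordPress vhost answers for any hostname not listed elsewhere, which is why naming it explicitly is worthwhile. The `www` CNAME that actually caused the error lives in DNS and is outside what a configuration check can see.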