
Preventing Apache SSL automatic generation?

Comments

5 comments

  • 24x7ss
    Hello. It seems Apache is working as a reverse proxy for LiteSpeed, so it will use the configuration from Apache only. You should consider removing Apache completely to switch everything to LiteSpeed.
  • eva2000
    Thanks for the reply, but Apache isn't a reverse proxy to LiteSpeed. LiteSpeed is enabled in WHM/cPanel and Apache is disabled. It's just that, to get HTTP/2 support and OCSP stapling enabled for SSL on WHM/cPanel, I had to set up LiteSpeed with a native SSL vhost and configure OCSP stapling there, which seems to have worked without needing to disable the VirtualHost 443 entry in Apache's httpd.conf, as I verified that the custom SSL cipher order and OCSP stapling are working on the domain now.

    openssl command output:

        openssl s_client -connect mydomain.com:443 -tls1 -tlsextdebug -status

        OCSP response:
        ======================================
        OCSP Response Data:
            OCSP Response Status: successful (0x0)
            Response Type: Basic OCSP Response
            Version: 1 (0x0)
            Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
            Produced At: Aug 22 12:06:04 2015 GMT
            Responses:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: A06661F16CBCC23E98BC71914830B85AAA8D0A6B
              Issuer Key Hash: D2A716207CAFD9959EEB430A19F2E0B9740EA8C7
              Serial Number: 1188F371489C6D91CD380851FB274515
            Cert Status: good
            This Update: Aug 22 12:06:04 2015 GMT
            Next Update: Aug 24 12:06:04 2015 GMT
    testssl result:
        testssl mydomain.com:443

        --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
        SSLv2      not offered (OK)
        SSLv3      not offered (OK)
        TLS 1      offered
        TLS 1.1    offered
        TLS 1.2    offered (OK)
        SPDY/NPN   h2, h2c, h2-17, h2-14, spdy/3.1, spdy/3, spdy/2, http/1.1 (advertised)

        --> Testing ~standard cipher lists
        Null Ciphers                 not offered (OK)
        Anonymous NULL Ciphers       not offered (OK)
        Anonymous DH Ciphers         not offered (OK)
        40 Bit encryption            not offered (OK)
        56 Bit encryption            not offered (OK)
        Export Ciphers (general)     not offered (OK)
        Low (<=64 Bit)               not offered (OK)
        DES Ciphers                  not offered (OK)
        Medium grade encryption      not offered (OK)
        Triple DES Ciphers           not offered (OK)
        High grade encryption        offered (OK)

        --> Testing server preferences
        Has server cipher order?     yes (OK)
        Negotiated protocol          TLSv1.2
        Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
        Cipher order
          TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA
          TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA
          TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
          h2:        ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
          h2c:       ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
          h2-17:     ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
          h2-14:     ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
          spdy/3.1:  ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
          spdy/3:    ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
          spdy/2:    ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
          http/1.1:  ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA

        --> Testing server defaults (Server Hello)
        TLS server extensions        renegotiation info, EC point formats, session ticket, status request, heartbeat
        Session Tickets RFC 5077     300 seconds
        Server key size              2048 bit
        Signature Algorithm          SHA256 with RSA
        Fingerprint / Serial         SHA1 E737D0911D60FFAD925DC4B07FC9A330E91D2C32 / 1188F371489C6D91CD380851FB274515
                                     SHA256 5877AB22697AED02B30357FFBBF9AA53239E1934C565288591865991D5C8D19C
        Common Name (CN)             mydomain.com (works w/o SNI)
        subjectAltName (SAN)         mydomain.com www.mydomain.com mydomain2.com
        Issuer                       WoSign CA Free SSL Certificate G2 (WoSign CA Limited from CN)
        EV cert (experimental)       no
        Certificate Expiration       >= 60 days (2015-03-24 23:54 --> 2018-03-25 00:54 +0000)
        # of certificates provided   3
        Certificate Revocation List  http://crls6.wosign.com/ca6-server1-free.crl
        OCSP URI                     http://ocsp6.wosign.com/ca6/server1/free
        OCSP stapling                offered
        TLS timestamp                random values, no fingerprinting possible

        --> Testing HTTP header response @ "/"
        HTTP Status Code             200 OK
        HTTP clock skew              -1 sec from localtime
        Strict Transport Security    --
        Public Key Pinning           --
        Server banner                LiteSpeed
        Application banner           --
        Cookie(s)                    (none issued at "/")
        Security headers             --
        Reverse Proxy banner         --
    and cipherscan result:
        cipherscan mydomain.com:443
        .............
        Target: mydomain.com:443

        prio  ciphersuite                  protocols              pfs                 curves
        1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
        2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
        3     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
        4     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
        5     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
        6     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
        7     AES128-GCM-SHA256            TLSv1.2                None                None
        8     AES256-GCM-SHA384            TLSv1.2                None                None
        9     AES128-SHA256                TLSv1.2                None                None
        10    AES256-SHA256                TLSv1.2                None                None
        11    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
        12    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None

        Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
        TLS ticket lifetime hint: 300
        OCSP stapling: supported
        Cipher ordering: server
        Fallbacks required:
        big-SSLv3    config not supported, connection failed
        big-TLSv1.0  no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
        big-TLSv1.1  no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
        big-TLSv1.2  no fallback req, connected: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    and nghttp HTTP/2 connection test:
        nghttp -nv https://mydomain.com:443

        [  0.141] Connected
        The negotiated protocol: h2
        [  0.205] send SETTINGS frame (niv=2)
                  [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
                  [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
        [  0.205] send PRIORITY frame (dep_stream_id=0, weight=201, exclusive=0)
        [  0.205] send PRIORITY frame (dep_stream_id=0, weight=101, exclusive=0)
        [  0.205] send PRIORITY frame (dep_stream_id=0, weight=1, exclusive=0)
        [  0.205] send PRIORITY frame (dep_stream_id=7, weight=1, exclusive=0)
        [  0.205] send PRIORITY frame (dep_stream_id=3, weight=1, exclusive=0)
        [  0.205] send HEADERS frame
                  ; END_STREAM | END_HEADERS | PRIORITY
                  (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
                  ; Open new stream
                  :method: GET
                  :path: /
                  :scheme: https
                  :authority: mydomain.com
                  accept: */*
                  accept-encoding: gzip, deflate
                  user-agent: nghttp2/1.2.1-DEV
        [  0.226] recv SETTINGS frame (niv=3)
                  [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
                  [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65536]
                  [SETTINGS_MAX_FRAME_SIZE(0x05):16384]
        [  0.226] recv WINDOW_UPDATE frame (window_size_increment=196605)
        [  0.226] recv SETTINGS frame
                  ; ACK (niv=0)
        [  0.227] recv (stream_id=13) :status: 200
        [  0.227] recv (stream_id=13) etag: "d-55d85693-a98bd14439add40a"
        [  0.227] recv (stream_id=13) last-modified: Sat, 22 Aug 2015 11:01:39 GMT
        [  0.227] recv (stream_id=13) content-type: text/html
        [  0.227] recv (stream_id=13) content-length: 13
        [  0.227] recv (stream_id=13) date: Sat, 22 Aug 2015 14:33:48 GMT
        [  0.227] recv (stream_id=13) accept-ranges: bytes
        [  0.227] recv (stream_id=13) server: LiteSpeed
        [  0.227] recv HEADERS frame
                  ; END_HEADERS (padlen=0)
                  ; First response header
        [  0.227] recv DATA frame
        [  0.227] recv DATA frame
                  ; END_STREAM
        [  0.227] send SETTINGS frame
                  ; ACK (niv=0)
        [  0.227] send GOAWAY frame (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])
    The only thing is that the SSL Labs test isn't reporting OCSP stapling, despite the results shown by the openssl command line, testssl and cipherscan.
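The three tools above agree that a stapled response is being sent, but a scanner can still report "no stapling" when the stapled response is stale (the server keeps re-sending a cached response past its Next Update) or is for a different certificate than the one served. The script below is an added example, not code from the thread or from cPanel or LiteSpeed: it runs the same `openssl s_client -status` handshake eva2000 used (without the forced `-tls1`, and with ALPN so the h2 result shows in the same run), parses the stapled-response block, and only passes if the response is successful, says `good`, matches the expected serial and is inside its validity window. The sample output embedded in it is constructed from the response quoted above; `openssl` on PATH is assumed for the live probe.

```python
"""Added example (not from the thread): automate the OCSP-stapling check that
eva2000 did by hand with `openssl s_client -status`, and decide whether the
stapled response is actually usable rather than merely present.

Assumptions: an `openssl` binary on PATH for the live probe; the sample output
below is constructed from the response quoted in the thread.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample: the stapled-response block as `openssl s_client -status`
# prints it, using the values quoted in the thread.
SAMPLE_OCSP_OUTPUT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
    Produced At: Aug 22 12:06:04 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A06661F16CBCC23E98BC71914830B85AAA8D0A6B
      Issuer Key Hash: D2A716207CAFD9959EEB430A19F2E0B9740EA8C7
      Serial Number: 1188F371489C6D91CD380851FB274515
    Cert Status: good
    This Update: Aug 22 12:06:04 2015 GMT
    Next Update: Aug 24 12:06:04 2015 GMT
"""

# Constructed sample: what openssl prints when the server staples nothing.
NO_STAPLE_OUTPUT = "OCSP response: no response sent\n"

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def _field(text, name):
    """Value of the first 'Name: value' line in openssl's text dump, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def _as_utc(value):
    """Accept a datetime or an openssl-style 'Aug 22 12:06:04 2015 GMT' string."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.strptime(re.sub(r"\s+", " ", value), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_stapled_ocsp(text):
    """Pull the fields that matter out of s_client's OCSP dump."""
    if "OCSP Response Status" not in text:
        return {"stapled": False}
    this_update = _field(text, "This Update")
    next_update = _field(text, "Next Update")
    return {
        "stapled": True,
        "response_status": _field(text, "OCSP Response Status") or "",
        "cert_status": _field(text, "Cert Status"),
        "serial": (_field(text, "Serial Number") or "").upper(),
        "this_update": _as_utc(this_update) if this_update else None,
        "next_update": _as_utc(next_update) if next_update else None,
    }


def stapled_response_ok(info, now, expected_serial=None, slack=timedelta(minutes=5)):
    """True only if a response was stapled, it is 'successful' and 'good', it is
    for the expected certificate serial (when given), and `now` lies inside
    [thisUpdate - slack, nextUpdate]. A server re-sending a cached response past
    its Next Update still "offers stapling" to a naive check, but clients discard
    that response, which is one reason a scanner reports no stapling."""
    if not info.get("stapled"):
        return False
    if not info["response_status"].startswith("successful"):
        return False
    if info["cert_status"] != "good":
        return False
    if expected_serial and info["serial"] != expected_serial.upper():
        return False
    if info["this_update"] is None or info["next_update"] is None:
        return False
    now = _as_utc(now)
    return info["this_update"] - slack <= now <= info["next_update"]


def probe(host, port=443):
    """Live check (needs network and openssl): same handshake as in the thread,
    minus the forced -tls1, plus ALPN so the h2 result is visible in one run."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
           "-status", "-alpn", "h2,http/1.1"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=20).stdout.decode(errors="replace")
    info = parse_stapled_ocsp(out)
    info["alpn"] = _field(out, "ALPN protocol")  # 'h2' when HTTP/2 was negotiated
    info["ok_now"] = stapled_response_ok(info, datetime.now(timezone.utc))
    return info


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_stapled_ocsp(SAMPLE_OCSP_OUTPUT))
```

Run it as `python3 check_staple.py mydomain.com` against a live host; with no argument it just parses the embedded sample. Passing the serial that testssl printed for the served certificate as `expected_serial` catches the case where the stapled response belongs to a previous certificate after a renewal.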
  • cPanelMichael
    But how do I customise this in include file if I want to disable/remove only Apache from serving the site via 443 but not uninstall the SSL certificate and let LiteSpeed web server take priority of HTTPS/SSL and serve the site's 443 via LiteSpeed's native vhost config console

    Hello :) You will likely receive more feedback on this type of question at the LiteSpeed forums, as it's a customization of the LiteSpeed plugin and it's not a configuration that's natively supported by cPanel:
  • eva2000
    Thanks @cPanelMichael. While I solved my problem without needing to disable the 443 vhost in Apache's httpd.conf, it's actually a question of whether EasyApache's Apache can disable the 443 vhost using the include "/usr/local/apache/conf/userdata/ssl/2_2/username/DOMAINNAME.COM/*.conf" include file but NOT uninstall the SSL certificate for the vhost.
  • cPanelMichael
    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
