EasyApache 4 Defaults SSL On?
A little while ago an operation began to migrate services from an older server being decommissioned to a new server with CloudLinux 7 and cPanel with EasyApache 4 (versus EasyApache 3). Now while everything is going well there is some odd behavior we noticed: it seems EasyApache 4 on the default profile (we haven't customized it to our liking yet) is defaulting all sites except the server's own hostname to SSL enabled only.
In other words: all sites are automatically connected to the SSL version (which is completely fine; we have all the SSL certificates) but we're trying to figure out whether it's something related to CloudFlare Enterprise or is it cPanel's EasyApache 4. The only new items introduced into the environment were cPanel's EasyApache 4 and CloudLinux 7.
We of course discovered this when our .htaccess files were causing redirect loops for the service being migrated as they had directives to redirect all traffic to SSL already there.
So really, as a simple question because Google doesn't really find anything: is this normal EasyApache 4 behavior? If pertinent, the following is the previous and new server's Pre-Main Include:
Header add Strict-Transport-Security "max-age=31536000"
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4-
In other words: all sites are automatically connected to the SSL version (which is completely fine; we have all the SSL certificates) but we're trying to figure out whether it's something related to CloudFlare Enterprise or is it cPanel's EasyApache 4. The only new items introduced into the environment were cPanel's EasyApache 4 and CloudLinux 7.
Hello, This is not the intended behavior when converting to EasyApache 4. Have you customized any aspects of the Apache configuration on this system (e.g. custom Vhost entries)? Thank you.0 -
Hello, This is not the intended behavior when converting to EasyApache 4. Have you customized any aspects of the Apache configuration on this system (e.g. custom Vhost entries)? Thank you.
No, no custom Vhost entries have been added to the Apache configuration. The only changes made to Apache so far were the ones outlined above; any other change [if any] was done automatically by WHM. The only other change made so far was the installation of mod_cloudflare which wasn't done to EasyApache 4 (it installed to EA3) and Apache hasn't even been recompiled yet nor has mod_cloudflare been appropriately installed to EasyApache 4 either so EA4 is running default except for the changes outlined in the original post. Even trying to do a direct route to the domains using port 80 auto-redirects to 443/HTTPS. It's not a bad thing (in fact; it would be great if cPanel/WHM could do this automatically) but to know that this is not normal behavior is concerning.0 -
The only changes made to Apache so far were the ones outlined above;
Do you notice a difference if you temporarily remove those custom entries? Thank you.0 -
Do you notice a difference if you temporarily remove those custom entries? Thank you.
@cPanelMichael - I know this thread has gotten a little old but we did eventually figure it out a few days ago and it was one of those "how did we miss that" moments. Our domains are part of the HSTS Preload Database used by virtually every modern browser. It just so happens that when we moved to EasyApache 4 also happened to be the concurrent time the final domains that were submitted had been added to the browsers. We figured this out when we saw an error pop up on Chrome when accessing a legacy server being ready for decommissioning that didn't have the SSL Certs cause a screen to pop up (the privacy error screen) saying the domain always uses HSTS and you cannot continue to the specific URL because the specific URL (several subdomains in depth) wasn't using HSTS and has a mismatched certificate of our currently published one.0 -
I'm happy to see you were able to address the issue. Thank you for updating us with the outcome. 0
Please sign in to leave a comment.
Comments
5 comments