Apache SSL “catch all” for maintenance
We're going to have to temporarily shut down our servers, as they need to be physically moved and put onto a better UPS.
I don't want to just have "can't connect" errors come up for our users, and I have another smaller server box that I thought could display a "maintenance mode" message.
Reassure them that this is scheduled maintenance - so they're not panicked that we've disappeared or anything - give them a time for when everything will be back up, apologise for the inconvenience. That sort of thing.
For HTTP, this is easy to set up. I create the "maintenance mode" HTML page and then have it that the default virtualhost - the catch all - shows this page upon any request made to the server.
So that any HTTP links to any of the virtual hosts on our servers will match this and show the temporary "service unavailable" message.
But HTTPS has me a little stumped, because the host name has to match the SSL certificate to avoid the browser throwing up security warnings.
What I want is a default SSL "catch all" that'll match any host name - because none of the virtual hosts are actually up on this temporary server - and then redirect to the HTTP maintenance message.
I gave this a go:
<VirtualHost *:443>
ServerName catch-all
ServerAlias *
RedirectMatch ^(.*)$ http://%SERVER_NAME/
</VirtualHost>
But I'm getting "the site can't provide a secure connection" in Chrome (ERR_SSL_PROTOCOL_ERROR) and curl is complaining about "ssl wrong version".
I need it so that if someone follows an HTTPS link to something on our servers, it's all redirected to the HTTP "maintenance" page.
Can a server "cancel" the SSL handshake and redirect to HTTP like this?
Tags: apache-2.4, https, redirect, http
asked Apr 8 at 11:29 by Bob
The problem is essentially that the SSL connection needs to be successfully established before you can even send HTTP protocol messages. That requires that your temporary server has valid certificates for all URLs that you use - in which case you won't need to redirect to http any more and can simply send a pretty 503 response over https.
– HBruijn
Apr 8 at 12:58
You already have an SSL certificate, just use that!
– Michael Hampton♦
Apr 8 at 13:25
@HBruijn Yes, it looks like I'll have to recreate all the virtual hosts on the outage server, using their respective SSL certificates, and have them all use the same "DocumentRoot" instead. I was hoping to avoid that, as we have a good dozen vhosts to cover but I guess SSL means it's the only way.
– Bob
Apr 8 at 15:35
3 Answers
Use the existing certificates of the services to set up name-based virtual hosts, with document roots containing the outage messages. TLS Server Name Indication support allows you to have different SSL configuration directives, including different certificates, per vhost.
If such outages are a problem for your organization, consider removing single points of failure from your design. Web servers in different racks, behind a clustered load balancer, all with dual power supplies on different circuits, remote-hosted outage messages. This can get expensive, so choose the redundancy appropriate for your service availability objectives.
– John Mahowald
answered Apr 8 at 14:52
We do have multiple web servers behind a load balancer - and I've set up link aggregation for all network links (except for the dedicated symmetric fibre optic line coming from our ISP, but we have an SLA on that, guaranteeing service or they owe us money per hour it's down), plus each service (web, email, cloud) is separated onto different storage servers.
– Bob
Apr 8 at 15:17
The server box in question is to be the remote hosted outage message (but I have to set that up). Basically, I've been removing single points of failure as much as I can. This outage, ironically, is part of that - the whole server cabinet needs to be physically moved to put it all onto proper UPS. I've done as much as I can to eliminate single points of failure within the constraints of the budget I'm given.
– Bob
Apr 8 at 15:24
Definitely, sometimes improvements require a maintenance window. Your question wasn't clear you had a load balancer and multiple app servers to work with. If those span racks and/or power feeds, you might be able to fail over with minimal downtime. But sometimes you just don't have the redundancy, which is fine for many services.
– John Mahowald
Apr 8 at 17:38
Yeah, they don't currently span power feeds sufficiently to avoid some shutdown. That's the underlying point of the move, to fix this situation. Basically, the cluster has been gradually added to in an ad-hoc way - as it has slowly funded its own expansion - but this has left some earlier choices, done to just make things initially work, now inadequate going forward. I regret the shutdown - the first we've ever done in a few years of operation - but it's to re-jig things so that it should never be needed ever again.
– Bob
2 days ago
Technically your issue could be solved using a wildcard certificate (*.domain.com). It may be possible to manually generate one using the Let's Encrypt DNS certificate request method (https://letsencrypt.org/how-it-works/) even if your DNS provider doesn't provide an API that can be used for automatically creating TXT records as required for long-term use.
As for your suggested workaround:
If you are using the HTTP Strict Transport Security header (HSTS) - which you really should - then client browsers will refuse to acknowledge an HTTP-only site that turns up in lieu of a previously known HTTPS one; so that shouldn't be a valid option.
I have a wildcard for our own domain name's services, but we also host some websites with completely different domain names, so our wildcard won't cover those. And, yes, our cloud service (via Nextcloud) does use HSTS, so it won't be a valid option.
– Bob
Apr 8 at 15:30
Following HBruijn and John Mahowald's advice, I'm just going to set up the virtual hosts on the outage server with their respective SSL certificates, but all with a "DocumentRoot /var/www/html" to serve the maintenance page.
This is more work - which I'd hoped to avoid by a "catch all", as every single virtual host will be serving the exact same content - but SSL doesn't easily permit that.
And I was also thinking that, in future, should this be needed again and we have more virtual hosts then the "catch all" idea would have kept on working, without me having to manually add any new virtual hosts to the outage server each time.
If it were possible, then it would have made more sense. But it's not, because of how SSL works, so I'll just have to do it all manually.
Well, hopefully, the outage server will rarely, if ever, be called on again.
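A concrete version of the approach the thread settles on (John Mahowald's SNI vhosts with a shared document root, HBruijn's "503 over https" rather than a downgrade to HTTP, and Bob's wish not to hand-write a dozen vhosts), written as an added example that is not code from the original thread: a POSIX shell script that emits one HTTPS virtual host per hostname, each with its own certificate, all sharing one maintenance DocumentRoot and answering every request with 503 plus Retry-After. It assumes Apache 2.4 with mod_ssl, mod_rewrite and mod_headers enabled; the hostnames, certificate paths and /var/www/maintenance are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate an Apache 2.4 maintenance config for many TLS vhosts.
# Each hostname gets its own <VirtualHost *:443> (chosen by SNI) with its own
# certificate, but all share one DocumentRoot and return 503 for every request.
# Staying on HTTPS keeps HSTS clients working; a host whose certificate is
# missing from this list will still fail for them, which is the thread's point.
# Requires mod_ssl, mod_rewrite, mod_headers. Hosts/paths are constructed.

MAINT_ROOT="/var/www/maintenance"   # holds maintenance.html (constructed path)
RETRY_AFTER="7200"                  # seconds clients should wait before retrying

# Constructed host list, one "hostname cert key" triple per line.
# The first TLS vhost emitted is also Apache's default for clients that send
# no SNI or an unknown name, so list the most important host first.
HOSTS='
www.example.test /etc/letsencrypt/live/www.example.test/fullchain.pem /etc/letsencrypt/live/www.example.test/privkey.pem
cloud.example.test /etc/letsencrypt/live/cloud.example.test/fullchain.pem /etc/letsencrypt/live/cloud.example.test/privkey.pem
shop.other-example.test /etc/ssl/other-example/fullchain.pem /etc/ssl/other-example/privkey.pem
'

# maint_body: directives shared by every vhost. Everything except the
# maintenance page itself is answered with 503, so the ErrorDocument
# subrequest can still fetch the page with a 200 and render it as the body.
maint_body() {
    cat <<EOF
    DocumentRoot $MAINT_ROOT
    <Directory $MAINT_ROOT>
        Require all granted
    </Directory>
    ErrorDocument 503 /maintenance.html
    Header always set Retry-After "$RETRY_AFTER" "expr=%{REQUEST_STATUS} == 503"
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/maintenance\\.html\$
    RewriteRule ^ - [R=503,L]
EOF
}

# gen_tls_vhost HOST CERT KEY: one SNI-selected HTTPS vhost for HOST.
gen_tls_vhost() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile $2
    SSLCertificateKeyFile $3
$(maint_body)
</VirtualHost>

EOF
}

# gen_http_catchall: the plain-HTTP side, which needs no certificate and
# can therefore match any Host header.
gen_http_catchall() {
    cat <<EOF
<VirtualHost *:80>
    ServerName maintenance.example.test
    ServerAlias *
$(maint_body)
</VirtualHost>

EOF
}

# gen_all: the complete config, HTTP catch-all first, then one TLS vhost
# per entry in HOSTS (blank lines in the list are skipped).
gen_all() {
    gen_http_catchall
    printf '%s\n' "$HOSTS" | while read -r host cert key; do
        if [ -n "$host" ]; then
            gen_tls_vhost "$host" "$cert" "$key"
        fi
    done
}

# count_tls_vhosts: number of HTTPS vhosts emitted, a quick sanity check
# against the host list before the config is enabled.
count_tls_vhosts() {
    gen_all | grep -c 'SSLEngine on'
}

gen_all
```

Redirect the output into a site file (for example `sites-available/maintenance.conf`), enable it alone on the outage box, and check it with `apachectl configtest` before reloading; adding a future host is one new line in HOSTS.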
New contributor
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Bob is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962011%2fapache-ssl-catch-all-for-maintenance%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Use the existing certificates of the services to set up name based virtual hosts, with document roots containing the outage messages. TLS Server Name Indication support allows you to have different SSL configuration directives, including different certificates, per vhost.
If such outages are a problem for your organization, consider removing single points of failure from your design. Web servers in different racks, behind a clustered load balancer, all with dual power supplies on different circuits, remote hosted outage messages. This can get expensive, so choose the redundancy appropriate for your service availability objectives.
We do have multiple web servers behind a load balancer - and I've set up link aggregation for all network links (except for the dedicated symmetric fibre optic line coming from our ISP, but we have an SLA on that, guaranteeing service or they owe us money per hour it's down), plus each service (web, email, cloud) is separated onto different storage servers.
– Bob
Apr 8 at 15:17
The server box in question is to be the remote hosted outage message (but I have to set that up). Basically, I've been removing single points of failure as much as I can. This outage, ironically, is part of that - the whole server cabinet needs to be physically moved to put it all onto proper UPS. I've done as much as I can to eliminate single points of failure within the constraints of the budget I'm given.
– Bob
Apr 8 at 15:24
Definitely, sometimes improvements require a maintenance window. Your question wasn't clear you had a load balancer and multiple app servers to work with. If those span racks and/or power feeds, you might be able to fail over with minimal downtime. But sometimes you just don't have the redundancy, which is fine for many services.
– John Mahowald
Apr 8 at 17:38
Yeah, they don't currently span power feeds sufficiently to avoid some shutdown. That's the underlying point of the move, to fix this situation. Basically, the cluster has been gradually added to in an ad-hoc way - as it has slowly funded its own expansion - but this has left some earlier choices, done to just make things initially work, now inadequate going forward. I regret the shutdown - the first we've ever done in a few years of operation - but it's to re-jig things so that it should never be needed ever again.
– Bob
2 days ago
add a comment |
Use the existing certificates of the services to set up name based virtual hosts, with document roots containing the outage messages. TLS Server Name Indication support allows you to have different SSL configuration directives, including different certificates, per vhost.
If such outages are a problem for your organization, consider removing single points of failure from your design. Web servers in different racks, behind a clustered load balancer, all with dual power supplies on different circuits, remote hosted outage messages. This can get expensive, so choose the redundancy appropriate for your service availability objectives.
We do have multiple web servers behind a load balancer - and I've set up link aggregation for all network links (except for the dedicated symmetric fibre optic line coming from our ISP, but we have an SLA on that, guaranteeing service or they owe us money per hour it's down), plus each service (web, email, cloud) is separated onto different storage servers.
– Bob
Apr 8 at 15:17
The server box in question is to be the remote hosted outage message (but I have to set that up). Basically, I've been removing single points of failure as much as I can. This outage, ironically, is part of that - the whole server cabinet needs to be physically moved to put it all onto proper UPS. I've done as much as I can to eliminate single points of failure within the constraints of the budget I'm given.
– Bob
Apr 8 at 15:24
Definitely, sometimes improvements require a maintenance window. Your question wasn't clear you had a load balancer and multiple app servers to work with. If those span racks and/or power feeds, you might be able to fail over with minimal downtime. But sometimes you just don't have the redundancy, which is fine for many services.
– John Mahowald
Apr 8 at 17:38
Yeah, they don't currently span power feeds sufficiently to avoid some shutdown. That's the underlying point of the move, to fix this situation. Basically, the cluster has been gradually added to in an ad-hoc way - as it has slowly funded its own expansion - but this has left some earlier choices, done to just make things initially work, now inadequate going forward. I regret the shutdown - the first we've ever done in a few years of operation - but it's to re-jig things so that it should never be needed ever again.
– Bob
2 days ago
add a comment |
Use the existing certificates of the services to set up name based virtual hosts, with document roots containing the outage messages. TLS Server Name Indication support allows you to have different SSL configuration directives, including different certificates, per vhost.
If such outages are a problem for your organization, consider removing single points of failure from your design. Web servers in different racks, behind a clustered load balancer, all with dual power supplies on different circuits, remote hosted outage messages. This can get expensive, so choose the redundancy appropriate for your service availability objectives.
Use the existing certificates of the services to set up name based virtual hosts, with document roots containing the outage messages. TLS Server Name Indication support allows you to have different SSL configuration directives, including different certificates, per vhost.
If such outages are a problem for your organization, consider removing single points of failure from your design. Web servers in different racks, behind a clustered load balancer, all with dual power supplies on different circuits, remote hosted outage messages. This can get expensive, so choose the redundancy appropriate for your service availability objectives.
answered Apr 8 at 14:52
John MahowaldJohn Mahowald
8,7411713
8,7411713
We do have multiple web servers behind a load balancer - and I've set up link aggregation for all network links (except for the dedicated symmetric fibre optic line coming from our ISP, but we have an SLA on that, guaranteeing service or they owe us money per hour it's down), plus each service (web, email, cloud) is separated onto different storage servers.
– Bob
Apr 8 at 15:17
The server box in question is to be the remote hosted outage message (but I have to set that up). Basically, I've been removing single points of failure as much as I can. This outage, ironically, is part of that - the whole server cabinet needs to be physically moved to put it all onto proper UPS. I've done as much as I can to eliminate single points of failure within the constraints of the budget I'm given.
– Bob
Apr 8 at 15:24
Definitely, sometimes improvements require a maintenance window. Your question wasn't clear you had a load balancer and multiple app servers to work with. If those span racks and/or power feeds, you might be able to fail over with minimal downtime. But sometimes you just don't have the redundancy, which is fine for many services.
– John Mahowald
Apr 8 at 17:38
Yeah, they don't currently span power feeds sufficiently to avoid some shutdown. That's the underlying point of the move, to fix this situation. Basically, the cluster has been gradually added to in an ad-hoc way - as it has slowly funded its own expansion - but this has left some earlier choices, done to just make things initially work, now inadequate going forward. I regret the shutdown - the first we've ever done in a few years of operation - but it's to re-jig things so that it should never be needed ever again.
– Bob
2 days ago
add a comment |
We do have multiple web servers behind a load balancer - and I've set up link aggregation for all network links (except for the dedicated symmetric fibre optic line coming from our ISP, but we have an SLA on that, guaranteeing service or they owe us money per hour it's down), plus each service (web, email, cloud) is separated onto different storage servers.
– Bob
Apr 8 at 15:17
The server box in question is to be the remote hosted outage message (but I have to set that up). Basically, I've been removing single points of failure as much as I can. This outage, ironically, is part of that - the whole server cabinet needs to be physically moved to put it all onto proper UPS. I've done as much as I can to eliminate single points of failure within the constraints of the budget I'm given.
– Bob
Apr 8 at 15:24
Definitely, sometimes improvements require a maintenance window. Your question wasn't clear you had a load balancer and multiple app servers to work with. If those span racks and/or power feeds, you might be able to fail over with minimal downtime. But sometimes you just don't have the redundancy, which is fine for many services.
– John Mahowald
Apr 8 at 17:38
Yeah, they don't currently span power feeds sufficiently to avoid some shutdown. That's the underlying point of the move, to fix this situation. Basically, the cluster has been gradually added to in an ad-hoc way - as it has slowly funded its own expansion - but this has left some earlier choices, done to just make things initially work, now inadequate going forward. I regret the shutdown - the first we've ever done in a few years of operation - but it's to re-jig things so that it should never be needed ever again.
– Bob
2 days ago
We do have multiple web servers behind a load balancer - and I've set up link aggregation for all network links (except for the dedicated symmetric fibre optic line coming from our ISP, but we have an SLA on that, guaranteeing service or they owe us money per hour it's down), plus each service (web, email, cloud) is separated onto different storage servers.
– Bob
Apr 8 at 15:17
We do have multiple web servers behind a load balancer - and I've set up link aggregation for all network links (except for the dedicated symmetric fibre optic line coming from our ISP, but we have an SLA on that, guaranteeing service or they owe us money per hour it's down), plus each service (web, email, cloud) is separated onto different storage servers.
– Bob
Apr 8 at 15:17
The server box in question is to be the remote hosted outage message (but I have to set that up). Basically, I've been removing single points of failure as much as I can. This outage, ironically, is part of that - the whole server cabinet needs to be physically moved to put it all onto proper UPS. I've done as much as I can to eliminate single points of failure within the constraints of the budget I'm given.
– Bob
Apr 8 at 15:24
The server box in question is to be the remote hosted outage message (but I have to set that up). Basically, I've been removing single points of failure as much as I can. This outage, ironically, is part of that - the whole server cabinet needs to be physically moved to put it all onto proper UPS. I've done as much as I can to eliminate single points of failure within the constraints of the budget I'm given.
– Bob
Apr 8 at 15:24
Definitely, sometimes improvements require a maintenance window. Your question wasn't clear you had a load balancer and multiple app servers to work with. If those span racks and/or power feeds, you might be able to fail over with minimal downtime. But sometimes you just don't have the redundancy, which is fine for many services.
– John Mahowald
Apr 8 at 17:38
Yeah, they don't currently span power feeds sufficiently to avoid some shutdown. That's the underlying point of the move, to fix this situation. Basically, the cluster has been gradually added to in an ad-hoc way - as it has slowly funded its own expansion - but this has left some earlier choices, done to just make things initially work, now inadequate going forward. I regret the shutdown - the first we've ever done in a few years of operation - but it's to re-jig things so that it should never be needed ever again.
– Bob
2 days ago
Technically your issue could be solved using a wildcard certificate (*.domain.com). It may be possible to manually generate one using the Let's Encrypt DNS certificate request method (https://letsencrypt.org/how-it-works/) even if your DNS provider doesn't provide an API that can be used for automatically creating TXT records as required for long-term use.
As for your suggested workaround:
If you are using the HTTP Strict Transport Security header (HSTS) - which you really should - then client browsers will refuse to acknowledge an HTTP-only site that turns up in lieu of a previously known HTTPS one; so that shouldn't be a valid option.
I have a wildcard for our own domain name's services, but we also host some websites with completely different domain names, so our wildcard won't cover those. And, yes, our cloud service (via Nextcloud) does use HSTS, so it won't be a valid option.
– Bob
Apr 8 at 15:30
answered Apr 8 at 11:52 by Mikael H
Following HBruijn and John Mahowald's advice, I'm just going to set up the virtual hosts on the outage server with their respective SSL certificates, but all with a "DocumentRoot /var/www/html" to serve the maintenance page.
This is more work - which I'd hoped to avoid by a "catch all", as every single virtual host will be serving the exact same content - but SSL doesn't easily permit that.
And I was also thinking that, in future, should this be needed again and we have more virtual hosts, then the "catch all" idea would have kept on working, without me having to manually add any new virtual hosts to the outage server each time.
If it were possible, then it would have made more sense. But it's not, because of how SSL works, so I'll just have to do it all manually.
Well, hopefully, the outage server will rarely, if ever, be called on again.
answered Apr 8 at 19:38 by Bob
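One way to generate the per-host configuration described in the accepted approach for a dozen or more virtual hosts, as an added example that is not code from this thread: every host gets its own certificate and the shared DocumentRoot, every request is answered with a 503 and a Retry-After header over HTTPS (as HBruijn's comment suggests), and the HSTS header is kept so browsers that remember the HTTPS site are not shown a downgraded one. It assumes a placeholder certificate layout under /etc/ssl/outage/<domain>/ and an Apache with mod_ssl, mod_headers and mod_rewrite loaded.

```shell
#!/bin/sh
# Added example: generate Apache outage-server vhosts, one per hosted domain.
# Assumed (placeholder) layout: ${CERT_ROOT}/<domain>/fullchain.pem and privkey.pem.
CERT_ROOT="${CERT_ROOT:-/etc/ssl/outage}"
DOCROOT="${DOCROOT:-/var/www/html}"

# vhost_conf DOMAIN: print the :80 redirect and the :443 maintenance vhost.
vhost_conf() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    # Plain HTTP never serves content; it only sends clients to HTTPS.
    Redirect permanent / https://${domain}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${domain}
    SSLEngine on
    SSLCertificateFile    ${CERT_ROOT}/${domain}/fullchain.pem
    SSLCertificateKeyFile ${CERT_ROOT}/${domain}/privkey.pem
    DocumentRoot ${DOCROOT}
    # Keep HSTS so browsers that pinned HTTPS still accept this host.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # 503 + Retry-After: caches and crawlers treat the outage as temporary,
    # not as the site's new content.
    Header always set Retry-After "3600"
    ErrorDocument 503 /maintenance.html
    RewriteEngine on
    # Let the error page itself be fetched; everything else returns 503.
    RewriteCond %{REQUEST_URI} !^/maintenance\.html\$
    RewriteRule ^ - [R=503,L]
</VirtualHost>
EOF
}

# write_all DOMAINS_FILE OUTDIR: one domain per line (constructed input),
# one <domain>.conf per line written to OUTDIR for Apache to include.
write_all() {
    while read -r d; do
        [ -n "$d" ] || continue
        vhost_conf "$d" > "$2/${d}.conf"
    done < "$1"
}
```

Hostnames that have no generated vhost still land in Apache's first loaded vhost and present the wrong certificate, which is exactly the limitation the thread describes, so run `apachectl configtest` and check the list of domains against the certificates you actually hold before the window opens.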
The problem is essentially that the SSL connection needs to be successfully established before you can even send HTTP protocol messages. That requires that your temporary server has valid certificates for all URLs that you use - in which case you won't need to redirect to http any more and can simply send a pretty 503 response over https
– HBruijn
Apr 8 at 12:58
You already have an SSL certificate, just use that!
– Michael Hampton♦
Apr 8 at 13:25
@HBruijn Yes, it looks like I'll have to recreate all the virtual hosts on the outage server, using their respective SSL certificates, and have them all use the same "DocumentRoot" instead. I was hoping to avoid that, as we have a good dozen vhosts to cover, but I guess SSL means it's the only way.
– Bob
Apr 8 at 15:35