This is a bit strange for my single server ISPconfig setup (Ubuntu 16.10 and apache)... Everything working OK until I created a client for a friend (he was the first client I created as admin). I gave the server IP and he did something on his side with his domain registrar worldnic.com. Then this morning I started to see strange behaviors with my sites such as angelright.com and angelrights.com - if I access them from HTTPS then I have no problem seeing what should be seen. However, if I access them from HTTP then both redirect to my friend's website fishcafe.org. I did create my own private DNS ns1.angelright.com and ns2.angelright.com (pointing to the same server IP) and I could let him use these and hopefully that could solve the problem. But this still leaves a hole for others to hijack all my sites as one can easily find the site IP. I tried turning on Rewrite HTTP to HTTPS for domain redirect, but this does not help. So why this? How could I solve this problem?
OK, I can replicate this with other sites. Basically, all domains with A records pointing to the server IP end up going to my friend's site! Haaaaa, very strange. I am testing site angelrite.com using my private DNS ns1.angelright.com and ns2.angelright.com - waiting for the new setting to be resolved. See what will happen. But right now the loophole has to be fixed :-( My friend's site document root is /var/www/clients/client1/web4
I wonder if it has something to do with DNS Zone settings. Initially, I did not set any DNS Zone and just created the first client, who was my friend. And then I created a bunch of my sites on the server. After some glitches here and there, I started to realize that I needed to set a DNS Zone and private DNS. So, setting DNS Zones after creating websites is the root of this problem? Do I have to set a DNS Zone for each website? I read and re-read the PDF manual many times, nowhere does it say anything about the sequence of operations concerning website creation.
I read some posts saying that one must create a domain zone before creating the first website. But what about the second and more websites? Creating a DNS Zone for each additional website before adding that website to server? Confused.
I found this post which helps: https://www.howtoforge.com/community/threads/ispconfig-serving-wrong-site-over-https.71473/ And I set up a dummy website 000dummy.com accordingly. But then a new issue comes out... Every time I modify a website setting, the site is not showing up; what takes its place is the index.html file for this dummy site.
With Let's Encrypt built in ISPconfig, I want all my sites to be accessed via https but none of the methods I have found so far works. Not even with ISPconfig built in Rewrite HTTP to HTTPS setting for a particular site. I also tried methods given here, none worked: https://www.howtoforge.com/community/threads/http-to-https-redirection.44209/
I think you don't need any dummy vhost if all your sites within the same ip are secured with https / ssl. I am not sure about Apache vhost settings, but in Nginx, to ensure all secured sites are going exactly to their address (domain) in the browsers, I enabled HSTS in their respective vhost via custom nginx vhost. This way, you won't be proposed or be able to continue to other site, rather than the address (domain) that you typed in your browsers.
Great hint. Then how to do it with Apache? I wonder if it is a DNS Zone setting problem. As right now all sites being accessed via HTTP go to the dummy site. Well, I have now removed all DNS Zones. Would that help? This drives me crazy!
Check on how to do it in this discussion but don't forget to enable apache headers module (a2enmod headers) and redirect http to https (via control panel). The best way to automatically add HSTS line is via copying original vhost from conf folder to conf-custom folder and modify it by inserting that line inside the first <tmpl_if name='ssl_enabled'>. Rewrite to https also can be done in the same, if you know what you are doing.
As far as I can see, https for this site is just not working, so you must see a different site then. This is not a problem with http to https redirect then nor DNS related. Check the vhost file of the website to ensure that you really have a https section in it and check that there is no copy of the vhost file with .err ending which indicates that the config could not be written.
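The two checks suggested in the post above (an HTTPS section in each vhost file, and no leftover copy with an .err ending), written as a script. This is an added example, not part of the thread or of ISPConfig; the directory argument, the `.vhost` file suffix and the sample files on hypothetical domains are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumption: generated vhost files are
# named <domain>.vhost and live in the directory passed as $1 (on Debian or
# Ubuntu with Apache typically /etc/apache2/sites-available).

# Print the port of every <VirtualHost addr:port> block in file $1.
vhost_ports() {
  awk 'tolower($1) == "<virtualhost" {
         for (i = 2; i <= NF; i++) { p = $i; gsub(/>/, "", p); sub(/.*:/, "", p); print p }
       }' "$1" | sort -u
}

# Report vhosts whose config could not be written (.err copy) or that have
# no *:443 block, so HTTPS requests for them land in some other vhost.
audit_vhosts() {
  rc=0
  for f in "$1"/*.err; do
    [ -e "$f" ] || continue
    echo "CONFIG_NOT_WRITTEN:$(basename "$f" .err)"; rc=1
  done
  for f in "$1"/*.vhost; do
    [ -e "$f" ] || continue
    if ! vhost_ports "$f" | grep -qx 443; then
      echo "NO_HTTPS_SECTION:$(basename "$f" .vhost)"; rc=1
    fi
  done
  return $rc
}

# Constructed sample files (hypothetical domains) for an offline run.
make_sample() {
  printf '<VirtualHost *:80>\n ServerName a.example\n</VirtualHost>\n<VirtualHost *:443>\n ServerName a.example\n</VirtualHost>\n' > "$1/a.example.vhost"
  printf '<VirtualHost *:80>\n ServerName b.example\n</VirtualHost>\n' > "$1/b.example.vhost"
  printf '<VirtualHost *:80>\n ServerName c.example\n' > "$1/c.example.vhost.err"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_vhosts "$demo_dir" || true
rm -rf "$demo_dir"
```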
Strange. At least two of the mentioned sites in the previous posts of which I tried to access do work fine i.e. https://angelrights.com and https://fishcafe.org. But I am not sure about the other two sites which one does not work (angelright.com) and the other is showing other site (worldnic.com).
It turns out to be partly the DNS Zone problem - basically I have to use the DNS-Wizard to add a DNS Zone for each website I add in ISPconfig. Once I add a DNS Zone, then the website will show in HTTP access. Then I can create SSL and LE SSL for the site so that it can be accessed via HTTPS. But the problem remains... HTTP accesses to all websites display the 000dummy.com index.html page. See...
https://angelrite.net - this displays the index.html correctly in its own folder
http://angelrite.net - this displays the 000dummy.com index.html
Very strange indeed. Why HTTP access is not working for ALL sites?
Well, there is one EXCEPTION, the server domain atlmaster.angelright.com works in both HTTP and HTTPS - see...
http://atlmaster.angelright.com
https://atlmaster.angelright.com
By checking the above, I find different browsers give different results. While Google Chrome and most browsers redirect to the HTTPS right away (this is what I want for all sites!), the Midori browser displays both without redirecting to HTTPS.
I suppose that is the normal apache webserver behaviour for single ip if you do not redirect from http to https. I already explained in short if you want to enable HSTS and redirect in reply #10. It is up to you then.
I wanted to do that but do not know how. Bill suggests to do it either by adding something into vhost master or do it individually through Apache Directives for each website. My understanding is this file is vhost master: /usr/local/ispconfig/server/conf/vhost.conf.master Correct? Then I run these two commands:
Code:
a2enmod headers
service apache2 restart

But what to add in vhost master? This...
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

or this...
Code:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Some suggest adding this for each website...
Code:
<If "%{HTTPS} == 'off'">
  Redirect permanent / https://somedomain.com/
</If>
<If "%{HTTPS} == 'on'">
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</If>

I tried some of the above but CONFUSED!
No. You do not modify the original but make a copy of it to custom folder something like this:
cp -a /usr/local/ispconfig/server/conf/vhost.conf.master /usr/local/ispconfig/server/conf-custom/vhost.conf.master
Then you edit the copied file:
nano /usr/local/ispconfig/server/conf-custom/vhost.conf.master
In there under the first <tmpl_if name='ssl_enabled'> there are lines for HSTS already which you can uncomment (remove #) to enable it and modify if you like:
Code:
# <IfModule mod_headers.c>
# Header always add Strict-Transport-Security "max-age=15768000"
# </IfModule>

Instead of "max-age=15768000" you can use the suggested "max-age=15768000; includeSubDomains; preload". Lastly, you can add this modified code of yours above ServerAdmin [email protected]<tmpl_var name='domain'> to automate redirect to https:
Code:
<If "%{HTTPS} == 'off'">
  Redirect permanent / https://<tmpl_var name='domain'>/
</If>
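A check for the result of the procedure above: plain HTTP must redirect to HTTPS on the same domain, and the HTTPS response must carry the HSTS header. This is an added example, not from the thread; the function names and the header samples (on hypothetical example domains) are constructed, and on a live server the input would come from `curl -sI`.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Header samples are constructed; on a
# live server capture them with: curl -sI "http://$domain/" (or https://).

# Print the value of response header $2 (case-insensitive) from raw headers $1.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" '
    BEGIN { n = tolower(n) ":" }
    tolower(substr($0, 1, length(n))) == n { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Judge the plain-HTTP answer ($2 = raw headers) for domain $1.
check_http() {
  status=$(printf '%s\n' "$2" | awk 'NR == 1 { print $2 }')
  case $status in
    301|302|307|308) ;;
    *) echo "NO_REDIRECT"; return 1 ;;
  esac
  location=$(header_value "$2" Location)
  case $location in
    https://*) ;;
    *) echo "REDIRECT_NOT_HTTPS"; return 1 ;;
  esac
  host=${location#https://}; host=${host%%/*}; host=${host%%:*}
  if [ "$host" = "$1" ] || [ "$host" = "www.$1" ]; then
    echo "OK"
  else
    echo "REDIRECT_TO_OTHER_HOST:$host"; return 1
  fi
}

# Judge the HTTPS answer ($1 = raw headers): HSTS present with max-age > 0.
check_hsts() {
  v=$(header_value "$1" Strict-Transport-Security)
  [ -n "$v" ] || { echo "HSTS_MISSING"; return 1; }
  age=$(printf '%s\n' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -gt 0 ] || { echo "HSTS_BAD_MAX_AGE"; return 1; }
  echo "HSTS_OK:$age"
}

GOOD_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://site-a.example/\r\n')
WRONG_HOST=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://site-b.example/\r\n')
NO_REDIRECT=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')
GOOD_HTTPS=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000\r\n')

for sample in "$GOOD_HTTP" "$WRONG_HOST" "$NO_REDIRECT"; do
  check_http site-a.example "$sample" || true
done
check_hsts "$GOOD_HTTPS" || true
```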
OK, the odd thing is, like Till said, ISPconfig has built these inside. So why not do everything through ISPconfig? I am confused about the two options below. This? Or this...
Ahrasis, I tried what you suggested, enabled headers (already enabled) and then restarted apache2, did not work. Here is my custom vhost master...
Code:
</tmpl_if>
# https://www.howtoforge.com/community/threads/http-and-https-pointing-to-2-different-sites.76165/#post-359111
<If "%{HTTPS} == 'off'">
  Redirect permanent / https://<tmpl_var name='domain'>/
</If>
# custom addition ends
ServerAdmin [email protected]<tmpl_var name='domain'>
ErrorLog /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log
<tmpl_if name='errordocs'>
Alias /error/ "<tmpl_var name='web_document_root_www'>/error/"
ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 502 /error/502.html
ErrorDocument 503 /error/503.html
</tmpl_if>
<IfModule mod_ssl.c>
<tmpl_if name='ssl_enabled'>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-E$
SSLHonorCipherOrder on
<IfModule mod_headers.c>
# https://www.howtoforge.com/community/threads/http-and-https-pointing-to-2-different-sites.76165/#post-359111
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
# Custom modified ends here
</IfModule>