Server 5.0.4 Default Ports Changes

Hi,

Server 5 uses a reverse proxy (front end) which stands in front of various http-based network services, which I will refer to as backend services. In this configuration, a single apache config is used to handle all of the incoming requests from other hosts - apache_serviceproxy.conf. Incoming requests are reverse proxied to back end services, based on the request URI and whether a given back end service is enabled or disabled.

To create a custom vhost, click the + button under the websites list in Server.app. Define the vhost the same as in previous releases; using some unique combination of domain name, IP address, and port. When you save the site, a new config file will be written into /Library/Server/Web/Config/apache2/sites. The vhost you just created won't be served by an apache instance that's listening on ports reachable from other hosts, but that's OK because the reverse proxy will be ready to proxy those requests to your new vhost, based on configuration that Server adds to /Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites.conf.

One possible reason that your previously created vhosts aren't working might be that those configs are not meant to be behind a reverse proxy. In theory, custom sites that you had created in previous versions of Server should have been converted at upgrade time, but any hand-written / edited configs might not be handled automatically. In this case, you may need to edit those files to look similar to a custom site created by Server 5, or just re-create them from scratch using the Server UI.

I would not recommend trying to 'undo' the reverse proxy setup in Server 5. Hopefully I've explained how you can still add your own custom sites in a way that integrates with the new Server 5 reverse proxy setup. Also, take extreme caution when editing any files that you didn't create. Doing things in the apache config that aren't supported by the UI often causes issues down the road, because the upgrade / migration scripts can't anticipate all the possibilities of a hand-edited config.

Hope this helps.

Cheers,

-dre

Hi , I have similar problems. After upgrading to the 5.0.4 version my all sites are automatically redirected to SSL version of the pages, which doesn't exists and then the system choose any Ssl site he can find. I have deleted the SSL site which system choose instead, but this is still showing.

Please can you help me what should I do?

Im not so familiar with background setting. I used always only the Server.app, so please the me exactly where shovel i look and what i need to change.

Thanks.

Would it be possible for someone to produce a cheat sheet on addressing the issues with v5 redirecting SSL sites?

I have read through all the threads I can find on this topic and still cannot find a solution. It seems that many of us rely on the Server app (I know I do) to 'just work' and drilling into the background to get it to work again is maddening and confusing. As far as I am able to tell all the files are as they should be (dreness' explanation above makes perfect sense), but I still cannot get this to work.

My next approach will be to delete the SSL certificate for the site and have it reissued and reinstall it, perhaps that will work?

Any guidance GREATLY appreciated.

😟

Mac mini (Late 2014) / 3 GHz Intel Core i7 / 16GB RAM (colo)

OSX 10.11.1 (El Capitan beta) - [updated to try to fix issue]

Server 5.0.4

Apache 2.2

PHP 5.5.29

Hi,

Alfista_SK, it's not clear that you're having the same problem as the original poster in this thread. Requests to the "Server Website" are automatically redirected to SSL, and this shouldn't be disabled because the 'server website' is the one that hosts various built-in services that *should* use SSL. However it is still possible to use a non-SSL site to serve your own content, but you need to use a different domain name than the server's primary hostname for this to work, so the server can tell the difference between requests to the 'server website' and your custom site.

-dre

Hi Grady,

The two main issues I'm aware of involving redirects in Server 5 are:

Relative redirects

If your site uses relative redirects such as:

RewriteRule ^([^/\.]+)/([^/\.]+)/ /foo/ [R=301,L]

you will need to update the redirect to take into account the server name and protocol - this is because in the reverse proxy config, both the name and protocol change as the request traverses the proxy. An updated version of the above redirect might look like:

RewriteRule ^([^/\.]+)/([^/\.]+)/ %{HTTP:X-FORWARDED-PROTO}://%{SERVER_NAME}/foo/ [R=301,L]

Protocol relative redirects (too many redirects)

Rewrite rules that test the protocol on which the request arrived will have to be updated for Server 5, due again to the new reverse proxy configuration. For example, if your site has configuration like:

RewriteCond %{HTTPS} off

RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=302,L]

That could be updated to check the *forwarded* protocol - something like:

RewriteCond %{HTTP:X-Forwarded-Proto} !=https

RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=302,L]

Cheers,

-dre

I have two SSL sites on my server; one is at 'Default' the other is on a separate IP.

The one on the separate IP will not show as ACTIVE; meaning the green button is not lit and it just resolves to 'Default.' Also the MX record for that domain reports 'Users may not be able to access domain from the Internet.'

I have been able to add additional domains to the server successfully, there is just something stuck in the configuration for the one other SSL site that will not update.

I have attempted to delete the domain and SSL entirely and recreate it in Server -- no luck.

This seems similar to what #Mo-Zack originally reported above. Perhaps I am on the wrong track?

I have been looking for a way to downgrade also as that has been discussed as a viable solutions, but alas, Apple has removed v4 from everywhere I have looked.

Alfista_SK wrote:

Hi , I have similar problems. After upgrading to the 5.0.4 version my all sites are automatically redirected to SSL version of the pages, which doesn't exists and then the system choose any Ssl site he can find. I have deleted the SSL site which system choose instead, but this is still showing.

This is probably a separate question from the base question, and these changes are part of a very large effort to increase the security of the whole Internet. Beyond the servers, updates for OS X and iOS application clients are or will intentionally be seeking TLS connections, in preference to insecure connections. Best to get a certificate. Or if this is a private network and you don't want to spend for the commercial certificate, either create your own certificate authority and generate your own certs (involves learning more about how certs work), or just accept the locally-generated certificate when first connecting to the server.

Hi Mo-zack,

If you have a complex reverse proxy configuration, then adapting that configuration to Server 5 will probably take some work. The general tradeoff is: the GUI provides an easy-to-use way to set up basic / commonly used configurations, and you should generally expect that anything configured purely by the GUI should be maintained for you by Server, which means those configurations should be automatically updated to adapt to changes in newer Server versions. On the flip side, doing things with Server that can't be done with the GUI (I'm assuming your configuration falls into this category) requires a deeper understanding of the configuration, and usually requires more work than a pure GUI configuration. Additionally, because those configurations might contain elements not supported by the GUI, there is risk of breakage when a newer version comes along that is substantially different, because the upgrade scripts don't account for those unsupported elements. Sometimes even if everything is done in the GUI, there are bugs that can cause breakage, which is why testing and backups are important.

Getting your configurations to work in Server 5 is probably the same scale of work as it was for Server 4, it's just that now you have an environment based on a different set of assumptions, so the configurations needs to account for those differences. I suspect that your configs can be adapted for Server 5, but whether that's a worthwhile effort for you is something only you can decide. If you do attempt this, I would suggest taking time to learn the ins and outs of the 'webapps' mechanism, as that is probably the best place to define web service configurations that are supported by Apple. If you want to roll back to Server 4, plucking Server.app out of a backup should do the trick, although you may want to get a clean slate by removing Server and moving /Library/Server aside before running Server 4 and re-introducing your custom config and site resources. If you instead choose to use a different server platform, there will be more 'manual labor' involved at every turn, in exchange for a much more explicitly defined environment that changes less frequently than Server changes.

Hope this helps,

-dre

I just wanted to say again that #dreness' post was the most on-point that I found that helped me see the big picture of what the Server app was doing which helped me solve this redirect business. I am not sure exactly what I did to finally get it working, but all is finally well.

Thanks -dre!!!

Hi Grady,

Glad it helped!

Cheers,

-dre

Hi, I'm unable to use any site, while Im from normal site always redirected to any SSL. I have some SSL sites and doesn't help deleting this sites, while I was still redirected, but now there was nothing. And each of my site has his own host name and I don't use the primary servers name.

I tried to downgrade, but it broke complete server, nothing has work on it. I was needed to restore it from Time Machine backup but it need fully new and clean install. The Server app V5 has done more damages as we see on the first time.

I use certificates on sites, that need it, but some sites are free and don't need to have so big security.

But it fully destroyed sites settings and somewhere muted the redirecting. Maybe by clean install with the El Capitan will it work correctly, but after update not.