# Apache SSL VHOST can't find cgi-bin [SOLVED]

## Buddha001

Hi,

I'm not sure how long this has been going on, but I just noticed over the weekend that trying to access scripts in my cgi-bin through the default SSL vhost does not work. In my ssl_error_log, I see:

```
[Sun Aug 17 17:56:22 2008] [error] [client 192.168.1.1] File does not exist: /var/www/localhost/htdocs/cgi-bin
```

However, accessing the same script via non-SSL works just fine. I'm pretty much using the default vhost config files:

In /etc/apache2/vhosts.d/00_default_vhost.conf (w/o comments):

```
# Virtual Hosts
<IfDefine DEFAULT_VHOST>
Listen 80
NameVirtualHost *:80

<VirtualHost *:80>
   ServerName www.etumbo.com
   Include /etc/apache2/vhosts.d/default_vhost.include
   <IfModule mpm_peruser_module>
      ServerEnvironment apache apache
   </IfModule>
</VirtualHost>
</IfDefine>
```

In /etc/apache2/vhosts.d/default_vhost.include:

```
ServerAdmin <left out on purpose>
ServerName www.etumbo.com
DocumentRoot "/var/www/localhost/htdocs"

<Directory "/var/www/localhost/htdocs">
   Options Indexes FollowSymLinks Includes ExecCGI
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<IfModule alias_module>
   ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
   Alias /audio /mnt/SoundFiles
</IfModule>

<Directory "/var/www/localhost/cgi-bin">
   AllowOverride AuthConfig
#   Options None
   Order allow,deny
   Allow from all
</Directory>

RewriteEngine on
RewriteLog  "|/usr/sbin/cronolog --symlink=/var/log/apache2/ssl_rewrite.log.current /var/log/apache2/%Y/%m/ssl_rewrite.log"
RewriteLogLevel 1
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/horde/(.*) https://www.etumbo.com/horde/$1 [L]
RewriteRule ^/webmail/(.*) https://www.etumbo.com/horde/imp/$1 [L]
RewriteRule /webmail$ /webmail/ [L,R]
RewriteRule ^/gallery/(.*) http://gallery.etumbo.com/gallery/$1 [L]
RewriteRule ^/gallery$ http://gallery.etumbo.com [L]
#RewriteRule ^/audio.* http://audio.etumbo.com [L]
#RewriteRule ^/cgi-bin/citypace/(.*) https://www.etumbo.com/cgi-bin/citypace/$1 [L]

ProxyRequests Off
<Proxy *>
   Order deny,allow
   Allow from all
</Proxy>

<LocationMatch "^[^\~]*(\.shtml|\.txt|\.pl)$">
   SetHandler perl-script
   PerlSetVar MasonArgsMethod "CGI"
   PerlHandler HTML::Mason::ApacheHandler
</LocationMatch>

## This removes djdrego portion of the web site from Mason control
<LocationMatch "djdrego\/">
   SetHandler None
</LocationMatch>

<LocationMatch "robots.txt">
   SetHandler None
</LocationMatch>

<LocationMatch "kernel_config_sdiff.txt">
   SetHandler None
</LocationMatch>

<LocationMatch "(PhD\/Work[^\.]*$|PhD\/Work[^\.]\.(.html|txt|pl|desc))">
   PerlSetVar MasonDeclineDirs 0
   SetHandler perl-script
   PerlHandler HTML::Mason::ApacheHandler
</LocationMatch>

<LocationMatch "(\.m(html|txt|pl)|dhandler|autohandler)$">
   SetHandler perl-script
   PerlInitHandler Apache::Constants::NOT_FOUND
</LocationMatch>

<Directory /var/www/localhost/htdocs/PhD>
    DirectoryIndex index.html index.shtml

    SetHandler perl-script
    #PerlHandler PhDNotesWiki::AccessHandler
    PerlOptions +GlobalRequest
    Require valid-user
    PerlAccessHandler PhDNotesWiki::AccessHandler
    AuthType Basic
    AuthName "PhD Notes"
    AuthUserFile "/etc/apache2/PhDNotes.passwd"
    Require valid-user
</Directory>

<Directory /var/www/localhost/htdocs/albums>
    AllowOverride Options FileInfo
</Directory>

<Location /audio>
    SetHandler perl-script
    PerlHandler Apache::MP3::Resample
    PerlSetVar AllowDownload     "no"
    PerlSetVar CacheDir          "/var/cache/Apache::MP3"
    PerlSetVar DescriptionFormat "%n - %a - %t (%l)"
    PerlSetVar Fields            "track, artist, title, duration, bitrate"
    PerlSetVar SortFields        "description"
    PerlSetVar PathStyle         "Arrows"
    PerlSetVar ResamplePresets   '16 kbps => -b16, \
                                 56 kbps => -b56, \
                                 128 kbps => -b128, \
                                 160 kbps => -b160'
    PerlSetVar DecompressorPresets '"audio/shorten" => "shorten -x %f -|", \
                                 "audio/flac" => "flac -d -c -s %f|"'
    AuthType Basic
    AuthName "Restricted Audio Area"
    AuthUserFile "/etc/apache2/audio.passwd"
    Require valid-user
    Order allow,deny
    Allow from all
</Location>
```

And finally, /etc/apache2/vhosts.d/00_default_ssl_vhost.conf:

```
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen *:443
NameVirtualHost *:443

<VirtualHost *:443>
   ServerName www.etumbo.com

   Include /etc/apache2/vhosts.d/default_vhost.include
   ErrorLog "|/usr/sbin/cronolog --symlink=/var/log/apache2/ssl_error_log.current /var/log/apache2/%Y/%m/ssl_error_log"
   <IfModule log_config_module>
      TransferLog "|/usr/sbin/cronolog --symlink=/var/log/apache2/ssl_access_log.current /var/log/apache2/%Y/%m/ssl_access_log"
   </IfModule>

   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLCertificateFile /etc/apache2/ssl/server.crt
   SSLCertificateKeyFile /etc/apache2/ssl/server.key

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
   </FilesMatch>

   <Directory "/var/www/localhost/cgi-bin">
      SSLOptions +StdEnvVars
   </Directory>

   <IfModule setenvif_module>
      BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
   </IfModule>

   <IfModule log_config_module>
      CustomLog /var/log/apache2/ssl_request_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   </IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
```

Any help in resolving this will be greatly appreciated. Thanks!

Last edited by Buddha001 on Fri Aug 22, 2008 12:44 am; edited 1 time in total

----------

## gerdesj

Well Mr Buddha001 let's start from the basics (I can't see anything obviously wrong):

What version of Apache are you running?

Incidentally the error you report seems to imply cgi-bin is a file and not a directory - any help?

Cheers

Jon

----------

## Buddha001

 *gerdesj wrote:*   

> Well Mr Buddha001 let's start from the basics (I can't see anything obviously wrong):
> 
> What version of Apache are you running?
> 
> Incidentally the error you report seems to imply cgi-bin is a file and not a directory - any help?
> ...

 

Running apache 2.2.9. cgi-bin is definitely not a file - although it would seem that the SSL host thinks it is. Just verified that it's a directory (/var/www/localhost/cgi-bin) with the same user/group and permissions as /var/www/localhost/htdocs. Plus, the non-SSL vhost is able to pick up scripts without any issues. The error I get in the browser is 404 Not Found. 

I'm wondering if this may have something to do with me not updating my expired self-signed certificates...is that a possibility? Although other non-CGI things work fine with SSL...

----------

## gerdesj

 *Buddha001 wrote:*   

> 
> 
> I'm wondering if this may have something to do with me not updating my expired self-signed certificates...is that a possibility? Although other non-CGI things work fine with SSL...

 

Not sure to be honest but it would not harm to recreate them ( http://sial.org/howto/openssl/self-signed/ ).  On the other hand why not set up a CA?

Cheers

Jon

----------

## bunder

what APACHE2_OPTS do you have configured in /etc/conf.d/apache2?  

cheers

----------

## Buddha001

 *gerdesj wrote:*   

>  *Buddha001 wrote:*   
> 
> I'm wondering if this may have something to do with me not updating my expired self-signed certificates...is that a possibility? Although other non-CGI things work fine with SSL... 
> 
> Not sure to be honest but it would not harm to recreate them ( http://sial.org/howto/openssl/self-signed/ ).  On the other hand why not set up a CA?
> ...

 

I recreated them and then setup a CA using cacert.org but neither helped. As for the APACHE2_OPTS they are:

```
APACHE2_OPTS="-D DEFAULT_VHOST -D PERL -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D AUDIO_VHOST -D GALLERY_VHOST -D STORAGESERVER_VHOST -D CITYPACE_VHOST -D SUEXEC -D APREQ -D USERDIR -D PHP5 -D DAV -D DAV_FS -D AUTH_PAM -D MACRO -D PROXY -D PROXY_HTTP -D PROXY_HTML"
```

Anything look out of the ordinary?

----------

## gerdesj

I've just picked through your first post again.

/var/www/localhost/htdocs/cgi-bin probably does not exist!

In /var/www/localhost/ htdocs and cgi-bin should be at the same level.  Looking in your config, that is what it is looking for.

```
<IfModule alias_module>
   ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
   Alias /audio /mnt/SoundFiles
</IfModule>

<Directory "/var/www/localhost/cgi-bin">
   AllowOverride AuthConfig
#   Options None
   Order allow,deny
   Allow from all
</Directory>
```

So I would say you are using the wrong URL in your browser when you use https.

Cheers

Jon

----------

## Buddha001

 *gerdesj wrote:*   

> I've just picked through your first post again.
> 
> /var/www/localhost/htdocs/cgi-bin probably does not exist!
> 
> In /var/www/localhost/ htdocs and cgi-bin should be at the same level.  Looking in your config, that is what it is looking for.
> ...

 

I'm not sure what you mean...I use the same URL when using both http and https. For example, the script I'm trying to access is: http://www.etumbo.com/cgi-bin/citypace/contacts.cgi. When I type that in exactly it works. When I do https://www.etumbo.com/cgi-bin/citypace/contacts.cgi it does not work and I get a 404 Not Found Error. Feel free to try it yourself. Both htdocs and cgi-bin are at the same level within /var/www/localhost - that's how gentoo apache config set it up originally and I've never mucked with that.

----------

## gerdesj

Fair enough but something is causing an attempt to access the file to cause the error:

```
[Sun Aug 17 17:56:22 2008] [error] [client 192.168.1.1] File does not exist: /var/www/localhost/htdocs/cgi-bin
```

Perhaps a stray symlink? #ls -l /var/www/localhost (also check cgi-bin and htdocs themselves)

Another thing to try is to disable the ordinary VHOST (ie remove -D DEFAULT_VHOST) and see if just the SSL one works OK on its own.

Cheers

Jon

----------

## Buddha001

 *gerdesj wrote:*   

> Fair enough but something is causing an attempt to access the file to cause the error:
> 
> ```
> [Sun Aug 17 17:56:22 2008] [error] [client 192.168.1.1] File does not exist: /var/www/localhost/htdocs/cgi-bin
> ```
> ...

 

No stray symlinks, and SSL works just fine when accessing things directly within /var/www/localhost/htdocs. I have horde-imp installed in that directory and it is accessible via SSL w/o any problems. It just seems like the SSL VHOST is not understanding the ScriptAlias directive and so it's directly translating the cgi-bin directory to be within htdocs, which it is not.

I also tried aliasing other directories outside of /var/www/localhost/htdocs and those also do not work in the SSL VHOST, but do work with default non-SSL VHOST, so it definitely seems to be an issue with SSL and Alias/ScriptAlias directories.

----------

## gerdesj

I am running several 2.2.9 Apaches with SSL and various scriptalias with no problems.

Now I always USE=vhost but I think you are not.  Your 00_default_ssl is very different to mine, so I suspect that it is quite an old one.  However, if you run etc-update you will have quite a lot of unpicking to do.

Could I recommend switching to USE=vhost.  It will require a bit of work but at least you can then update with fewer problems.  You can also do things like test web-apps out in another vhost before deploying to your live one.

Since I made the switch, it has made life a lot easier. 

Cheers

Jon

----------

## Buddha001

 *gerdesj wrote:*   

> I am running several 2.2.9 Apaches with SSL and various scriptalias with no problems.
> 
> Now I always USE=vhost but I think you are not.  Your 00_default_ssl is very different to mine, so I suspect that it is quite an old one.  However, if you run etc-update you will have quite a lot of unpicking to do.
> 
> Could I recommend switching to USE=vhost.  It will require a bit of work but at least you can then update with fewer problems.  You can also do things like test web-apps out in another vhost before deploying to your live one.
> ...

 

Yeah, I'm kind of in the middle of going through this process, but I needed to figure out how to get SSL working for multiple vhosts on the same IP. It seems like I can with SNI, which I've only recently enabled. Once I get that working I'll completely switch over to USE=vhost. Right now I have it enabled only for certain web-apps. Could you post how your 00_default_ssl is different than mine? I've run etc-update every time I do an apache upgrade, so I shouldn't really be behind on configuration file updates.

Thanks!

----------

## gerdesj

I even double checked!  I've just dismembered the ebuild palava that is Apache and eventually found this file:

```
/usr/portage/distfiles/gentoo-apache-2.2.9-20080615.tar.bz2
```

which contains the Gentoo specific bits to Apache.  In there is the current 00_default_ssl_vhost.conf.  It is quite different to the one you posted above.

Cheers

Jon

----------

## Buddha001

 *gerdesj wrote:*   

> I even double checked!  I've just dismembered the ebuild palava that is Apache and eventually found this file:
> 
> ```
> /usr/portage/distfiles/gentoo-apache-2.2.9-20080615.tar.bz2
> ```
> ...

 

Here's a diff of the one in the distfile and mine. Doesn't seem all that different to me...

```

9c9

< Listen 443

---

> Listen *:443

11,12c11,14

< <VirtualHost _default_:443>

<       ServerName localhost

---

> NameVirtualHost *:443

> <VirtualHost *:443>

>       ServerName www.etumbo.com

>

14c16

<       ErrorLog /var/log/apache2/ssl_error_log

---

>       ErrorLog "|/usr/sbin/cronolog --symlink=/var/log/apache2/ssl_error_log.current /var/log/apache2/%Y/%m/ssl_error_log"

17c19

<               TransferLog /var/log/apache2/ssl_access_log

---

>               TransferLog "|/usr/sbin/cronolog --symlink=/var/log/apache2/ssl_access_log.current /var/log/apache2/%Y/%m/ssl_access_log"

35c37,38

<       SSLCertificateFile /etc/apache2/ssl/server.crt

---

>       SSLCertificateFile /etc/apache2/ssl/etumbo.com_cert.pem

>       #SSLCertificateFile /etc/apache2/ssl/server.crt

43c46,47

<       SSLCertificateKeyFile /etc/apache2/ssl/server.key

---

>       SSLCertificateKeyFile /etc/apache2/ssl/etumbo.com_privatekey.pem

>       #SSLCertificateKeyFile /etc/apache2/ssl/server.key

175a180

>

```
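
Review bot: in the 11,12c11,14 hunk the local file replaces `<VirtualHost _default_:443>` with `NameVirtualHost *:443` plus `<VirtualHost *:443>`, which makes port 443 name-based, so the first `<VirtualHost>` block Apache reads for that address becomes the default for it. This diff only compares two copies of 00_default_ssl_vhost.conf, so it cannot show whether another included file also defines a vhost on 443; the parsed vhost dump (the `-S` option) would confirm that. The remaining hunks (Listen, the cronolog log pipes, the certificate paths) do not change how a URL is mapped to a path.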

----------

## gerdesj

Worth a try though.

Still, where on earth is that error coming from with the extra /htdocs/ in the request?

I'm now really clutching at straws: what sort of script are you trying to run?  Could you try print-env (default supplied script - need to chmod it +x though)

Cheers

Jon

----------

## Buddha001

 *gerdesj wrote:*   

> Worth a try though.
> 
> Still, where on earth is that error coming from with the extra /htdocs/ in the request?
> 
> I'm now really clutching at straws: what sort of script are you trying to run?  Could you try print-env (default supplied script - need to chmod it +x though)
> ...

 

Yup, did try that - same thing. :( I'm a bit puzzled as well. I've tried every Google search possible trying to find anyone else that's had such an issue and can't find anything.

----------

## gerdesj

Could you just double check your ssl_access or error logs for the result of trying to access https://<your site>/cgi-bin/printenv please?

Cheers

Jon

----------

## Buddha001

 *gerdesj wrote:*   

> Could you just double check your ssl_access or error logs for the result of trying to access https://<your site>/cgi-bin/printenv please?
> 
> Cheers
> 
> Jon

 

From ssl_access_log:

```
92.168.1.1 - - [20/Aug/2008:20:06:40 -0400] "GET /cgi-bin/print-env HTTP/1.1" 404 280
```

and from ssl_error_log:

```
[Wed Aug 20 20:06:40 2008] [error] [client 192.168.1.1] File does not exist: /var/www/localhost/htdocs/cgi-bin
```

Stumped...

----------

## Buddha001

 *Buddha001 wrote:*   

>  *gerdesj wrote:*   Could you just double check your ssl_access or error logs for the result of trying to access https://<your site>/cgi-bin/printenv please?
> 
> Cheers
> 
> Jon 
> ...

 

Well, I do believe I finally got it working. It looks like I had an old default_ssl_vhost.conf file stuck in my /etc/apache2/modules.d/ directory that was mucking stuff up. After moving that out of the way, it seems to have done the trick. And I've managed to move everything to a USE=vhosts setup, so it should be far easier to maintain now - hopefully. :)

Thanks for all the help and suggestions.

----------

## gerdesj

 *Quote:*   

> 
> 
> Well, I do believe I finally got it working. It looks like I had an old default_ssl_vhost.conf file stuck in my /etc/apache2/modules.d/ directory that was mucking stuff up. After moving that out of the way, it seems to have done the trick. And I've managed to move everything to a USE=vhosts setup, so it should be far easier to maintain now - hopefully. 
> 
> Thanks for all the help and suggestions.

 

Hooray!  USE=vhost is a lot easier to maintain and great for QC.  You can test a package in a test vhost and then only when you have got the upgrade procedure sorted out do you mess with the live one.  Also you are not messing about with the real one so the point where you find you can't exactly remember what you did and wish you'd taken a backup - well I'm sure you know this one.

Glad it's sorted.

Cheers

Jon

----------
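
The thread's fix was moving a leftover default_ssl_vhost.conf out of /etc/apache2/modules.d/. The following script is an added example, not code from any poster: it lists every `<VirtualHost>` tag under a config tree and reports ports that have vhost blocks in more than one file. The function names are hypothetical, the sample file contents are constructed, and it assumes both directories are pulled in by Include lines.

```shell
#!/bin/sh
# Added example: find ports that have <VirtualHost> blocks in more than one
# config file, the situation behind the stale modules.d file in this thread.

# list_vhosts DIR: print "address<TAB>file" for each uncommented <VirtualHost> tag.
list_vhosts() {
    find "$1" -type f -name '*.conf' -print | sort | while IFS= read -r f; do
        awk -v file="$f" 'tolower($1) == "<virtualhost" {
            for (i = 2; i <= NF; i++) {
                a = $i; sub(/>.*$/, "", a)
                if (a != "") print a "\t" file
            }
        }' "$f"
    done
}

# dup_vhost_ports DIR: print "port: file file ..." for every port that is
# claimed by vhost blocks in two or more different files.
dup_vhost_ports() {
    list_vhosts "$1" | awk -F'\t' '{
        port = $1; sub(/^.*:/, "", port)      # "*:443", "_default_:443" -> "443"
        key = port SUBSEP $2
        if (!(key in seen)) { seen[key] = 1; n[port]++; files[port] = files[port] " " $2 }
    }
    END { for (p in n) if (n[p] > 1) print p ":" files[p] }' | sort
}

# make_sample_tree: build a constructed config tree (file contents are invented
# for this example; only the file names and directories come from the thread).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/vhosts.d" "$d/modules.d"
    printf '%s\n' '<VirtualHost *:80>' \
        '   Include /etc/apache2/vhosts.d/default_vhost.include' \
        '</VirtualHost>' > "$d/vhosts.d/00_default_vhost.conf"
    printf '%s\n' 'NameVirtualHost *:443' '<VirtualHost *:443>' \
        '   Include /etc/apache2/vhosts.d/default_vhost.include' \
        '   SSLEngine on' '</VirtualHost>' > "$d/vhosts.d/00_default_ssl_vhost.conf"
    # Stale leftover: binds 443 but carries no ScriptAlias for /cgi-bin/.
    printf '%s\n' '<VirtualHost _default_:443>' \
        '   DocumentRoot "/var/www/localhost/htdocs"' \
        '   SSLEngine on' '</VirtualHost>' > "$d/modules.d/default_ssl_vhost.conf"
    printf '%s\n' "$d"
}

root=$(make_sample_tree)
dup_vhost_ports "$root"    # on a real host: dup_vhost_ports /etc/apache2
rm -rf "$root"
```

On the sample tree it reports port 443 with both files, while port 80, defined in a single file, is not listed.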

