Default Site - If no SSL Certificate is setup

Hi there,

during some customer sites transfers from the old server to the new cleavr setup, I witnessed an issue with sites without SSL Certificate.

Basesetup

  • Created customer website without SSL with Cleavr. (Due to the DNS Settings not yet changed).
  • Migrated everything (DB, Setup,…)
  • Moved DNS Settings to the new server.

Now starts the issue
Due to no SSL and all Browsers automatically changing the URI to the https Version, we get a not wished for beahaviour.

  • The https Version shows an error, because Domain and the allegadly Certificate do not match. Nginx by default choses the first Website for https if none is configured.
    With multiple clients on the same server, this is a big violation of customer and data privacy.

Solutions

  • Cleavr gives a possibility to create a default placeholder Site on each Server and move it up into first position for NGINX. So th
  • Or Cleavr creates themselvs a placeholder for each server for domains and https version which are not yet setup.

I would be very interested in your opinion on this and i am available to test all solutions with you.

Greetings

That’s definitely not the behavior we want to happen. It should be hitting the catch-all record and returning a 404. We’ll look closer into and see why that isn’t being respected.

I have one server with mixed https (let’s encrypt and custom ssl) and http sites.
Works without any problems. I remember me there is a problem if you create a website with ssl and you try run the same site without ssl on a later moment.

And I forgot I have so many test locations on all my server without ssl. So it has to be something different @Houbsi

I thought so too.

But i still have the issue, when i completely create a new Website and also a new subdomain without SSL in the beginning. So a clean install if you will.

But the problem i’m getting is still there.

Otherwise, all sites are provisioned with cleavr and none where added manually. Just some rewrite rules for cms systems have been altered.

I still can’t figure out how or what is the root of this issue from my end.

Steps i tried:

  • Created a Website with SSL and removed it.
  • Created a Website without SSL and tried it.

We have so many sites on our servers and I tried to check all the configurations with the default stuff.
But most of the details of SSL and so forth is on cleavrs specific configurations.

So I hope they still can check this again and maybe tell another point of view for this issue.

Hello @Houbsi,

Can you send me a PM with a list of sites that you’ve had issues with?

@anish
As Mike is not working at our place anymore:
Any news on the problem? It still occurs for us.

Thank you!

EDIT: I had this today when accessing a Domain Alias whos A-Record still pointed to the server but the Alias was being removed from the site settings.

Hello @sebbler,

We’ve not actually been able to reproduce the issue Mike brought up.

I re-tested the same thing today: created a site without SSL, added a DNS Record, deleted the site and re-created the site with SSL Enabled.

CleanShot 2022-08-15 at 11.03.42

Do you’ve any idea on how the Alias got deleted? Are the sites with SSL issues all related to domain alis? If we can re-produce the issue, we’re always ready and happy to work for a fix/improvements.

Can you also let me know the site and server you’re getting errors via PM?

I deleted the alias from the site settings myself but forgot to remove the A-Record for it. When accessing the alias url, i was redirected to the most currently created site on the same server.

In this case there is no SSL involved i think.

So to reproduce:

  1. create site
  2. add alias
    image
  3. add A-Record for alias
  4. Site is accessible via alias url (cleavr start up screen)
  5. clear alias from site settings:
  6. access alias url again
  7. be redirected to newly created site

I can safely reproduce this behaviour.

Another way to reproduce:

  1. add site (x.de)
  2. add domain alias for this site (y.de)
  3. point domain alias dns a record to server
  4. not have ssl certificates installed for domain alias
  5. access site via domain alias
  6. get redirected to currently created site on this server

Here you can see an example of where the a record for api.ams.tax has been changed to the cleavr server but the user gets redirected to another page:

EDIT:
As I can’t leave the customer’s site of api.ams.tax in the state it is right now (not having ssl), i will have to install ssl soon.

Could you please have a look at what is probably causing the redirect and tell me when I can reinstall the ssl certificate for the redirect to disappear?

Would be very much appreciated! :pray:

one more hint:
Accessing the site via http://api.ams.tax works as expected but with https it does not.

EDIT 2:
I installed a new SSL certifacate for api.ams.tax now. So you can not test the behaviour with this domain anymore.