Rails apps in subdirectories won't work with SSL

Eduardo Kortright

Mar 12, 2015, 5:18:33 PM
to phusion-...@googlegroups.com
I have been running two Rails apps on Apache/Passenger and CentOS 6 in different subdirectories and using SSL for some time.

However, I just migrated to a new server running CentOS 7, and on the new server the apps work only if I don't use SSL.  If I use SSL, then all I get is "404 Not Found".

Server version: Apache/2.4.6 (CentOS)
Phusion Passenger version 4.0.59

When I configure the apps for non-SSL, I can tell that the very first request is going to Passenger, because it takes it a little time to load everything.  On the other hand, when I change to SSL, the response (Not Found) is immediate, so maybe it's not even getting to Passenger.  I can't see anything in the error logs (/var/log/httpd/*_error_log), other than Not Found, which doesn't tell me anything.

Can anyone tell me if there is any way to debug what is going on?  Is there some other error log specific to Passenger that may provide some information?  I have not been able to find anything on the web that mentions both multiple apps in separate directories and SSL.

Here is the non-SSL configuration and the responses to the URLs:

# /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
        ServerName foo.example.com
        ErrorLog logs/https_error_log

        Alias /app-1 /var/www/phusion/app-1/public
        <Location "/app-1">
                PassengerBaseURI /app-1
                PassengerAppRoot /var/www/phusion/app-1
        </Location>
        <Directory "/var/www/phusion/app-1/public">
                Options -MultiViews
                Allow from all
                AllowOverride all
                Require all granted
        </Directory>

        Alias /app-2 /var/www/phusion/app-2/public
        <Location "/app-2">
                PassengerBaseURI /app-2
                PassengerAppRoot /var/www/phusion/app-2
        </Location>
        <Directory "/var/www/phusion/app-2/public">
                Options -MultiViews
                Allow from all
                AllowOverride all
                Require all granted
        </Directory>
</VirtualHost>

# requests

Here is the pretty much identical SSL configuration and the responses to the URLs:

# /etc/httpd/conf/httpd.conf
<VirtualHost *:443>
        ServerName foo.example.com
        ErrorLog logs/https_error_log

        Alias /app-1 /var/www/phusion/app-1/public
        <Location "/app-1">
                PassengerBaseURI /app-1
                PassengerAppRoot /var/www/phusion/app-1
        </Location>
        <Directory "/var/www/phusion/app-1/public">
                Options -MultiViews
                Allow from all
                AllowOverride all
                Require all granted
        </Directory>

        Alias /app-2 /var/www/phusion/app-2/public
        <Location "/app-2">
                PassengerBaseURI /app-2
                PassengerAppRoot /var/www/phusion/app-2
        </Location>
        <Directory "/var/www/phusion/app-2/public">
                Options -MultiViews
                Allow from all
                AllowOverride all
                Require all granted
        </Directory>
</VirtualHost>

# requests

As you can see, the only thing that changes is the port number.

For SSL, the certificate files configuration is in /etc/httpd/conf.d/ssl.conf.  I have also tried putting the following inside the VirtualHost definition (matches the ssl.conf information exactly), but nothing helps:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/CA/certs/xxx.crt
SSLCertificateChainFile /etc/pki/CA/certs/yyy.crt
SSLCertificateKeyFile /etc/pki/CA/certs/foo.example.com.key
SSLVerifyClient none

The SSL configuration is OK, because if I remove the Rails stuff and just test accessing a static index.html page then everything works fine.

I have turned SELinux off, by the way.

Any help you could provide would be very much appreciated.

Eduardo Kortright

Mar 16, 2015, 9:49:39 AM
to phusion-...@googlegroups.com
In case this might help someone, I think Apache was not mapping the incoming requests to the correct VirtualHost.  It's still a mystery to me why it would map them fine with no SSL, but fail to map them with SSL.

I finally resolved the issue by replacing the * in the VirtualHost element with the IP address of the interface from which the requests will be coming.  I don't understand why this should fix the problem, since * is supposed to mean all interfaces.  Also, the server is behind a firewall, although I don't know why this would matter.  The biggest difficulty is that there does not seem to be any way to diagnose the problem; all you can do is hack away at the httpd.conf file until it does something different.

As the Passenger FAQ states, it is also important to have the SSL directives inside the VirtualHost even if they are also defined somewhere else.

In the end, the config ended up looking as shown below.

<VirtualHost 192.168.1.57:443>
        ServerName foo.example.com
        ErrorLog logs/https_error_log

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/pki/CA/certs/xxx.crt
        SSLCertificateChainFile /etc/pki/CA/certs/yyy.crt
        SSLCertificateKeyFile /etc/pki/CA/certs/foo.example.com.key
        SSLVerifyClient none

Daniel Knoppel

Mar 18, 2015, 10:38:51 AM
to phusion-...@googlegroups.com
Hi Eduardo,

You might want to check that you don't have more than one <VirtualHost ..:443> configuration active in Apache (e.g. in sites-enabled).

Apache won't complain if you have multiple <VirtualHost *:443> entries, and if you happen to have one where Passenger is not configured then you can get the behavior you're seeing. 
Especially because your problem is solved by specifying an explicit IP, which makes Apache prefer that configuration above *-based ones, thus picking the one you intended it to use.

- Daniel

Eduardo Kortright

Mar 19, 2015, 8:28:13 AM
to phusion-...@googlegroups.com
Hi Daniel,

Yes, that's what it was.  In the /etc/httpd/conf.d/ssl.conf file that was added when enabling SSL, there is a <VirtualHost _default_:443>, which is what Apache was selecting instead of the <VirtualHost *:443> in httpd.conf.

Thank you very much for your help.  It's much better to understand the reason for the behavior!
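The check Daniel describes, as an added example that is not part of the thread or of Passenger: a Python scanner that lists every <VirtualHost> block across the config files and flags ports declared by more than one wildcard (* or _default_) vhost, noting which of them carry no Passenger directives. The sample config text is constructed from the files named in the thread, and the function names are hypothetical; it assumes addresses are written as address:port.

```python
import re
from collections import defaultdict

# Constructed sample: the two files from the thread, reduced to the relevant lines.
SAMPLE = {
    "/etc/httpd/conf.d/ssl.conf": """
<VirtualHost _default_:443>
    # ServerName is commented out in this block
    SSLEngine on
</VirtualHost>
""",
    "/etc/httpd/conf/httpd.conf": """
<VirtualHost *:443>
    ServerName foo.example.com
    Alias /app-1 /var/www/phusion/app-1/public
    <Location "/app-1">
        PassengerBaseURI /app-1
        PassengerAppRoot /var/www/phusion/app-1
    </Location>
</VirtualHost>
""",
}

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
WILDCARDS = {"*", "_default_"}

def vhosts(configs):
    """Yield (file, address, port, has_passenger) for every <VirtualHost> block."""
    for path, text in configs.items():
        text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop comment lines
        for spec, body in VHOST.findall(text):
            passenger = bool(re.search(r"(?mi)^\s*Passenger\w+", body))
            for addr in spec.split():
                host, sep, port = addr.rpartition(":")
                if not sep:  # address given without a port
                    host, port = addr, "*"
                yield path, host, port, passenger

def ambiguous_ports(configs):
    """Map port -> wildcard vhosts, for ports declared by more than one of them."""
    by_port = defaultdict(list)
    for path, host, port, passenger in vhosts(configs):
        if host in WILDCARDS:
            by_port[port].append((path, host, passenger))
    return {p: v for p, v in by_port.items() if len(v) > 1}

if __name__ == "__main__":
    for port, entries in ambiguous_ports(SAMPLE).items():
        for path, host, passenger in entries:
            print(f"{path}: <VirtualHost {host}:{port}> passenger={passenger}")
```

On a live server, `httpd -S` prints the virtual host table as Apache itself parsed it, which answers the same question without reading the files by hand.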