Как связке апач-nginx настроить переход на https?

Question

[Hfnas]

Я деактивировала ssl на апач (активировала до установки сертификата)

a2dismod ssl
a2dissite default-ssl

Настройки апача

<VirtualHost *:80>
    ServerName crm.ru
    ServerAlias www.crm.ru
    ServerAdmin we@gmail.com
    DocumentRoot /var/www/crm/public_html
    DirectoryIndex /index.php

    <Directory /var/www/crm/public_html>
       AllowOverride None
      # Require all granted

        Order Allow,Deny
        Allow from all

        FallbackResource /index.php

    </Directory>

     <Directory /var/www/project/public/bundles>
        DirectoryIndex disabled
        FallbackResource disabled
    </Directory>

    ErrorLog /var/www/crm/error.log
    CustomLog /var/www/crm/access.log combined
</VirtualHost>

Так как все сертификаты установлены на nginx, то переадресацию делаем там.

server {
     listen  80;
     server_name crm.ru www.crm.ru;
     return 301 http://www.$host$request_uri;
}


server {
listen 443
listen [::]:443 ssl;
root /var/www/crm/public_html;
server_name crm.ru;
ssl_protocols TLSv1.2;

ssl_certificate /etc/nginx/ssl/crm.ru.crt;
ssl_certificate_key /etc/nginx/ssl/crm.ru.key;

location / {
proxy_pass http://localhost:80;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

Выводит "Welcome to nginx!"
-------------------
Также пробовала

server {

listen 80;

listen 443 default ssl;

listen [::]:443 ipv6only=on;


root /var/www/crm/public_html;
server_name crm.ru;


#if ($scheme = 'http') {
#  return 301 https://$host$request_uri;
#}

#2203 comment this block
#ssl on;
#2203 
ssl_protocols TLSv1.2;

ssl_certificate /etc/nginx/ssl/crm.ru.crt;
ssl_certificate_key /etc/nginx/ssl/crm.ru.key;

location / {
proxy_pass http://localhost:80;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

Главная с https? внутренние c http, либо 404 ошибка

Answer 1

[ky0]

У вас зачем-то 80 порт и апач, и нгинкс слушают - проблема в этом. Перевесьте апач куда-нибудь, имхо.

Answer 2

[AUser0]

У Apache укажите <VirtualHost 127.0.0.1:88>, после чего у Nginx proxy_pass http://127.0.0.1:88;

Comments

[Hfnas]

AUser0, Апач прослушивает порт 8080 согласно команде netstat -tulpn

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name             
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      32262/nginx: master 
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      32019/apache2       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      32262/nginx: master 
tcp6       0      0 :::80                   :::*                    LISTEN      32262/nginx: master 
tcp6       0      0 :::443                  :::*                    LISTEN      32262/nginx: master

поэтому настройки апача такие:

<VirtualHost 127.0.0.1:8080>
    ServerName crm.ru
    ServerAlias www.crm.ru
    ServerAdmin we@gmail.com
    DocumentRoot /var/www/crm/public_html
    DirectoryIndex /index.php

    <Directory /var/www/crm/public_html>
       AllowOverride None
      # Require all granted

        Order Allow,Deny
        Allow from all

        FallbackResource /index.php

    </Directory>

     <Directory /var/www/project/public/bundles>
        DirectoryIndex disabled
        FallbackResource disabled
    </Directory>

    ErrorLog /var/www/crm/error.log
    CustomLog /var/www/crm/access.log combined
</VirtualHost>

Далее, пробую nginx^

server {
     listen  80;
     server_name crm.ru www.crm.ru;
     return 301 http://www.$host$request_uri;
}


server {
listen 443;
listen [::]:443 ssl;
root /var/www/crm/public_html;
server_name crm.ru www.crm.ru;
ssl_protocols TLSv1.2;
ssl on;
ssl_certificate /etc/nginx/ssl/crm.ru.crt;
ssl_certificate_key /etc/nginx/ssl/crm.ru.key;

location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

выводит список файлов проекта, почему?

[AUser0]

Hfnas, возможно потому, что должно быть DirectoryIndex index.php. Ну или PHP не прописан.

[AUser0]

Hfnas, и ещё, вот это return 301 http://www.$host$request_uri; заставит браузер по кругу бесконечно обращаться к адресу http://www.crm.ru/

[Hfnas]

AUser0, ky0, В итоге настроено, как в доках симфони, да DocumentRoot у меня не прописан.... По https есть, сертификат отображается по decoder.link

<VirtualHost 127.0.0.1:8080>
    ServerName crm.ru
    ServerAlias www.crm.ru
    ServerAdmin we@gmail.com
    DocumentRoot /var/www/crm/public_html/public
    DirectoryIndex index.php

    <Directory /var/www/crm/public_html/public>
        AllowOverride None
        Order Allow,Deny
        Allow from All

        FallbackResource /index.php

    </Directory>

     <Directory /var/www/crm/public_html/public/bundles>
        DirectoryIndex disabled
        FallbackResource disabled
    </Directory>

    ErrorLog /var/www/crm/error.log
    CustomLog /var/www/crm/access.log combined
</VirtualHost>

server {
     listen  80;
     server_name crm.ru www.crm.ru;
     return 301 https://$host$request_uri;
}

server {
listen 443;
listen [::]:443 ssl;
root /var/www/crm/public_html/public;
server_name crm.ru www.crm.ru;
ssl_protocols TLSv1.2;
ssl on;
ssl_certificate /etc/nginx/ssl/crm.ru.crt;
ssl_certificate_key /etc/nginx/ssl/crm.ru.key;

location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

ошибка в консоли браузера:

Mixed Content: The page at 'https://crm.ru/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://crm.ru/admin/login'. This request has been blocked; the content must be served over HTTPS.

И в результате , не добавляется в корзину по vue. Так как идет запрос в админку по апи платформ.
Даже никакой редирект не срабатывает , если я в браузере напишу http:/crm.ru не перенаправления на https:/crm.ru , а админка вообще открывается только 'crm.ru/admin/login( то есть , если я наберу https://crm.ru/admin/login перенаправляется на crm.ru/admin/login)

Костыль

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />

не помог.

https://symfony.com/doc/current/routing.html#routi... тоже не помог...

[AUser0]

А что, server с return 301 вы засунули в конфиг Apache? И DirectoryIndex не изменили!

[Hfnas]

AUser0, обновила конфиг, все равно редиректа не происходит-( Благодарю за помощь!
1)если я в браузере напишу http:/crm.ru, нет перенаправления на https:/crm.ru ....
2)да, если нажму форму авторизации в админке, или админ перенаправ
админка вообще открывается только 'crm.ru/admin/login( то есть , если я наберу https://crm.ru/admin/login перенаправляется на crm.ru/admin/login)

[Hfnas]

# Use the front controller as index file. It serves as a fallback solution when
# every other rewrite/redirect fails (e.g. in an aliased environment without
# mod_rewrite). Additionally, this reduces the matching process for the
# start page (path "/") because otherwise Apache will apply the rewriting rules
# to each configured DirectoryIndex file (e.g. index.php, index.html, index.pl).
DirectoryIndex index.php

# By default, Apache does not evaluate symbolic links if you did not enable this
# feature in your server configuration. Uncomment the following line if you
# install assets as symlinks or if you experience problems related to symlinks
# when compiling LESS/Sass/CoffeScript assets.
# Options +FollowSymlinks

# Disabling MultiViews prevents unwanted negotiation, e.g. "/index" should not resolve
# to the front controller "/index.php" but be rewritten to "/index.php/index".
<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>

<IfModule mod_rewrite.c>
    Options +FollowSymLinks
    RewriteEngine On

    # Determine the RewriteBase automatically and set it as environment variable.
    # If you are using Apache aliases to do mass virtual hosting or installed the
    # project in a subdirectory, the base path will be prepended to allow proper
    # resolution of the index.php file and to redirect to the correct URI. It will
    # work in environments without path prefix as well, providing a safe, one-size
    # fits all solution. But as you do not need it in this case, you can comment
    # the following 2 lines to eliminate the overhead.
    RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
    RewriteRule .* - [E=BASE:%1]

    # Sets the HTTP_AUTHORIZATION header removed by Apache
    RewriteCond %{HTTP:Authorization} .+
    RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]

    # Redirect to URI without front controller to prevent duplicate content
    # (with and without `/index.php`). Only do this redirect on the initial
    # rewrite by Apache and not on subsequent cycles. Otherwise we would get an
    # endless redirect loop (request -> rewrite to front controller ->
    # redirect -> request -> ...).
    # So in case you get a "too many redirects" error or you always get redirected
    # to the start page because your Apache does not expose the REDIRECT_STATUS
    # environment variable, you have 2 choices:
    # - disable this feature by commenting the following 2 lines or
    # - use Apache >= 2.3.9 and replace all L flags by END flags and remove the
    #   following RewriteCond (best solution)
    RewriteCond %{ENV:REDIRECT_STATUS} =""
    RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]

    # If the requested filename exists, simply serve it.
    # We only want to let Apache serve files and not directories.
    # Rewrite all other queries to the front controller.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ %{ENV:BASE}/index.php [L]

    Redirect 301 /catalog/utu https://crm.ru/utu


#    RewriteEngine On
#    RewriteCond %{HTTPS} off
#    RewriteCond %{HTTP:X-Forwarded-Proto} !https
#    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

<IfModule !mod_rewrite.c>
    <IfModule mod_alias.c>
        # When mod_rewrite is not available, we instruct a temporary redirect of
        # the start page to the front controller explicitly so that the website
        # and the generated links can still be used.
        RedirectMatch 307 ^/$ /index.php/
        # RedirectTemp cannot be used instead
    </IfModule>
</IfModule>

.htaccess /var/www/crm/public_html/public

[AUser0]

Нет, RewriteRule вы прописали неправильно. Объяснять почему неправильно - не буду, потому что вы городите огород по своему усмотрению, не обращая внимания на советы и комментарии, получается всё в пустую и криво. Такими темпами вы скоро за перекомпиляцию Apache возьмётесь, очевидно.

P.S. Упс, зря я эту идею подкинул...

[Hfnas]

AUser0, принощшу извинения, .htaccess дежал в директории еще до моего запроса сюда. . Я выложила конфиг, потому что подумала, может, причина в этом. Поэтому и выложила, что есть.

Я так поняла .htaccess нкужно убрать. Так как все на nginx завязано , а апач как прокси играет роль.
Подскажите, хороший материал, который помог в изучении вам этого вопроса, если вам нетрудно. Да, пока я не разбираюсь, не отрицаю.

[AUser0]

Hfnas, для начала отключите редирект в Apache, закомментировав в .htaccess строчку RewriteEngine On (поставив в начале строки символ #). И смотрите что получилось.

[Hfnas]

AUser0, спасибо, что не оставили меня.
я даже отключила весь .htaccess ничего не помогает,
выполнила команду nginx -t
Были предупреждения:

nginx: [warn] conflicting server name "сrm.ru" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.crm.ru" on 0.0.0.0:80, ignored

они исчезли.

по пути /etc/nginx/sites-available были лишние конфиги crm.conf.save, crm.conf.save1 (хостинг устанавливал платный сертификат, видимо не доделал, а доделывать не хочет). Я их поудалаляла.

Теперь в папке /etc/nginx/sites-available 3 файла :
1)crm

server {
    server_name crm.ru www.crm.ru;
    root /var/www/crm/public_html/public;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    # optionally disable falling back to PHP script for the asset directories;
    # nginx will return a 404 error when files are not found instead of passing the
    # request to Symfony (improves performance but Symfony's 404 page is not displayed)
    # location /bundles {
    #     try_files $uri =404;
    # }

  
    location ~ ^\/build\/ {
        expires 365d;
        add_header Cache-Control "public";
    }
   

    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;

        # optionally set the value of the environment variables used in the application
        # fastcgi_param APP_ENV prod;
        # fastcgi_param APP_SECRET <app-secret-id>;
        # fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name";

        # When you are using symlinks to link the document root to the
        # current version of your application, you should pass the real
        # application path instead of the path to the symlink to PHP
        # FPM.
        # Otherwise, PHP's OPcache may not properly detect changes to
        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
        # for more information).
        # Caveat: When PHP-FPM is hosted on a different machine from nginx
        #         $realpath_root may not resolve as you expect! In this case try using
        #         $document_root instead.
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/index.php/some-path
        # Remove the internal directive to allow URIs like this
        internal;
    }

    # return 404 for all other php files not matching the front controller
    # this prevents access to other php files you don't want to be accessible.
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/crm_error.log;
    access_log /var/log/nginx/crm_access.log;
}

nano /var/log/nginx/crm_error.log -пустой
2)crm.conf

server {
     listen  80;
     return 301 https://$host$request_uri;
}


server {
 listen 443 ssl;
 listen [::]:443 ssl;
 root /var/www/crm/public_html/public;
 server_name crm.ru www.crm.ru;
ssl_protocols TLSv1.2;
#ssl on;
ssl_certificate /etc/nginx/ssl/crm.ru.crt;
ssl_certificate_key /etc/nginx/ssl/crm.ru.key;

location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location ~ /\.ht {
  deny all;
 }
}

как подправила, предупреждения исчезли, но мне не помогло, перенаправления нет

админка вообще открывается только 'crm.ru/admin/login( то есть , если я наберу https://crm.ru/admin/login перенаправляется на crm.ru/admin/login)

и ошибка в консоли

Mixed Content: The page at 'https://сrm.ru/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'crm.ru/admin/login'. This request has been blocked; the content must be served over HTTPS.

3)default (вообще никакой роли не играет, как мне кажется)

#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

грешила на кеш сервера, перезагрузила, не помогло.

[Hfnas]

/etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

#Listen 80

<IfModule ssl_module>
#       Listen 443
</IfModule>

<IfModule mod_gnutls.c>
#       Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

/etc/apache2/ports.conf.orig

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

apache2.conf

DefaultRuntimeDir ${APACHE_RUN_DIR}

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf


# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

#<Directory /srv/>
#       Options Indexes FollowSymLinks
#       AllowOverride None
#       Require all granted
#</Directory>




# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>


#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Include conf.d/
Listen 127.0.0.1:8080
IncludeOptional vhosts-default/*.conf
IncludeOptional vhosts/*/*.conf

/etc/apache2/000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

crm.conf

<VirtualHost 127.0.0.1:8080>
    ServerName crm.ru
    ServerAlias www.crm.ru

    DocumentRoot /var/www/crm/public_html/public
    DirectoryIndex index.php 

    <Directory /var/www/crm/public_html/public>
        AllowOverride None
        Order Allow,Deny
        Allow from All

        FallbackResource /index.php

    </Directory>

     <Directory /var/www/crm/public_html/public/bundles>
        DirectoryIndex disabled
        FallbackResource disabled
    </Directory>

    ErrorLog /var/www/crm/error.log
    CustomLog /var/www/crm/access.log combined
</VirtualHost>

[Hfnas]

default-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                #DocumentRoot /var/www/html
                DocumentRoot /var/www/crm/public_html/public

            

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to
                # include a line for only one particular virtual host. For example the
                # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine off

                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                #   Server Certificate Chain:
                #   Point SSLCertificateChainFile at a file containing the
                #   concatenation of PEM encoded CA certificates which form the
                #   certificate chain for the server certificate. Alternatively
                #   the referenced file can be the same as SSLCertificateFile
                #   when the CA certificates are directly appended to the server
                #   certificate for convinience.
                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

                #   Certificate Authority (CA):
                #   Set the CA certificate verification path where to find CA
                #   certificates for client authentication or alternatively one
                #   huge file containing all of them (file must be PEM encoded)
                #   Note: Inside SSLCACertificatePath you need hash symlinks
                #                to point to the certificate files. Use the provided
                #                Makefile to update the hash symlinks after changes.
                #SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

                #   Certificate Revocation Lists (CRL):
                #   Set the CA revocation path where to find CA CRLs for client
                #   authentication or alternatively one huge file containing all
                #   of them (file must be PEM encoded)
                #   Note: Inside SSLCARevocationPath you need hash symlinks
                #                to point to the certificate files. Use the provided
                #                Makefile to update the hash symlinks after changes.
                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

                #   Client Authentication (Type):
                #   Client certificate verification type and depth.  Types are
                #   none, optional, require and optional_no_ca.  Depth is a
                #   number which specifies how deeply to verify the certificate
                #   issuer chain before deciding the certificate is not valid.
                #SSLVerifyClient require
                #SSLVerifyDepth  10

                #   SSL Engine Options:
                #   Set various options for the SSL engine.
                #   o FakeBasicAuth:
                #        Translate the client X.509 into a Basic Authorisation.  This means that
                #        the standard Auth/DBMAuth methods can be used for access control.  The
                #        user name is the `one line' version of the client's X.509 certificate.
                #        Note that no password is obtained from the user. Every entry in the user
                #        file needs this password: `xxj31ZMTZzkVA'.
                #   o ExportCertData:
                #        This exports two additional environment variables: SSL_CLIENT_CERT and
  #        Per default this exportation is switched off for performance reasons,
                #        because the extraction step is an expensive operation and is usually
                #        useless for serving static content. So one usually enables the
                #        exportation for CGI and SSI requests only.
                #   o OptRenegotiate:
                #        This enables optimized SSL connection renegotiation handling when SSL
                #        directives are used in per-directory context.
                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

             
        </VirtualHost>
</IfModule>

Есть подозрение, что из-за hostname не открывается, так как hostname другой указан домен(тестовый домен), а сам домен на шаред хостинге. и сайт отрывается по тестовому домену по протоколу http, [хотя я убрала любое упоминание по тестовому домену в конфигах nginx, apache , кроме hostname. Вопрос можно hostname crm.ru выполнить?

[AUser0]

Из apache2.conf стереть строку Listen 127.0.0.1:8080

В файле apache2/000-default.conf действительно нет символа < перед VirtualHost *:80>?

А ошибка в консоли

Mixed Content: The page at 'https://сrm.ru/' was loaded over HTTPS, but requested ...

связана с тем, что в Javascript-ах сайта используется адрес http://crm.ru/admin/login вместо https://crm.ru/admin/login. Именно об этом отсуствии буквы s в https консоль и ругается, мол "незашифрованная (http) передача данных на вашем зашифрованном (https) сайте, ай-яй-яй не буду!".

[Hfnas]

AUser0, спасибо,

Из apache2.conf стереть строку Listen 127.0.0.1:8080

-ошибка апача,

apachectl[79025]: no listening sockets available, shutting down
apachectl[79025]: AH00015: Unable to open logs
apachectl[79018]: Action 'start' failed.
apachectl[79018]: The Apache error log may have more information.
apache2.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited

в общем вернула, как есть.

тп подсказала

server {
     listen 80;
     listen  [::]:80;
     server_name _;
     return 301 https://$host$request_uri;
       include /etc/nginx/vhosts-includes/*.conf;
       location @fallback {
               error_log /dev/null crit;
               proxy_pass http://127.0.0.1:8080;
               proxy_redirect http://127.0.0.1:8080 /;
               proxy_set_header Host $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
               access_log off ;
       }

}


server {
 listen 443 ssl;
 listen [::]:443 ssl;
 root /var/www/crm/public_html/public;
 server_name crm.ru www.crm.ru;
ssl_protocols TLSv1.2;
#ssl on;
ssl_certificate /etc/nginx/ssl/crm.ru.crt;
ssl_certificate_key /etc/nginx/ssl/crm.ru.key;

location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location ~ /\.ht {
  deny all;
 }
}

но по прежнему "Mixed Content: The page at 'https://сrm.ru/' was loaded over HTTPS, but requested ."
У меня вопрос, эта ошибка возникает на стороне сервера, то есть изз-а настроек симфони +апач зависит зависит?

сделала, видно, что перенаправления нет, если я правильно понимаю.

$ curl -vLI http://crm.ru/admin
*   Trying XXX.XX.XXXX.XXX:80...
* Connected to crm.ru (XXX.XX.XXXX.XXX) port 80 (#0)
> HEAD /admin HTTP/1.1
> Host: crm.ru
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 26 Dec 2022 20:00:37 GMT
Date: Mon, 26 Dec 2022 20:00:37 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 178
Content-Length: 178
< Connection: keep-alive
Connection: keep-alive
< Location: https://crm.ru/admin
Location: https://crm.ru/admin

< 
* Connection #0 to host crm.ru left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://crm.ru/admin'
*   Trying XXX.XX.XXXX.XXX:443...
* Connected to crm.ru (XXX.XX.XXXX.XXX) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.crm.ru
*  start date: Dec 16 13:12:51 2022 GMT
*  expire date: Jan 17 13:12:50 2024 GMT
*  subjectAltName: host "crm.ru" matched cert's "crm.ru"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G4
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD /admin HTTP/1.1
> Host: crm.ru
> User-Agent: curl/7.81.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 26 Dec 2022 20:00:37 GMT
Date: Mon, 26 Dec 2022 20:00:37 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Cache-Control: max-age=0, must-revalidate, private
Cache-Control: max-age=0, must-revalidate, private
< pragma: no-cache
pragma: no-cache
< Expires: Mon, 26 Dec 2022 20:00:37 GMT
Expires: Mon, 26 Dec 2022 20:00:37 GMT
< Link: <http://crm.ru/admin/api/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
Link: <http://crm.ru/admin/api/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
< Set-Cookie: PHPSESSID=jd40qqoig7vec8qegrst6aai0b; path=/; httponly; samesite=lax
Set-Cookie: PHPSESSID=jd40qqoig7vec8qegrst6aai0b; path=/; httponly; samesite=lax
< Location: http://crm.ru/admin/login
Location: http://crm.ru/admin/login

< 
* Connection #1 to host crm.ru left intact
* Clear auth, redirects to port from 443 to 80
* Issue another request to this URL: 'http://crm.ru/admin/login'
* Found bundle for host crm.ru: 0x55b6e1e58ff0 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host crm.ru
* Connected to crm.ru (XXX.XX.XXXX.XXX) port 80 (#0)
> HEAD /admin/login HTTP/1.1
> Host: crm.ru
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 26 Dec 2022 20:00:37 GMT
Date: Mon, 26 Dec 2022 20:00:37 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 178
Content-Length: 178
< Connection: keep-alive
Connection: keep-alive
< Location: https://crm.ru/admin/login
Location: https://crm.ru/admin/login

< 
* Connection #0 to host crm.ru left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://crm.ru/admin/login'
* Found bundle for host crm.ru: 0x55b6e1e58650 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#1) with host crm.ru
* Connected to crm.ru (XXX.XX.XXXX.XXX) port 443 (#1)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD /admin/login HTTP/1.1
> Host: crm.ru
> User-Agent: curl/7.81.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 26 Dec 2022 20:00:37 GMT
Date: Mon, 26 Dec 2022 20:00:37 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Cache-Control: max-age=0, must-revalidate, private
Cache-Control: max-age=0, must-revalidate, private
< pragma: no-cache
pragma: no-cache
< Expires: Mon, 26 Dec 2022 20:00:37 GMT
Expires: Mon, 26 Dec 2022 20:00:37 GMT
< Link: <http://crm.ru/admin/api/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
Link: <http://crm.ru/admin/api/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
< Set-Cookie: PHPSESSID=cm3kfc5t1l7v81l6agf5cg4i0b; path=/; httponly; samesite=lax
Set-Cookie: PHPSESSID=cm3kfc5t1l7v81l6agf5cg4i0b; path=/; httponly; samesite=lax

[AUser0]

Hfnas, перенаправление есть, оно произошло 4 (четыре) раза.

А у вас проблема в том, что AJAX в Javascript обращается к сайту по HTTP!