Avatar of Matt Moriarity
Matt Moriarity

How I fixed my Apache SSL redirect

Today, I finally fixed a longstanding issue with this website. I figured it would be a good idea to document it since I could not find this solution in any of my Googling to try to figure out what was wrong.

mattmoriarity.com is canonically served over SSL, but it’s supposed to have a redirect from plain HTTP URLs to the corresponding HTTPS URL. For a long time now, if you went to http://mattmoriarity.com, instead of getting redirected, you would get a nice big 403 Forbidden error from my Apache server.

When this error occurred, an entry would appear in Apache’s error.log:

[Sat Oct 06 16:43:20.907682 2018] [authz_core:error] [pid 5372] [client] AH01630: client denied by server configuration: /var/www/html/

I banged my head against this for a while, because in theory, my virtual host for the site was configured as expected:

<VirtualHost *:80>
ServerName mattmoriarity.com
ServerAlias www.mattmoriarity.com
Redirect permanent / https://mattmoriarity.com/

Searching the error code from the log above gave many results, but all of those results suggested one main cause: in Apache 2.4, the configuration directives for allowing and denying access to directories changed. For instance, Allow from all becomes Require all granted and so on. This was not my problem, though: all of my configuration was using the correct Apache 2.4 syntax.

My best clue was the fact that the redirect worked fine if I accessed it from www.mattmoriarity.com. It only failed when I left off the www.. This was good: it means that the virtual host was working correctly when it matched. It just wasn’t matching when should.

It turns out that the global configuration for Apache essentially forms its own virtual host. So I found the issue in a tiny file called /etc/apache2/conf-enabled/fqdn.conf, which contained only this line:

ServerName mattmoriarity.com

By declaring the ServerName globally, the global virtual host was matching requests for the host mattmoriarity.com on port 80 instead of my declared virtual host. And now the error in the log made sense: /var/www/html/ was the DocumentRoot declared globally.

By removing this line of configuration, my declared virtual host now matched, and the redirect started working.

Hopefully this helps someone else who finds themselves with the same problem!