HTTPS SNI via vagrant share

[kevinbowman-ta]

When we try to use vagrant share to expose an HTTPS endpoint using Apache inside the virtualbox, the Apache serves a "400 Bad Request" response. From looking at our Apache error log inside the Vagrant box, it's complaining that the hostnames provided via SNI (eg wonkey-donkey-123) and the HTTP host header (eg wonkey-donkey-123.vagrantshare.com) are different (note the domain suffix on the HTTP host header which is missing on the SNI name).

We're using Apache 2.2.22 on Ubuntu 12.04.5.

[sethvargo]

Hi @kevinbowman-ta

I am sorry you are having problems with Vagrant Share. Could you please share your Vagrantfile and apache config?

/cc @armon for any info on the share proxy side of things.

[kevinbowman-ta]

Sure; the vagrantfile looks like:

Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/precise64"
  config.ssh.forward_agent = true
  config.vm.synced_folder "salt/roots/", "/srv/salt/"
  config.vm.provision :salt, run: "always" do |salt|
    salt.minion_config = "salt/minion"
    salt.run_highstate = true
  end
  config.vm.provider "virtualbox" do |v|
    v.memory = 1024
  end
  config.dns.tld = "rd"
  config.vm.hostname = "machine"
  config.dns.patterns = [/^.*.rd$/]
  config.vm.network "private_network", ip: "192.168.33.10"
  config.vm.synced_folder "../", "/odyssey/"
end

And the relevant bit of the Apache config looks like:

<VirtualHost *:443>
    DocumentRoot "/odyssey/Source/System"
    ServerName my.server.name

    # Re-writes
    RewriteEngine On

    # ... snipped a whole bunch of rewrite rules ...

        SSLEngine on
        SSLCertificateFile /etc/ssl/cert.crt
        SSLCertificateKeyFile /etc/ssl/cert.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

both of which I think are fairly ordinary, and the forwarding works ok over HTTP for a similar Apache config on port 8080.

An example of the exact error message is:

[Tue Mar 17 10:34:33 2015] [error] Hostname hard-porpoise-0361 provided via SNI and hostname hard-porpoise-0361.vagrantshare.com provided via HTTP are different

Thanks for looking into this.

[sethvargo]

Hi @kevinbowman-ta

Are you able to provide a single Vagrantfile to reproduce this issue without Salt (perhaps just using the shell provisioner)? I am having difficulty reproducing this issue myself.

[mblaschke]

It should be able to reproduce this issue if you have one main default vhost with ssl and *.vagrant-share.com as SNI ssl vhost.

SNI check fails because of this issue:
[ssl:error] [pid 16295:tid 140042871084800] AH02032: Hostname hardworking-prairie-4191 provided via SNI and hostname hardworking-prairie-4191.vagrantshare.com provided via HTTP are different

[emanb29]

Temporary workaround: Use a custom domain. Downside: self-signed certs (and possibly "real" certs) cause trust warnings in most browsers and don't work from android apps. Further, the cert will probably mismatch (you'll have a cert for *.vagrantshare.com being offered to your users, which probably won't match your domain).

[dimsav]

Permanent workaround: use ngrok.

[jonaseberle]

Why is the domain part "vagrantshare.com" stripped from the SNI? I don't think the browser would do that (please correct me if I am wrong). I can only imagine that the vagrant-infrastructure has a misbehaving proxy in between.

Is there any possibility/workaround to show an https:// vagrant box quickly with "vagrant share" to a client/co-worker?

@emanb29 Setting up a custom domain still works? With the only limitation being another certificate? I'd like to ask before starting to configure.

NB: the Vagrant docs at https://atlas.hashicorp.com/help/vagrant/shares should state the current restrictions with HTTPS to save others from the hassle!

[autovalue]

From my tests a while back, this issue appears to be Apache specific. Using vagrant share on an nginx machine should work.

[ghost]

Yes, I can confirm. vagrant share with https over nginx works fine.
Thanks, @mikeyxkcd

[ammon-lockwood]

Any plans to address this or anyone have a workaround for apache?

[autovalue]

FYI @sumnercreations, on one of my newer puphpet generated apache boxes, I no longer experience the SNI issue.

[law]

@mikeyxkcd , could you share your Apache config (or provide repro steps) so the rest of us can see an example of what works? I am also currently experiencing this issue.

[autovalue]

@law this is my puphpet config.yaml last created in August:

vagrantfile:
    target: local
    vm:
        provider:
            local:
                box: puphpet/ubuntu1404-x64
                box_url: puphpet/ubuntu1404-x64
                box_version: 'false'
                chosen_virtualizer: vmware_workstation
                virtualizers:
                    virtualbox:
                        modifyvm:
                            natdnshostresolver1: false
                        showgui: 0
                    vmware:
                        numvcpus: 1
                    parallels:
                        use_linked_clone: 0
                        check_guest_tools: 0
                        update_guest_tools: 0
                machines:
                    vflm_l5unnu4axvy7:
                        id: mikeyxkcd
                        hostname: mikeyxkcd.vagrant
                        network:
                            private_network: 192.168.56.247
                            forwarded_port:
                                vflmnfp_jdtcn5v5mc78:
                                    host: '5895'
                                    guest: '22'
                        memory: '1024'
                        cpus: '1'
        provision:
            puppet:
                manifests_path: puphpet/puppet/manifests
                module_path: puphpet/puppet/modules
                options:
                    - '--verbose'
                    - '--hiera_config /vagrant/puphpet/puppet/hiera.yaml'
        synced_folder:
            vflsf_bvil61dh5k2v:
                source: ../application/
                target: /var/www/mikeyxkcd
                sync_type: nfs
                smb:
                    smb_host: ''
                    smb_username: ''
                    smb_password: ''
                    mount_options:
                        dir_mode: '0775'
                        file_mode: '0664'
                rsync:
                    args:
                        - '--verbose'
                        - '--archive'
                        - '-z'
                    exclude:
                        - .vagrant/
                        - .git/
                    auto: 'true'
                owner: www-data
                group: www-data
        usable_port_range:
            start: 10200
            stop: 10500
        post_up_message: ''
    ssh:
        host: 'false'
        port: 'false'
        private_key_path: 'false'
        username: vagrant
        guest_port: 'false'
        keep_alive: '1'
        forward_agent: 'false'
        forward_x11: 'false'
        shell: 'bash -l'
        insert_key: 'false'
    vagrant:
        host: detect
    proxy:
        http: ''
        https: ''
        ftp: ''
        no_proxy: ''
server:
    install: '1'
    packages:
        - htop
        - vim
        - php-apc
        - imagemagick
        - memcached
users_groups:
    install: '1'
    groups: {  }
    users: {  }
locale:
    install: '1'
    settings:
        default_locale: en_GB.UTF-8
        locales:
            - en_GB.UTF-8
            - en_US.UTF-8
        timezone: UTC
firewall:
    install: '1'
    rules: {  }
cron:
    install: '1'
    jobs: {  }
nginx:
    install: '0'
    settings:
        default_vhost: 1
        proxy_buffer_size: 128k
        proxy_buffers: '4 256k'
        proxy_connect_timeout: 600s
        proxy_send_timeout: 600s
        proxy_read_timeout: 600s
        names_hash_bucket_size: 128
    upstreams: {  }
    vhosts:
        nxv_v660bh3396sj:
            server_name: awesome.dev
            server_aliases:
                - www.awesome.dev
            www_root: /var/www/awesome
            listen_port: '80'
            index_files:
                - index.html
                - index.htm
                - index.php
            client_max_body_size: 1m
            ssl: '0'
            ssl_cert: ''
            ssl_key: ''
            ssl_port: '443'
            ssl_protocols: ''
            ssl_ciphers: ''
            rewrite_to_https: '1'
            spdy: '1'
            locations:
                nxvl_2czp5887r922:
                    location: /
                    try_files:
                        - $uri
                        - $uri/
                        - /index.php$is_args$args
                    fastcgi: ''
                    fastcgi_index: ''
                    fastcgi_split_path: ''
                    proxy: ''
                    proxy_redirect: ''
                nxvl_9b3fqszmyoq7:
                    location: '~ \.php$'
                    try_files:
                        - $uri
                        - $uri/
                        - /index.php$is_args$args
                    fastcgi: '127.0.0.1:9000'
                    fastcgi_index: index.php
                    fastcgi_split_path: '^(.+\.php)(/.*)$'
                    fast_cgi_params_extra:
                        - 'SCRIPT_FILENAME $request_filename'
                        - 'APP_ENV dev'
                    proxy: ''
                    proxy_redirect: ''
    proxies: {  }
apache:
    install: '1'
    settings:
        version: 2.4
        user: www-data
        group: www-data
        default_vhost: true
        manage_user: false
        manage_group: false
        sendfile: 0
    modules:
        - headers
        - proxy_fcgi
        - rewrite
    vhosts:
        av_jgr6qpjsharu:
            servername: mikeyxkcd.vagrant
            serveraliases:
                - mikeyxkcd
                - '*.vagrantshare.com'
            docroot: /var/www/mikeyxkcd/web
            port: '80'
            setenv:
                - 'APP_ENV dev'
            custom_fragment: ''
            ssl: '0'
            ssl_cert: ''
            ssl_key: ''
            ssl_chain: ''
            ssl_certs_dir: ''
            ssl_protocol: ''
            ssl_cipher: ''
            directories:
                avd_qnc6vl7wwmuz:
                    path: /var/www/mikeyxkcd/web
                    options:
                        - Indexes
                        - FollowSymlinks
                        - MultiViews
                    allow_override:
                        - All
                    require:
                        - 'all granted'
                    custom_fragment: ''
                    files_match:
                        avdfm_58u1bdqnto16:
                            path: \.php$
                            sethandler: 'proxy:fcgi://127.0.0.1:9000'
                            custom_fragment: ''
                            provider: filesmatch
                    provider: directory
        av_7cfbsetnveh6:
            servername: mikeyxkcd.vagrant
            serveraliases:
                - mikeyxkcd
                - '*.vagrantshare.com'
            docroot: /var/www/mikeyxkcd/web
            port: '443'
            setenv:
                - 'APP_ENV dev'
            custom_fragment: ''
            ssl: '1'
            ssl_cert: ''
            ssl_key: ''
            ssl_chain: ''
            ssl_certs_dir: ''
            ssl_protocol: ''
            ssl_cipher: ''
            directories:
                avd_3r97fub30o8p:
                    path: /var/www/mikeyxkcd/web
                    options:
                        - Indexes
                        - FollowSymlinks
                        - MultiViews
                    allow_override:
                        - All
                    require:
                        - 'all granted'
                    custom_fragment: ''
                    files_match:
                        avdfm_vezl4lzit16a:
                            path: \.php$
                            sethandler: 'proxy:fcgi://127.0.0.1:9000'
                            custom_fragment: ''
                            provider: filesmatch
                    provider: directory
letsencrypt:
    install: '1'
    settings:
        email: ''
    domains: {  }
php:
    install: '1'
    settings:
        version: '56'
    modules:
        php:
            - cli
            - intl
            - mcrypt
            - curl
            - imagick
            - memcached
            - gd
        pear: {  }
        pecl: {  }
    ini:
        display_errors: 'On'
        error_reporting: '-1'
        session.save_path: /var/lib/php/session
        date.timezone: UTC
    fpm_ini:
        error_log: /var/log/php-fpm.log
    fpm_pools:
        phpfp_cusaw6h960kg:
            ini:
                prefix: www
                listen: '127.0.0.1:9000'
                security.limit_extensions: .php
                user: www-user
                group: www-data
    composer: '1'
    composer_home: ''
xdebug:
    install: '1'
    settings:
        xdebug.default_enable: '1'
        xdebug.remote_autostart: '0'
        xdebug.remote_connect_back: '1'
        xdebug.remote_enable: '1'
        xdebug.remote_handler: dbgp
        xdebug.remote_port: '9000'
        xdebug.max_nesting_level: '250'
blackfire:
    install: '0'
    settings:
        server_id: ''
        server_token: ''
        agent:
            http_proxy: ''
            https_proxy: ''
            log_file: stderr
            log_level: '1'
        php:
            agent_timeout: '0.25'
            log_file: ''
            log_level: '1'
xhprof:
    install: '0'
wpcli:
    install: '0'
    version: v0.19.0
drush:
    install: '0'
    version: 6.3.0
ruby:
    install: '1'
    versions:
        rv_2u2mrchjo5nk:
            version: ''
            gems:
                - sass
                - compass
python:
    install: '1'
    packages: {  }
    versions: {  }
nodejs:
    install: '1'
    settings:
        version: null
    npm_packages:
        - gulp
        - bower
        - uglify-js
        - uglifycss
hhvm:
    install: '0'
    nightly: 0
    composer: '1'
    composer_home: ''
    settings: {  }
    server_ini:
        hhvm.server.host: 127.0.0.1
        hhvm.server.port: '9000'
        hhvm.log.use_log_file: '1'
        hhvm.log.file: /var/log/hhvm/error.log
    php_ini:
        display_errors: 'On'
        error_reporting: '-1'
        date.timezone: UTC
mariadb:
    install: '0'
    settings:
        version: '10.1'
        root_password: '123'
        override_options: {  }
    adminer: 0
    users:
        mariadbnu_q8yug87b9olp:
            name: dbuser
            password: '123'
    databases:
        mariadbnd_s5k0t8v8psi2:
            name: dbname
            sql: ''
    grants:
        mariadbng_y2qtabtrfv9l:
            user: dbuser
            table: '*.*'
            privileges:
                - ALL
mysql:
    install: '1'
    settings:
        version: '5.6'
        root_password: '123'
        override_options: {  }
    adminer: 0
    users:
        mysqlnu_tl4w5sj73m0u:
            name: mikeyxkcd
            password: '123'
    databases:
        mysqlnd_xiljmfu0us6j:
            name: mikeyxkcd
            sql: ''
    grants:
        mysqlng_kqbn8zn9meke:
            user: mikeyxkcd
            table: 'mikeyxkcd.*'
            privileges:
                - ALL
postgresql:
    install: '0'
    settings:
        global:
            encoding: UTF8
            version: '9.3'
        server:
            postgres_password: '123'
    databases: {  }
    users: {  }
    grants: {  }
    adminer: 0
mongodb:
    install: '0'
    settings:
        bind_ip: 127.0.0.1
        port: '27017'
    globals:
        version: 2.6.0
    databases: {  }
redis:
    install: '0'
    settings:
        port: '6379'
sqlite:
    install: '0'
    adminer: 0
    databases: {  }
mailhog:
    install: '1'
    settings:
        smtp_ip: 0.0.0.0
        smtp_port: 1025
        http_ip: 0.0.0.0
        http_port: '8025'
        path: /usr/local/bin/mailhog
beanstalkd:
    install: '0'
    settings:
        listenaddress: 0.0.0.0
        listenport: '13000'
        maxjobsize: '65535'
        maxconnections: '1024'
        binlogdir: /var/lib/beanstalkd/binlog
        binlogfsync: null
        binlogsize: '10485760'
    beanstalk_console: 0
rabbitmq:
    install: '0'
    settings:
        port: '5672'
    users: {  }
    vhosts: {  }
    plugins: {  }
elastic_search:
    install: '0'
    settings:
        version: 1.4.1
        java_install: true
    instances: {  }
solr:
    install: '0'
    settings:
        version: 4.10.2
        port: '8984'

You might need to delete your existing box, and destroy your current vagrant instance for the project (tell me if there's anything special about my config), goodluck!

[ryanotella]

This still seems to be an issue in 1.8.7. Custom domains do solve the SNI/HTTP mismatch issue, but create a new issue of the mismatched SSL certificate for the custom domain.

I agree with @jonaseberle that is seems to be a problem with the vagrant share handling of standard *.vagrantshare.com hosts. Apache2 considers that a browser bug and responds with a 400, but it seems Nginx lets it through. At any rate, there doesn't seem to be a valid case for the HTTP Host header not matching the SNI host.

[chrisroberts]

Hi there,

Thanks for reporting this bug. I'm sure this was a real issue when originally reported (our fault for not looking sooner!) but there have been multiple Vagrant releases since the original report. I'm going to close this issue now and request you reopen the issue if you're still experiencing this problem. I'm sorry this wasn't looked at earlier ☹️

Cheers!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.