403 Forbidden on all http

OS type and version Ubuntu Linux 20.04.4
Virtualmin version 7.1-1 Pro

I just started noticing that any time someone tries going to any of my hosted domains with http instead of https, it brings up a 403 Forbidden page. I have [Redirect all requests to SSL site] selected for all sites, but it’s still throwing this error.
I have searched Google, and the VirtualMin forums, but can’t find anything that matches my issue.
Upon doing a Domain Health Check on my primary domain, I get:
The remote server returned an error: (403) Forbidden. (http://pppwh.com)
This happens on all domains but one. I have compared the Website Options page for each one, and they’re all identical.
Any ideas why it’s not redirecting like it should? Thanks.

It sounds like there is some error in the http → https redirect.

If you get 403 on all except for one site hosted, it is likely because the redirect does try to redirect to the main / default domain for the IP, or there is an error with the redirect regular expression that matches, rewrites the URL and then “forwards” the client to the https equivalent domain.

  • What webserver are you using? nginx / apache?

I’m using Apache

you totally lost me on that one. LOL

Okay, apache is a good start,

Already getting lost at this level may not help making things easy to fix it, though we can still try to get you to understand how this works and see if we can find a fix.

The virtualmin setting: “Always redirect to ssl website” makes things work in a way that sites are always using HTTPS as a protocol, ensuring that no one is able to snoop the contents of the connection, and as such keeping the connection contents private between the client and server. ( the web-browser is the client, the server is “the Apache daemon” )

Now often clients do not type explicit httpS://, they just assume that happens automatically. Virtualmin does try to make this happen by “redirecting” a client that connects using http to https. This can be done in 2 (actually some more) ways:

Either the server has configurations for both http and https for all the sites(domains) it hosts, the http part of these sites does not actually serve content, it just “rewrites” the protocol part of the requested url and then redirects the client to the actual server on the https side of things.

Or it has just one “default” http site, that is configured to “rewrite” and then “redirect” the client to the requested url (site / domain + path) on the httpS protocol.

Generally speaking the last option is used the most as it makes a lot less configuration needed. To determine where to “redirect” the client, a regular expression is used to split the incoming request into its parts, then change the protocol part of that request, merge them back together, and send the result back to the client informing them to request the new (now httpS) url instead. For some more info on regular expressions, look at “Apache mod_rewrite Introduction - Apache HTTP Server Version 2.4”; it has a more detailed explanation of regular expressions in rewrite rules, though that happens on the server side. The same principle applies for redirects.

The bigger question now becomes how to explain this relatively easy thing that gets complicated very quickly if you do not understand how this is achieved.

As a first step you should figure out how your server is configured to redirect from http to https. You can do that by opening the apache config file (webmin → servers → apache webserver → tab “global configuration” → button “edit config files”).

In this file you should be able to find a handful of tags that look like:

<VirtualHost xxx.xxx.xxx.xxx:80>
    .../ /...
    ServerName somedomain.com
    .../ /...
</VirtualHost>

If you find more than 1 of those “blocks” that have :80 in them, it means that you have multiple sites that are both responding on http and https. If there is just one “listen :80” and no “virtualhost xx:80” blocks, you have just the default domain that does the redirects.

Given this support thread in text will take hours to write out and send back and forth on a forum, I think you are best served by someone experienced who can help you in real time with some “shared screen and instructions” style support. Or you have to very quickly deep dive into understanding Apache configuration and its directives (some google keywords would be: redirect http to https apache multiple virtualhost). While this is not impossible, it may also break more in virtualmin than you expect, as it all is somewhat linked into one, where virtualmin expects some things to be done a certain way.

The thing you are looking for that is broken / misconfigured for the setup looks something like this:

RewriteEngine On 
RewriteCond %{HTTPS}  !=on 
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

If wanted you could send me a DM and I may be able to look into this with you in a voice conversation with a shared screen, for example on discord. Given the fact you seem to be running this as a business setup, you may also consider requesting official support from the web/virtualmin team, as that provides you with more guarantees than I can.


Let me explain what confused me (I’m not confused over the whole apache and site settings details). I hadn’t had my morning coffee yet (I know, I shouldn’t have replied until after I did. LOL).
I do know mostly what I’m doing here. I don’t want to come off as a ‘complete’ noob. I’ve been hosting for years, however I’m only just learning VirtualMin’s ins and outs. I did read as much as possible before trying VirtualMin and thought I was knowledgeable enough to go ahead fully with my own hosting.
I even bought a ProLiant DL380 G7 Server to host on.

<VirtualHost xxx.xxx.xxx.xxx:80>
    .../ /...
    ServerName somedomain.com
    .../ /...
</VirtualHost>

There is nothing in my apache2.conf file with those. Even looking up a default conf file, it doesn’t show any of those. But obviously they are in each of the sites-available conf files.

However, when I was doing my Google searches about this issue, I did come across various pages with suggestions on the rewrite rule, but it seems there are thousands of opinions about which is the best practice. All the ones I did try, didn’t seem to do anything.
Each site’s conf file has the following:

RewriteEngine on
RewriteRule ^(?!/.well-known)(.*) https://pppwh.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.pppwh.com
RewriteRule ^(?!/.well-known)(.*) https://pppwh.com:10000/ [R]

Obviously changing the domain name on each one. So it seems VirtualMin is only redirecting the access to WebMin? Am I reading that correctly?

So the question would be, should this code you shared also be included in each site’s conf files? It’s very similar to the ones I did try but not exactly.

RewriteEngine On 
RewriteCond %{HTTPS}  !=on 
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Thanks for your help with this. If I can’t get all this fixed here with other users’ input, then I will be getting ahold of the VirtualMin team to continue researching the issue.
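As an added illustration (not code from any poster in this thread or from Virtualmin), the check discussed above can be scripted: list every port-80 VirtualHost block and report whether it contains a rule that sends the client to its own https:// site rather than only to another port. The sample configuration, host names, addresses and function names are constructed for the example.

```python
import re

# Constructed sample in the shape of a sites-available file (not from the thread).
SAMPLE = """\
<VirtualHost 192.0.2.10:80>
    ServerName redirected.example
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName portsonly.example
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.portsonly.example
    RewriteRule ^(?!/.well-known)(.*) https://portsonly.example:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.portsonly.example
    RewriteRule ^(?!/.well-known)(.*) https://portsonly.example:10000/ [R]
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName redirected.example
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)
TARGET = re.compile(r"https://(%\{(?:SERVER_NAME|HTTP_HOST)\}|[^/:%\s]+)(:\d+)?", re.I)

def targets_own_https(line, name):
    """True if a RewriteRule/Redirect line points at https://<this site> on 443."""
    words = line.split()
    if not words or words[0].lower() not in ("rewriterule", "redirect"):
        return False
    for word in words[1:]:
        m = TARGET.match(word)
        if m:
            host, port = m.group(1).lower(), m.group(2)
            return (host.startswith("%{") or host == name) and port in (None, ":443")
    return False

def audit(conf):
    """Map each port-80 vhost's ServerName to whether it redirects to its HTTPS site.
    Limitation: RewriteCond lines are not evaluated, only rule targets."""
    report = {}
    for addr, body in VHOST.findall(conf):
        if not any(a.endswith(":80") for a in addr.split()):
            continue  # only plain-http vhosts matter for this check
        m = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
        name = m.group(1).lower() if m else "(no ServerName)"
        report[name] = any(targets_own_https(l, name) for l in body.splitlines())
    return report

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name}: {'redirects to https' if ok else 'NO http->https redirect'}")
```

To run it against a real server, pass `audit()` the concatenated text of the per-site conf files instead of `SAMPLE`.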

So I’ve still been struggling with this. But I hope to have uncovered something that I think might help get me pointed in the right direction (fingers crossed):
If I just type the domain name, i.e. example.com, it works, taking it to the HTTPS site.
But if I type: http://example.com it throws the 403 Forbidden error.

So it IS redirecting, but not if the HTTP is manually typed in.

Hopefully this helps someone point me in the right direction to rectify this issue.


Assuming you get 403 on all aside from one site facilitated, it is logical on the grounds that the divert attempts to divert to the fundamental/default space for the IP, or there is a mistake with the divert standard articulation that matches, changes the URL and afterward “advances” the client to the https comparable area.
