HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Secure My Apache Config (http://www.howtoforge.com/forums/showthread.php?t=41913)

carlosinfl 17th December 2009 14:21

Secure My Apache Config
 
I have a mail server running Postfix & Apache for a webmail application. I followed this guide, which walks you through creating self-signed SSL certificates for Postfix and Dovecot. The SSL certs are working fine, since I tested them with TLS / SASL via email; however, my question is: can I also use the same generated SSL certificates to make my webmail session via Apache secure?

My DocumentRoot is configured to take you to *mydomain.us* and then there is a link for *mydomain.us/webmail*, and the webmail sub-directory is what I would like to be running on port 443.

Anyone know if this is possible without some crazy configuration modifications? I would think I simply need to add a 'virtual host' entry in the /etc/httpd/conf/httpd.conf file pointing to the location of my SSL certificates on the server.

Mark_NL 17th December 2009 15:08

You are correct sir :)

You need to create a new VirtualHost on port 443 and define ssl options inside that virtualhost scope

f.e.

Code:

<VirtualHost 1.2.3.4:443>
 # DocumentRoot rather than VirtualDocumentRoot: the latter is a
 # mod_vhost_alias directive for interpolated paths and is not needed
 # for a fixed path
 DocumentRoot /path/to/your/webmail
 ServerName   webmail.yourdomain.tld

 SSLEngine On
 # the cipher list Apache 2.2's sample httpd-ssl.conf ships with
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateKeyFile /path/to/your/ssl/cert/server.key
 SSLCertificateFile /path/to/your/ssl/cert/server.cert
</VirtualHost>

Your webmail will now be available through: https://webmail.yourdomain.tld

carlosinfl 17th December 2009 15:23

Quote:

Originally Posted by Mark_NL (Post 213817)
f.e.

Code:

<VirtualHost 1.2.3.4:443>
 # DocumentRoot rather than VirtualDocumentRoot (a mod_vhost_alias directive)
 DocumentRoot /path/to/your/webmail
 ServerName   webmail.yourdomain.tld

 SSLEngine On
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateKeyFile /path/to/your/ssl/cert/server.key
 SSLCertificateFile /path/to/your/ssl/cert/server.cert
</VirtualHost>

With my current config without the SSL or Virtual Host, I access webmail only by going to www.mydomain.tld/webmail.

Your webmail will now be available through: https://webmail.yourdomain.tld

Oh so now with this entry I can access my webmail server with an alias? Even if my server hostname is not 'webmail', I should still be able to do some kind of redirect from https://www.yourdomain.tld >> https://webmail.yourdomain.tld?

carlosinfl 17th December 2009 15:24

Right now w/o the SSL or Virtual Host config, I access my webmail via http as www.mydomain.tld/webmail.

Mark_NL 17th December 2009 15:44

So currently you have:
http://www.mydomain.tld/webmail

and you want to reach webmail via
https://www.mydomain.tld/webmail
as well?

Since webmail is an alias (it points to a Directory directive), you would need to configure a global SSL setting so you can reach ALL websites with or w/o SSL ..

if you run one domain on it and want normal/ssl connections to the website and the webmail alias, just copy and paste your existing VirtualHost, change the port to 443 and add the SSL options, save, restart, done. :)
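Added example (not from the thread or from Mark_NL): one way to lay out the copied VirtualHost he describes, with the plain-HTTP /webmail path redirected to HTTPS so the webmail login never travels in clear text, and a stricter cipher list than the stock one quoted above. The hostname, the certificate paths, the /srv/http document root and the Alias for /webmail are assumptions; Apache 2.2 syntax is assumed because the thread's httpd-ssl.conf uses SSLMutex, and mod_ssl and mod_rewrite must be loaded.

```apache
# Port 80: keep the site, but send any request for /webmail to HTTPS
<VirtualHost *:80>
    ServerName   www.mydomain.tld
    DocumentRoot "/srv/http"

    RewriteEngine On
    RewriteRule ^/webmail(/.*)?$ https://www.mydomain.tld/webmail$1 [R=301,L]
</VirtualHost>

# Port 443: a copy of the port-80 host plus the SSL options
<VirtualHost *:443>
    ServerName   www.mydomain.tld
    DocumentRoot "/srv/http"

    SSLEngine on
    # the same self-signed pair Postfix/Dovecot use (paths assumed)
    SSLCertificateFile    "/etc/ssl/certs/server.crt"
    SSLCertificateKeyFile "/etc/ssl/private/server.key"

    # Stricter than the stock list: no SSLv2/SSLv3, no anonymous, export,
    # null or low-grade ciphers, and the server's preference order wins
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5
    SSLHonorCipherOrder on

    # The webmail alias (assumed location) is only defined on this host,
    # so it cannot be reached over plain HTTP at all
    Alias /webmail "/srv/http/webmail"
    <Directory "/srv/http/webmail">
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

After saving, `apachectl configtest` before the restart catches a typo in either block, and `openssl s_client -connect www.mydomain.tld:443` shows which protocol and cipher the server actually negotiates.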

carlosinfl 17th December 2009 19:05

Thanks all for the awesome help. I will do this today and post back if something doesn't work.

-Carlos

carlosinfl 17th December 2009 20:18

There is no "Virtual Host" entry in my 'httpd.conf' file but I did find on my Linux distribution (Arch Linux) a /etc/httpd/conf/extra/httpd-ssl.conf. In that file I have the following:

Code:

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex  "file:/var/run/httpd/ssl_mutex"

<VirtualHost _default_:443>

DocumentRoot "/srv/http/webmail"
ServerName www.mydomain.tld:443
ServerAdmin admin@mydoma.tld
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/path/to/server.crt"
SSLCertificateKeyFile "/path/to/server.key"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/srv/http/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

CustomLog "/var/log/httpd/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Do I need to copy the uncommented entries I posted above from the httpd-ssl.conf file to the bottom of my httpd.conf file?
