HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


menahem 22nd February 2011 22:00

howto implement ssl
 
Hi All,

How can this tutorial http://howtoforge.net/hosting-multip...s-debian-lenny be implemented for websites managed by ISPConfig 3.x.x?

Thank you.

Menahem

falko 23rd February 2011 15:39

I haven't tried this. I guess you will have to change your vhost configurations manually (maybe it can also be done using ISPConfig's Apache Directives field).

menahem 23rd February 2011 21:18

falko,

It is working, but I need your eyes over it to help me do it on another server.
What I did is:
Preliminary notes:

A. I used the ISPConfig manual in order to have SSL configured.
B. The server I used has 1 IP address with numerous virtual hosts on it. That means that (in accordance with the ISPConfig manual) only one Vhost can have the SSL certificate.

The Howto:
I set one of the Vhosts its own SSL certificate.
Then:
Code:

vi /etc/apache2/sites-available/default-ssl
And changed it from:
Code:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
       
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

to:
Code:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
       
        DocumentRoot /var/www/example.com/web
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/example.com/web>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

And then restarted apache with:
Code:

/etc/init.d/apache2 restart
I ended with the following:
Whenever I do https://example.com, I get an answer from the server and everything looks OK. But whenever I do https://hostname.com, I am redirected by the server to example.com or, if you like, to /var/www/example.com/web.
As far as I can see, with this server configuration only one Vhost can have SSL access because there is only 1 SSL certificate for its IP address.
That is fine.

Now I need your help/opinion regarding another server which has 4 IP addresses and many Vhosts on any IP address. This server is a production server and I do not and cannot play with it.

I think that it can be done by adding multiple data to default-ssl; it might look like this (but I am not sure about that):
Code:

<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
       
        DocumentRoot /var/www/example.com/web
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/example.com/web>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
       
        DocumentRoot /var/www/domain.com/web
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/domain.com/web>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
       
        DocumentRoot /var/www/domain2.com/web
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/domain2.com/web>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

Thanks for your help. Please advise.
Menahem

i-chat 23rd March 2011 12:24

Would it be possible to include a patch that we can apply to the code (or a module of some kind) to be able to do this as standard for all users?

An alternative option, but I'm not sure if that could even work, would be to allow both methods.

Since we already have 1 IP, we might want to enable default SSL for the ISPConfig panel so that we're sure that that's always safe (including older browsers).

> we could enable it on a non default port as webmin or plesk has it.
So you would do server1.mywebhostingcompany.com:12322/ to get to your SSL-protected management panel, and we could then still use SNI on port 433 (with a warning (or a graceful degradation)) to users who want their websites protected.

till 23rd March 2011 17:22

Quote:

> we could enable it on a non default port as webmin or plesk has it.
That's what ISPConfig is doing already; you can enable SSL when you run an ISPConfig update on your system in the ISPConfig installer. You don't need the approach described above for that, as you can run as many SSL certs as you like with OpenSSL when they use different ports. The above approach is only about using multiple SSL certs on the same port and same IP.

i-chat 23rd March 2011 19:27

Sorry if I wasn't being clear enough; what I mean is, 1 cert to rule them all (no really, just for the admin interface), and SNI for the rest of it.

I would like to have non-SNI-supporting browsers still at least be able to use the admin interface, while users who don't care so much about backward compatibility can have SSL-based websites also (for, say, Joomla's admin interface or stuff like OScommerce).

This however would require some PHP code (I think) that could manage SNI and its certs.

I think that anno 2011 not supporting SNI is like building a website in MS Word '98: it mostly works but it's not what you'd expect.

On the client side I would probably write some JScript or PHP+JScript warning message that detects MS Win XP and recommends updating to at least Firefox 3.6 or upgrading their OS to supporting versions.
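
As an added illustration (not posted by anyone in this thread, and not ISPConfig's generated configuration), here are the two layouts the thread discusses: one certificate per IP address, which fits the four-IP server menahem asks about, and several certificates on one IP and port via SNI, which is the approach till refers to. The IP addresses, the pairing of domains with IPs, the `/var/www/hostname.com/web` docroot and the certificate paths are placeholders; the syntax is Apache 2.2, matching the posts.

```apache
# Added example; IPs (192.0.2.x) and certificate paths are placeholders.
# Assumes mod_ssl is enabled and "Listen 443" is set (ports.conf on Debian).

# Layout 1: one certificate per IP address. Works with every client,
# because the vhost and its certificate are chosen by destination IP.
<VirtualHost 192.0.2.10:443>
        ServerName example.com
        DocumentRoot /var/www/example.com/web
        SSLEngine on
        SSLCertificateFile    /path/to/example.com.crt
        SSLCertificateKeyFile /path/to/example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
        ServerName hostname.com
        DocumentRoot /var/www/hostname.com/web
        SSLEngine on
        SSLCertificateFile    /path/to/hostname.com.crt
        SSLCertificateKeyFile /path/to/hostname.com.key
</VirtualHost>

# Layout 2: several certificates on the same IP and port. The server can
# only pick the right one if the client sends the host name via SNI.
NameVirtualHost 192.0.2.12:443

# off: clients without SNI are still served, but they receive the
# certificate of the first vhost listed for this IP:port, so they see a
# name-mismatch warning on the other sites. "on" rejects them instead.
SSLStrictSNIVHostCheck off

<VirtualHost 192.0.2.12:443>
        ServerName domain.com
        DocumentRoot /var/www/domain.com/web
        SSLEngine on
        SSLCertificateFile    /path/to/domain.com.crt
        SSLCertificateKeyFile /path/to/domain.com.key
</VirtualHost>

<VirtualHost 192.0.2.12:443>
        ServerName domain2.com
        DocumentRoot /var/www/domain2.com/web
        SSLEngine on
        SSLCertificateFile    /path/to/domain2.com.crt
        SSLCertificateKeyFile /path/to/domain2.com.key
</VirtualHost>
```

Running `apache2ctl configtest` before a restart catches unclosed `<VirtualHost>` blocks, and `apache2ctl -S` lists which vhost is the default for each IP:port.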


All times are GMT +2.