HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Forum: Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)
Thread: 3 Question SSL cert, https redirect, WebFtp, (http://www.howtoforge.com/forums/showthread.php?t=52340)

serkejal 17th April 2011 15:26

4 Questions SSL cert, https redirect, WebFtp, Bind
 
Hi, I have 4 questions about the configuration of secure access, web FTP and bind views.

1) I've created an SSL cert and redirected the http address for roundcube and phpmyadmin to https, and everything is all right. But when a user visits a site created with ISPConfig to access the webmail (e.g. http://www.example.com/webmail), the browser redirects to https correctly but alerts the user that the CN of the cert doesn't match the site; this is because the CN is the main site or the common name of the server. What can I do? Would it be possible to redirect all site/webmail to mainsite/webmail to avoid the alert that the CN doesn't match?
1a) When I set SSL for a domain, it can be accessed either via http or https. How can I restrict it to only https?

2) When a user visits the ISPConfig panel via http, a page is shown that warns you to use https... is it possible to redirect to https automatically?

3) Can you tell me a good web FTP client compatible with ISPConfig?

4) Can I configure Bind for internal and external "views" through ISPConfig?

To create a cert and to redirect traffic I used this post and this tutorial.

ncoc.nl 17th April 2011 20:02

The redirection from http to https can be done in different ways, the first option(s) I think about:

Create a subdomain redirecting to your https site.
Put a PHP or HTML page redirecting to your https site, e.g.:

PHP Code:

<?php
// Send the browser to the main site's https webmail and stop further output.
header("Location: https://yourmainsite/webmail");
exit;
?>

regards,
Ronald

serkejal 17th April 2011 20:42

Quote:

Originally Posted by ncoc.nl (Post 255483)
The redirection from http to https can be done in different ways, the first option(s) I think about:

Create a subdomain redirecting to your https site.
Put a PHP or HTML page redirecting to your https site, e.g.:

PHP Code:

<?php
// Send the browser to the main site's https webmail and stop further output.
header("Location: https://yourmainsite/webmail");
exit;
?>

regards,
Ronald

I use mod_rewrite and mod_ssl in the Apache configuration file of roundcube and phpmyadmin to redirect to https. The problem is that I want to redirect all domain.com/webmail to maindomain.com/webmail (or deactivate access from domain.com/webmail) to pass the SSL check on the Common Name.
Your solution is good for a subdomain like webmail.domain.com, and the use of a redirect in PHP or HTML doesn't redirect all http queries to https but only a particular query.

ncoc.nl 17th April 2011 21:03

Hi,

Another possibility is an .htaccess file:

# mod_alias: permanently redirect /webmail on this vhost to the main site
Redirect 301 /webmail https://yourmainsite/webmail

Not that nice, but it's working.

serkejal 19th April 2011 00:05

I found another way... from this tutorial I have changed this part
Code:

<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /webmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI}  [L]
    </Location>
  </IfModule>
</IfModule>

to this.
Code:

<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /webmail>
      RewriteEngine on
      # fire if the request is not already https ...
      RewriteCond %{HTTPS} !^on$ [NC,OR]
      # ... or if it is not already addressed to the main host (prevents a redirect loop)
      RewriteCond %{HTTP_HOST} !^my\.main\.domain:50443 [NC]
      # always send the client to the host name that is in the certificate
      RewriteRule  . https://my.main.domain:50443%{REQUEST_URI} [R,L]
    </Location>
  </IfModule>
</IfModule>

so all domain/webmail requests are redirected to maindomain/webmail..
Now all the http requests are redirected properly, without certificate problems.
Otherwise, https requests made directly to domain/webmail verify the certificate before being redirected and give the above error... I do not think there is a solution...
Is it, in these cases, useful to have a wildcard certificate?
Can I disable access to ISPConfig, RoundCube and phpmyadmin on other domains to force everyone to go through the primary domain?

And then there are also the other questions ;)
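As an added illustration (not code from the thread), a small Python model of the two mod_rewrite blocks above: the tutorial's version keeps %{HTTP_HOST}, so a customer domain is sent to https on its own name and hits the CN mismatch, while the modified version always lands on the main host, and its second RewriteCond is what stops a loop once the request is already there. The host name and port are the placeholders from the post.

```python
import re
from typing import Optional

# Placeholders taken from the post; not a real host.
MAIN_HOST = "my.main.domain"
PORT = 50443


def _in_location(uri: str) -> bool:
    # <Location /webmail> covers /webmail and everything below it
    return uri == "/webmail" or uri.startswith("/webmail/")


def redirect_original(scheme: str, host: str, uri: str) -> Optional[str]:
    """Tutorial version: RewriteCond %{HTTPS} !^on$ then
    RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI}.
    Returns the Location the rule would emit, or None when it does not fire."""
    if not _in_location(uri):
        return None
    if re.match(r"^on$", "on" if scheme == "https" else "off", re.IGNORECASE):
        return None                      # already https: the only condition fails
    return f"https://{host}:{PORT}{uri}"  # %{HTTP_HOST} verbatim: keeps the customer name


def redirect_modified(scheme: str, host: str, uri: str) -> Optional[str]:
    """Modified version: fires if not https [OR] if Host is not the main host:port."""
    if not _in_location(uri):
        return None
    not_https = scheme != "https"                                   # %{HTTPS} !^on$ [NC]
    not_main = not re.match(rf"^{re.escape(MAIN_HOST)}:{PORT}", host, re.IGNORECASE)
    if not_https or not_main:                                       # [OR]
        return f"https://{MAIN_HOST}:{PORT}{uri}"
    return None                                                     # already there: no loop


def cert_warning_before_redirect(scheme: str, host: str) -> bool:
    """The TLS handshake completes before any RewriteRule runs, so an https request
    to a customer host is checked against the main host's certificate first; this is
    the case the post says a rewrite cannot fix."""
    return scheme == "https" and host.split(":", 1)[0].lower() != MAIN_HOST


if __name__ == "__main__":
    for req in [("http", "www.example.com", "/webmail/"),
                ("https", "www.example.com:50443", "/webmail/"),
                ("https", "my.main.domain:50443", "/webmail/")]:
        print(req, redirect_original(*req), redirect_modified(*req),
              "cert warning first" if cert_warning_before_redirect(*req[:2]) else "")
```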

ncoc.nl 19th April 2011 00:23

There could be a problem with your solution: firewall issues.
What if the chosen port (50443) is blocked?

About your other questions:

I don't use webftp, so in this case I do not have an answer.
About your bind question, what do you mean by "Can i configure Bind for internal and external "view" through Ispconfig?"

Possibly the answer is as follows; for IPv4 you can add the line:

listen-on { any; };

in /etc/bind/named.conf.options.

This will force bind to listen on all IP addresses (including localhost).

Regards,
Ronald

serkejal 19th April 2011 15:30

I opened the port on my router and firewall (also software) and I don't have any problem with incoming connections; I think that nobody blocks outgoing traffic on a port....

For bind I mean a configuration like this
Code:

// Example named.conf

// This is the primary configuration file for the BIND DNS server named.
// This is for example only

acl "dns_slaves" {
        172.16.1.2;                                # IP of the slave DNS nameserver
        172.16.101.2;                               # ditto
};

acl "lan_hosts" {
        192.168.0.0/24;                                # network address of your local LAN
        127.0.0.1;                                # allow loop back
};

options {                                        # this section sets the default options
        directory "/etc/namedb";                       # directory where the zone files will reside
        listen-on {
                192.168.0.1;                        # IP address of the local interface to listen
                127.0.0.1;                        # ditto
        };
        auth-nxdomain no;                        # conform to RFC1035
        allow-query { any; };                        # allow anyone to issue queries
        recursion no;                                # disallow recursive queries unless over-ridden below
        version "0";                                # obscures version reporting - can't hurt
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "nOzUd7+Hwdq6k6CQq7SbDw==";        # DO NOT USE THIS KEY - example only
};

controls {
        inet 127.0.0.1 allow { localhost; }
        keys { rndc-key; };
};

view "internal" {
        match-clients { lan_hosts; };                # match hosts in acl "lan_hosts" above
        recursion yes;                                # allow recursive queries
        notify no;                                # disable AA notifies

        // prime the server with knowledge of the root servers
        zone "." {
                type hint;
                file "db.root";
        };
        // be authoritative for the localhost forward and reverse zones, and for
        // broadcast zones as per RFC 1912
        zone "localhost" {
                type master;
                file "db.local";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "db.127";
        };
        zone "0.in-addr.arpa" {
                type master;
                file "db.0";
        };
        zone "255.in-addr.arpa" {
                type master;
                file "db.255";
        };
        zone "example.com" {
                type master;
                file "internal/example.com.zone";
        };
};

view "external" {

        // "localnets" and "any" are special reserved words
        // "localnets" mean any network address (as opposed to host address) configured
        // on the local network interfaces - "!" means to negate
        match-clients { !localnets; any; };
        recursion no;                        # disallow recursive queries
        allow-transfer { dns_slaves; };        # allow hosts in acl "dns_slaves" to transfer zones

        zone "example.com" {
                type master;
                file "external/example.com.zone";
        };
};


ncoc.nl 19th April 2011 17:52

The firewall thing wasn't meant for your firewall; the first thing is opening this port for accessing your site. What I mean is that when hardening outbound traffic (as I do for companies), only regular ports like http and https are allowed
to access the outside world, and 50443 is not in this list.

What is the goal of your DNS config? I notice several subnets; can you provide some more info?

serkejal 19th April 2011 20:10

Thanks for the answers..
I used that port just because it is not a conventional port (actually that is the port recommended by the tutorial; I've put another ;) ), so it is more difficult for an attacker to get the ISPConfig login page, and a sniff shows the port open without being able to say what service it is (in theory).
Certainly, in the case of a corporate network that passes through proxies and firewalls that also filter outgoing ports, it could be a problem, but in any case I think that should be studied for the special case...
For now my configuration is only meant to learn the dynamics of a LAMP server and do a bit of practice; my server runs on a virtual machine on a desktop host...
About bind, I posted an example found on the internet; I see that a single DNS server can act for both internal and external networks when specially configured... I want to change the hosts file of the various PCs on the network :D; for now I did it only for the one on which I work....

