HowtoForge Forums > ISPConfig 3 > Installation/Configuration

#1
17th April 2011, 14:26
serkejal (Junior Member)
4 Questions: SSL cert, https redirect, WebFtp, Bind

Hi, I have 4 questions about the configuration of secure access, web FTP and BIND views.

1) I've created an SSL cert and redirected the http address for Roundcube and phpMyAdmin to https, and everything is all right. But when a user visits a site created with ISPConfig to access the webmail (e.g. http://www.example.com/webmail), the browser redirects to https correctly but alerts the user that the CN of the cert doesn't match the site; this is because the CN is the main site or the common name of the server. What can I do? Would it be possible to redirect all site/webmail to mainsite/webmail to avoid the alert that the CN doesn't match?
1a) When I set SSL for a domain, it can be accessed via both http and https. How can I restrict it to only https?

2) When a user visits the ISPConfig panel via http, a page is shown that warns you to use https... Is it possible to redirect to https automatically?

3) Can you tell me a good web FTP client compatible with ISPConfig?

4) Can I configure BIND for internal and external "views" through ISPConfig?

To create a cert and to redirect traffic I used this post and this tutorial.

Last edited by serkejal; 17th April 2011 at 15:48.
#2
17th April 2011, 19:02
ncoc.nl (Member)

The redirection from http to https can be done in different ways; the first options I can think of:

Create a subdomain redirecting to your https site.
Put a PHP or HTML page redirecting to your https site, e.g.:

PHP Code:
<?php
// send the browser to the HTTPS webmail on the main site, then stop
header("Location: https://yourmainsite/webmail");
exit;
?>
regards,
Ronald
#3
17th April 2011, 19:42
serkejal (Junior Member)

Quote (originally posted by ncoc.nl):
The redirection from http to https can be done in different ways; the first options I can think of:

Create a subdomain redirecting to your https site.
Put a PHP or HTML page redirecting to your https site, e.g.:

PHP Code:
<?php
// send the browser to the HTTPS webmail on the main site, then stop
header("Location: https://yourmainsite/webmail");
exit;
?>
regards,
Ronald
I use mod_rewrite and mod_ssl in the Apache configuration file of Roundcube and phpMyAdmin to redirect to https. The problem is that I want to redirect all domain.com/webmail to maindomain.com/webmail (or deactivate access from domain.com/webmail) to pass the SSL check on the Common Name.
Your solution is good for a subdomain like webmail.domain.com, and the use of a redirect in PHP or HTML doesn't redirect all http queries to https but only a particular query.
#4
17th April 2011, 20:03
ncoc.nl (Member)

Hi,

Another possibility is an .htaccess file:

Code:
Redirect 301 /webmail https://yourmainsite/webmail

Not that nice, but it's working.
#5
18th April 2011, 23:05
serkejal (Junior Member)

I found another way... from this tutorial I have changed this part
Code:
<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /webmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI}  [L]
    </Location>
  </IfModule>
</IfModule>
to this.
Code:
<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /webmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC,OR]
      RewriteCond %{HTTP_HOST} !^my\.main\.domain:50443 [NC]
      RewriteRule . https://my.main.domain:50443%{REQUEST_URI} [R,L]
    </Location>
  </IfModule>
</IfModule>
so all domains/webmail are redirected to maindomain/webmail.
Now all the http requests are redirected properly, without certificate problems.
Otherwise, https requests made directly to domain/webmail verify the certificate before being redirected and give the above error... I do not think there is a solution...
Is it, in these cases, useful to have a wildcard certificate?
Can I disable access to ISPConfig, Roundcube and phpMyAdmin on other domains to force everyone to pass through the primary domain?

And then there are also the other questions.
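As an added example (not code from this thread, the tutorial, or ISPConfig), the script below models the two RewriteRule blocks above together with the browser's certificate-name check, so the difference between the two rule sets and the remaining direct-https case can be seen offline. my.main.domain, port 50443 and the certificate names are placeholders taken from the posted rules.

```python
# Offline model (constructed example, not Apache) of the two RewriteRule blocks
# in this thread and of the browser's certificate-name check, showing which
# requests are redirected and which fail on the certificate first.
import re

MAIN_HOST = "my.main.domain"   # placeholder name taken from the posted rule
SSL_PORT = 50443

def rules_tutorial(https, host, uri):
    """Original block: if %{HTTPS} is not on, redirect to the SAME host."""
    return None if https else f"https://{host}:{SSL_PORT}{uri}"

def rules_changed(https, host, uri):
    """Changed block: not HTTPS, or Host is not main:port, redirect to MAIN host."""
    on_main = re.match(rf"^{re.escape(MAIN_HOST)}:{SSL_PORT}", host, re.I)
    return None if (https and on_main) else f"https://{MAIN_HOST}:{SSL_PORT}{uri}"

def name_matches(hostname, cert_names):
    """Browser-style CN/SAN check: exact name, or a single-label '*.' wildcard."""
    h = hostname.lower().rstrip(".")
    for n in (c.lower() for c in cert_names):
        if n.startswith("*."):
            label, _, rest = h.partition(".")
            if label and rest == n[2:]:
                return True
        elif n == h:
            return True
    return False

def browser(https, host, uri, cert_names, rules):
    """One request: ('cert_error', host), ('redirect', url) or ('ok', host).
    The TLS handshake, and so the name check, happens before any RewriteRule."""
    if https and not name_matches(host.split(":")[0], cert_names):
        return ("cert_error", host)
    target = rules(https, host, uri)
    return ("redirect", target) if target else ("ok", host)

def follow(url, cert_names, rules, limit=5):
    """Follow redirects like a browser until the request succeeds or fails."""
    for _ in range(limit):
        scheme, _, rest = url.partition("://")
        host, _, path = rest.partition("/")
        result = browser(scheme == "https", host, "/" + path, cert_names, rules)
        if result[0] != "redirect":
            return result
        url = result[1]
    return ("loop", url)
```

With a certificate issued for my.main.domain, `follow("http://www.example.com/webmail", ["my.main.domain"], rules_changed)` ends in `ok` while the tutorial rules end in `cert_error`; a request that starts as https://www.example.com:50443/webmail fails on the certificate under either rule set, and a wildcard for *.main.domain still does not cover other domains.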
#6
18th April 2011, 23:23
ncoc.nl (Member)

There could be a problem with your solution: firewall issues.
What if the chosen port (50443) is blocked?

About your other questions:

I don't use web FTP, so in this case I do not have an answer.
About your BIND question, what do you mean by "Can I configure BIND for internal and external "view" through ISPConfig?"

Possibly the answer is as follows; for IPv4 you can add the line:

listen-on { any; };

in /etc/bind/named.conf.options.

This will force BIND to listen on all IP addresses (including localhost).

Regards,
Ronald
#7
19th April 2011, 14:30
serkejal (Junior Member)

I opened the port on my router and firewall (also software) and I don't have any problem with incoming connections; I think that nobody blocks outgoing traffic on a port....

For BIND I mean a configuration like this:
Code:
// Example named.conf
//
// This is the primary configuration file for the BIND DNS server named.
// This is for example only

acl "dns_slaves" {
        172.16.1.2;                             # IP of the slave DNS nameserver
        172.16.101.2;                           # ditto (every list element needs a ';')
};

acl "lan_hosts" {
        192.168.0.0/24;                         # network address of your local LAN
        127.0.0.1;                              # allow loopback
};

options {                                       # this section sets the default options
        directory "/etc/namedb";                # directory where the zone files will reside
        listen-on {
                192.168.0.1;                    # IP address of the local interface to listen on
                127.0.0.1;                      # ditto
        };
        auth-nxdomain no;                       # conform to RFC 1035
        allow-query { any; };                   # allow anyone to issue queries
        recursion no;                           # disallow recursive queries unless overridden below
        version "0";                            # obscures version reporting - can't hurt
};

key "rndc-key" {
        algorithm hmac-md5;                     # hmac-sha256 is preferred on current BIND releases
        secret "nOzUd7+Hwdq6k6CQq7SbDw==";     # DO NOT USE THIS KEY - example only
};

controls {
        inet 127.0.0.1 allow { localhost; }     # rndc control channel, local host only
        keys { rndc-key; };
};

view "internal" {
        match-clients { lan_hosts; };           # match hosts in acl "lan_hosts" above
        recursion yes;                          # allow recursive queries
        notify no;                              # disable AA notifies

        // prime the server with knowledge of the root servers
        zone "." {
                type hint;
                file "db.root";
        };
        // be authoritative for the localhost forward and reverse zones, and for
        // broadcast zones as per RFC 1912
        zone "localhost" {
                type master;
                file "db.local";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "db.127";
        };
        zone "0.in-addr.arpa" {
                type master;
                file "db.0";
        };
        zone "255.in-addr.arpa" {
                type master;
                file "db.255";
        };
        zone "example.com" {
                type master;
                file "internal/example.com.zone";
        };
};

view "external" {

        // "localnets" and "any" are special reserved words
        // "localnets" means any network address (as opposed to host address) configured
        // on the local network interfaces - "!" means to negate
        match-clients { !localnets; any; };
        recursion no;                           # disallow recursive queries
        allow-transfer { dns_slaves; };         # allow hosts in acl "dns_slaves" to transfer zones

        zone "example.com" {
                type master;
                file "external/example.com.zone";
        };
};
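As an added example (not part of the posted config, BIND, or ISPConfig), this script models how named chooses a view for a client under the split-horizon named.conf above: views are tried in file order, each match-clients list is evaluated left to right, and the first matching element decides, with a "!" element rejecting the view. The contents of localnets, which BIND normally derives from the server's interfaces, and the extra 10.0.0.0/8 interface are assumptions made here.

```python
# Model (constructed, not BIND itself) of how named picks a view for a client:
# views are tried in named.conf order, each match-clients list left to right,
# and the FIRST element that matches decides; a "!" element rejects the view.
import ipaddress

# ACLs from the posted config. BIND derives "localnets" from the server's
# interfaces; here it is assumed to be the LAN plus loopback plus a second,
# constructed interface on 10.0.0.0/8 that the "lan_hosts" acl does not cover.
ACLS = {
    "lan_hosts": ["192.168.0.0/24", "127.0.0.1"],
    "localnets": ["192.168.0.0/24", "127.0.0.0/8", "10.0.0.0/8"],
    "any": ["0.0.0.0/0"],
}
VIEWS = [
    ("internal", ["lan_hosts"]),
    ("external", ["!localnets", "any"]),
]

def acl_matches(ip, element):
    """True if ip is inside a named acl (recursively) or a literal prefix."""
    if element in ACLS:
        return any(acl_matches(ip, e) for e in ACLS[element])
    return ip in ipaddress.ip_network(element, strict=False)

def select_view(client_ip, views=VIEWS):
    """Name of the view that answers client_ip, or None (BIND would refuse)."""
    ip = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        for element in match_clients:
            if acl_matches(ip, element.lstrip("!")):
                if element.startswith("!"):
                    break          # negated match: this view rejects the client
                return name        # positive match: this view answers
    return None
```

A host on the assumed 10.0.0.0/8 interface is inside localnets but not in lan_hosts, so neither view accepts it; that is the kind of gap a split-horizon setup should be checked for before going live.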
#8
19th April 2011, 16:52
ncoc.nl (Member)

The firewall thing wasn't meant for your firewall; the first thing is opening this port for accessing your site. What I mean is that when hardening outbound traffic (as I do for companies) you only allow regular ports like http and https to access the outside world, and 50443 is not in this list.

What is the goal of your DNS config? I notice several subnets; can you provide some more info?
#9
19th April 2011, 19:10
serkejal (Junior Member)

Thanks for the answers.
I used that port just because it is not a conventional port (actually that is the port recommended by the tutorial; I've put another), so it is more difficult for an attacker to get to the ISPConfig login page, and a sniff shows the port open without being able to say what service it is (in theory).
Certainly, in the case of a corporate network that passes through proxies and firewalls that also filter outgoing ports, it could be a problem, but in any case I think that should be studied for the special case...
For now my configuration is only meant to learn the dynamics of a LAMP server and do a bit of practice; my server runs on a virtual machine on a desktop host...
About BIND, I posted an example found on the internet; I see that a single DNS server can act for both internal and external networks when specially configured... I want to change the hosts file of the various PCs on the network; for now I did it only for the one on which I work....