Using SSL with ISPConfig3

[pfahrun]

Dear ISPConfig3 admins,

I installed my ISPConfig3 recently on a Debain server based on the common HowTo HowTo.

Everything is working fine (PureFTPd, Postfix, Apache2, etc.). However I am experiencing trouble in using SSL on a website. I followed this instruction - but it will not work properly. As outlined in the instruction and the manual I assigned the server IP to the website. Although SSL is working now, I cannot reach my other websites, which i configured in ISPConfig3. I get always reditirected to the SSL website. If I leave the IP, SSL is not working, but at least my other websites are working.

Do you have any idea how to solve it? It is driving me crazy...

System:
Debian Server on a virtual machine with VMWare | One unique physical IP

In the following you find the config Files.
httpd.conf - kein Inhalt

port.conf

Code:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

ISPConfig.config

Code:

################################################
# ISPConfig Logfile configuration for vlogger
################################################

LogFormat "%v %h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m%d-access.log\" -d \"/etc/vlogger-dbi.conf\" /var/log/ispconfig/httpd" combined_ispconfig

<Directory /var/www/clients>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

# Do not allow access to the root file system of the server for security reasons
<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<Directory /var/www/conf>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

# Except of the following directories that contain website scripts
<Directory /usr/share/phpmyadmin>
        Order allow,deny
        Allow from all
</Directory>

<Directory /usr/share/phpMyAdmin>
        Order allow,deny
        Allow from all
</Directory>

<Directory /usr/share/squirrelmail>
        Order allow,deny
        Allow from all
</Directory>

# allow path to awstats and alias for awstats icons
<Directory /usr/share/awstats>
        Order allow,deny
        Allow from all
</Directory>

Alias /awstats-icon "/usr/share/awstats/icon"


NameVirtualHost *:80 
NameVirtualHost *:443

vhost file for the SSL website:

Code:

    # suexec enabled
    SuexecUserGroup web8 client1
    # Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
    </FilesMatch>
    # php as fast-cgi enabled
	# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        IdleTimeout 300
        ProcessLifeTime 3600
        # MaxProcessCount 1000
        DefaultMinClassProcessCount 0
        DefaultMaxClassProcessCount 100
        IPCConnectTimeout 3
        IPCCommTimeout 360
        BusyTimeout 300
    </IfModule>
    <Directory /var/www/login1.tld/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/clients/client1/web8/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>


    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId web8 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
	  # Do not execute PHP files in webdav directory
      <Directory /var/www/clients/client1/web8/webdav>
	    <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      # DO NOT REMOVE THE COMMENTS!
      # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
      # WEBDAV END
    </IfModule>


</VirtualHost>
<VirtualHost *:443>
      DocumentRoot /var/www/login1.tld/web
  
    ServerName login1.tld
    ServerAlias www.login1.tld
    ServerAdmin webmaster@login1.tld

    ErrorLog /var/log/ispconfig/httpd/login1.tld/error.log


    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
	SSLEngine on
    SSLCertificateFile /var/www/clients/client1/web8/ssl/login1.tld.crt
    SSLCertificateKeyFile /var/www/clients/client1/web8/ssl/login1.tld.key
    </IfModule>
    <Directory /var/www/login1.tld/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/clients/client1/web8/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>



    # suexec enabled
    SuexecUserGroup web8 client1
    # Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
    </FilesMatch>
    # php as fast-cgi enabled
	# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        IdleTimeout 300
        ProcessLifeTime 3600
        # MaxProcessCount 1000
        DefaultMinClassProcessCount 0
        DefaultMaxClassProcessCount 100
        IPCConnectTimeout 3
        IPCCommTimeout 360
        BusyTimeout 300
    </IfModule>
    <Directory /var/www/login1.tld/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/clients/client1/web8/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>


    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId web8 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
	  # Do not execute PHP files in webdav directory
      <Directory /var/www/clients/client1/web8/webdav>
	    <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      # DO NOT REMOVE THE COMMENTS!
      # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
      # WEBDAV END
    </IfModule>


</VirtualHost>

[pfahrun]

Warum ist die httpd.conf eigetnlcih leer? Ist das normal bei ISPConfig3?

[till]

Dont mix * and IP in the website settings. Set all websites to use the IP address and not *.

Quote:

Warum ist die httpd.conf eigetnlcih leer? Ist das normal bei ISPConfig3?

Thats normal on Debian Linux and not related to ISPConfig. The file exists on Debian for legacy reasons and is not used anymore.

[pfahrun]

Thank you Till.

I assigned the IP to all websites. But I still have the weird problem that independently from the entered domain only one (my joomla page) is opened. Except when I use the prefix https:// for my ssl website - Than the website will be opened. Any ideas?

I associated the domains with the IP address of my server in the host file of my windows client (C:\Windows\System32\drivers\etc) to access the websites. I do not think that there is something wrong as it worked fine without SSL.

[till]

SSL is a IP based protocol, so when you use https, then the only ssl based website will get opned that is defoned on that IP. The domain name does not matter here.

If you use http, then apache should show the website based on the Domain name. You should ensure that all domains point to that IP in dns and that they have a a record for the domain and a a or cname record for the www subdomain and that auto subdomain www is enabled in the website in all sites.

The behaviour that I described here is the normal behaviour of apache when you use ssl, for that reason you use normally a dedicated IP address for the SSL website which is not used by any other site.

[pfahrun]

It is kind of weird - even if I disable SSL and assign IPs to my various webistes only the first website, I assigned the IP to is shown for every domain. Kind of funny that it is working (without SSL) if I use * for the IP....I have the feeling ISPConfig 3 attempts to drive me crazy...

Do I realy need to use DNS? TO be honest I have no idea how to configure it properly. What do I enter for ns1 and ns2?

Thank you very much in advance.

[pfahrun]

I also added DNS entries for every domain - still nothing is working. A ssoon as I use the static IP for one website every domain request shows the same website....I have no clue what I am doing wrong

[falko]

Can you check if your hostnames/domains point to the correct IP addresses? You can check like this:

Code:

dig www.yourdomain.com