Force https

[cfoe]

Hi ISPConfig Devs,

I am currently in the re-customization phase after the latest ISPConfig 3 Update.

I am using a .htaccess file to enforce SSL on the subdomain of the control-panel. For me this is not the most elegant way of solving the problem.
Roundcube has a nice variable called "force_https". If it is true ssl is enforced.

The implementation in the index.php (of Roundcube 0.8 beta):

Code:

// check if https is required (for login) and redirect if necessary
if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
  $https_port = is_bool($force_https) ? 443 : $force_https;
  if (!rcube_https_check($https_port)) {
    $host  = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
    $host .= ($https_port != 443 ? ':' . $https_port : '');
    header('Location: https://' . $host . $_SERVER['REQUEST_URI']);
    exit;
  }
}

This way it would work "out-of-the-box" without .htaccess file in Apache and nginx.
I hope this could be taken into consideration for the next minor release.

Feature Request: http://bugtracker.ispconfig.org/inde...ls&task_id=215

Greatings from Germany,
Christian

[till]

Roundcube and its code is not part of ispconfig. So if you need a change in the roundcuvbe index file, then you might want to post your feature request in the roundcube bugtracker,

[cfoe]

The Code is just an example for inspiration for ISPConfig. It is the implementation of Roundcube.
I just wanted to emphasize how it could be done independently from the used webserver.

[wichu]

I would rather suggest that an option would be implemented into the user-interface to force SSL with this statement in the vhost-file:

Code:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

[cfoe]

Your solution is not bad for Apache. Do you have the rules for nginx?
With the info the feature might be half done.
Integration should be easy. For an experienced dev like the ispc folks

[till]

The problem is that neither the php code nor the apache rewrite rule will work for this purpose on a ispconfig setup. The reason is that the ispconfig controlpanel uses port based ssl and that ispconfig is not installed into a website like a webmail client like roundcube. ISPconfig runs on a dedicated port like 8080 and this port supports either ssl or plain http but not both. So you can only connect to ispconfig with ssl or without ssl, switching between ssl and non ssl with a rewrite rule or php code will not work as there is no option to switch to.

Switching to ssl can only work if you installed ispconfig on a dedicated IP address on port 443 and when port 80 on the same IP address is enabled as well. But that not the case in any default install as most poeple dont have any spare dedicated IPv4 adresses that they want to use for the controlpanel only without hosting any websites on it.

[wichu]

Yes, my solution would only work for Apache, but after a quick search I found this:

http://serverfault.com/questions/250...o-ssl-in-nginx

Code:

rewrite     ^   https://$server_name$request_uri? permanent;

[cfoe]

You could add the combined code here:
http://bugtracker.ispconfig.org/inde...t=3&opened=799

[wichu]

I'm hosting my ISPConfig Admin-Panel through the webserver (a separate instance of ISPConfig) on Apache and through the mod_proxy module.

It is a bit complicated, but it works.

[cfoe]

Quote:

Originally Posted by till

The problem is that neither the php code nor the apache rewrite rule will work for this purpose on a ispconfig setup. The reason is that the ispconfig controlpanel uses port based ssl and that ispconfig is not installed into a website like a webmail client like roundcube. ISPconfig runs on a dedicated port like 8080 and this port supports either ssl or plain http but not both. So you can only connect to ispconfig with ssl or without ssl, switching between ssl and non ssl with a rewrite rule or php code will not work as there is no option to switch to.

Switching to ssl can only work if you installed ispconfig on a dedicated IP address on port 443 and when port 80 on the same IP address is enabled as well. But that not the case in any default install as most poeple dont have any spare dedicated IPv4 adresses that they want to use for the controlpanel only without hosting any websites on it.

You are totally right. I did not thing about the 8080 port-config of the default install.
I use ISCP on a server on port 80+443 on an IPv4 but the IP is still usable for other domains via port 80. No problem there