3 Question SSL cert, https redirect, WebFtp,

Discussion in 'Installation/Configuration' started by serkejal, Apr 17, 2011.

  1. serkejal

    serkejal New Member

    4 Questions SSL cert, https redirect, WebFtp,Bind

    Hi, i have 4 questions about configuration of secure access,web ftp and bind views

    1) i've created a SSL cert and redirected the http address for roundcube and phpmyadmin on https and everything is all right. But when a user visits a site created with Ispconfig to acces to the webmail (e.g. http://www.example.com/webmail) the browser will redirect to https correctly but alert the user that the CN of cert doesn't match the site this is because the CN is the main site or the common name of the server. what can i do?would be possibile to redirect all site/webmail to mainsite/webmail to avoid the alert that CN doesn't match?
    1a) when i set ssl for a domain , it can be accessed either via http and https , How can i restric to only https?

    2) when a user visits the panel ISPConfig via the http is shown a page that warns you to use https ... is possible redirect to https automatically?

    3) Can u tell me a good webFTP client compatible with ispconfig?

    4) Can i configure Bind for internal and external "view" through Ispconfig?

    to create a cert and to redirect traffic i used this post and this tutorial
     
    Last edited: Apr 17, 2011
  2. ncoc.nl

    ncoc.nl New Member

    The redirection from http to https can be done in different ways, the first option(s) I think about:

    Create a subdomain redirecting to your https site.
    Put a php or html page redirecting to your https sit, e.g.:

    PHP:
    <?php 
    Header
    ("Location: https://yourmainsite/webmail");
    ?>
    regards,
    Ronald
     
  3. serkejal

    serkejal New Member

    i use to redirect to https the mod_rewrite and mod_ssl in apache configuration file of roundcube and phpmyadmin..the problem is that i want redirect all domain.com/webmail to maindomain.com/webmail (or deactive the access from domain.com/webmail) to pass the ssl check on Common Name..
    your solution is good for a subdomain like webmail.domain.com...and the use of a redirect in php or html don't redirect all http query to https but only a particular query..
     
  4. ncoc.nl

    ncoc.nl New Member

    Hi,

    Another possibilty is an .htaccess file:

    Redirect 301 /webmail https://your mainsite/webmail

    Not that nice but it's working
     
  5. serkejal

    serkejal New Member

    I found another way... from this tutorial i have changed this part
    Code:
    <IfModule mod_rewrite.c>
      <IfModule mod_ssl.c>
        <Location /webmail>
          RewriteEngine on
          RewriteCond %{HTTPS} !^on$ [NC]
          RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI}  [L]
        </Location>
      </IfModule>
    </IfModule>
    
    to this.
    Code:
    <IfModule mod_rewrite.c>
      <IfModule mod_ssl.c>
        <Location /webmail>
          RewriteEngine on
          RewriteCond %{HTTPS} !^on$ [NC,OR]
          RewriteCond %{HTTP_HOST} !^my\.main\.domain:50443 [NC]
          RewriteRule  . https://my.main.domain:50443%{REQUEST_URI} [R,L]
        </Location>
      </IfModule>
    </IfModule>
    
    so all domains/webmail is redirected to maindomain/webmail ..
    now all the http requests are redirected properly, without certification problems.
    otherwise https requests made ​​directly to domain/webmail before being redirected verify the certificate..and give the above error ...I do not think there is a solution ...
    Is it ,in these cases, useful to have a wildcard certificate?
    can I disable access to ISPConfig RoundCube, phpmyadmin on other domain to force everyone to pass from the primary domain?

    and then are also other questions ;)
     
  6. ncoc.nl

    ncoc.nl New Member

    There could be a problem with your solution: firewall issues
    What if the choosen port (50443) is blocked?

    About your other questions:

    I don't use webftp so in this case I do not have an answer.
    About your bind question, what do you mean by "Can i configure Bind for internal and external "view" through Ispconfig?"

    Possibly the answer is as followed, for ip4 you can add the line:

    listen-on { any; };

    in /etc/bind/named.conf.options.

    This will force bind to listen on all ip addresses (including localhost)

    Regards,
    Ronald
     
  7. serkejal

    serkejal New Member

    i open the port on my router and firewall (also software) and i don't have any problem with incoming connection, i think that nobody block outcoming traffic on a port....

    for bind i mean a configuration like this
    Code:
    Example named.conf
    
    // This is the primary configuration file for the BIND DNS server named.
    // This is for example only
    
    acl "dns_slaves" {
    	172.16.1.2;				# IP of the slave DNS nameserver
    	172.16.101.2				# ditto
    };
    
    acl "lan_hosts" {
    	192.168.0.0/24;				# network address of your local LAN
    	127.0.0.1;				# allow loop back
    };
    
    options {					# this section sets the default options
    	directory "/etc/namedb"			# directory where the zone files will reside
    	listen-on {
    		192.168.0.1;			# IP address of the local interface to listen
    		127.0.0.1;			# ditto
    	};
    	auth-nxdomain no;			# conform to RFC1035
    	allow-query { any; };			# allow anyone to issue queries
    	recursion no;				# disallow recursive queries unless over-ridden below
    	version "0";				# obscures version reporting - can't hurt
    };
    
    key "rndc-key" {
            algorithm hmac-md5;
            secret "nOzUd7+Hwdq6k6CQq7SbDw==";	# DO NOT USE THIS KEY - example only
    };
    
    controls {
            inet 127.0.0.1 allow { localhost; }
            keys { rndc-key; };
    };
    
    view "internal" {
            match-clients { lan_hosts; };		# match hosts in acl "lan_hosts" above
            recursion yes;				# allow recursive queries
            notify no;				# disable AA notifies
    
            // prime the server with knowledge of the root servers
            zone "." {
                    type hint;
                    file "db.root";
            };
            // be authoritative for the localhost forward and reverse zones, and for
            // broadcast zones as per RFC 1912
            zone "localhost" {
                    type master;
                    file "db.local";
            };
            zone "127.in-addr.arpa" {
                    type master;
                    file "db.127";
            };
            zone "0.in-addr.arpa" {
                    type master;
                    file "db.0";
            };
            zone "255.in-addr.arpa" {
                    type master;
                    file "db.255";
            };
            zone "example.com" {
                    type master;
                    file "internal/example.com.zone";
            };
    };
    
    view "external" {
    
    	// "localnets" and "any" are special reserved words
    	// "localnets" mean any network address (as opposed to host address) configured
    	// on the local network interfaces - "!" means to negate
            match-clients { !localnets; any; };
            recursion no;			# disallow recursive queries
            allow-transfer { dns_slaves; };	# allow "hosts in act "dns_slaves" to transfer zones
    
            zone "example.com" {
                    type master;
                    file "external/example.com.zone";
            };
    };
     
  8. ncoc.nl

    ncoc.nl New Member

    The firewall thing wasn't meant for your firewall, the first thing is opening this port for accessing your site. What I mean is that when harding outbound traffic (as I do for companies) is only allow regular ports like http and https
    to access the outside world, 50443 is not in this list.

    What is the goal of your DNS config, I notice several subnets, can you provide some more info?
     
  9. serkejal

    serkejal New Member

    thanks for answers ..
    I used that door just because it is not a conventional door (actually that is the door recommended by the tutorial, I've put another;) ), so it is more difficult to get the ISPConfig login page for an attacker , and a sniff show the door open without being able to say that service is (in theory).
    certain that in the case of a corporate network that passes through proxies and firewalls are also filter outgoing ports could be a problem, but in any case I think that should be studied for the special case ...
    for now my configuration is only meant to know the dynamics of a LAMP server and do a bit of practice, my server runs on a virtual machine on a desktop host...
    About bind I posted an example found on internet, i see that a single Dns Server can act for both internal and external network, when specially configured ... I'm want to change the host file of the various PCs on the network :D for now I did for only one on which i work ....
     

Share This Page