howto implement ssl

Discussion in 'Tips/Tricks/Mods' started by menahem, Feb 22, 2011.

  1. menahem

    menahem Member

  2. falko

    falko Super Moderator ISPConfig Developer

    I haven't tried this. I guess you will have to change your vhost configurations manually (maybe it can also be done using ISPConfig's Apache Directives field).
     
  3. menahem

    menahem Member

    falko,

    It is working but i need your eyes over it to help me do it on another server.
    What i did is:
    preliminary notes:

    A. I used ispconfig manual in order to have SSL configured.
    B. The server i used has 1 IP address with numerous virtual hosts on it. That meas that (With accordance to the ispconfig manual) only one Vhost can have the SSL certificate.

    The Howto:
    I set to one of the Vhosts it own SSL certificate.
    then:
    Code:
    vi /etc/apache2/sites-available/default-ssl
    And chanced it from:
    Code:
    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
    	ServerAdmin webmaster@localhost
    	
    	DocumentRoot /var/www/
    	<Directory />
    		Options FollowSymLinks
    		AllowOverride None
    	</Directory>
    	<Directory /var/www/>
    		Options Indexes FollowSymLinks MultiViews
    		AllowOverride None
    		Order allow,deny
    		allow from all
    	</Directory>
    
    to:
    Code:
    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
    	ServerAdmin webmaster@localhost
    	
    	DocumentRoot /var/www/example.com/web
    	<Directory />
    		Options FollowSymLinks
    		AllowOverride None
    	</Directory>
    	<Directory /var/www/example.com/web>
    		Options Indexes FollowSymLinks MultiViews
    		AllowOverride None
    		Order allow,deny
    		allow from all
    	</Directory>
    
    And then restarted apache with:
    Code:
    /etc/init.d/apache2 restart
    I ended with the following:
    When ever i do https://example.com, i get an answer feom the server and everything looks o.k. - But: when ever i do https://hostname.com i am redirected by the server to example.com or ,if you like, to /var/www/example.com/web.
    As far as i can see with this server configuration only one Vhost can have SSL access because there is only 1 SSL certificate to it IP address.
    That is fine.

    Now i need your help/opinion regarding another server who have 4 ip address and many Vhosts on any IP address. This server is a production server and i do not and can not play with it.

    I think that it can be done by adding multiple data to default-ssl it might look like this (but i am not shure about that):
    Code:
    <VirtualHost _default_:443>
    	ServerAdmin webmaster@localhost
    	
    	DocumentRoot /var/www/example.com/web
    	<Directory />
    		Options FollowSymLinks
    		AllowOverride None
    	</Directory>
    	<Directory /var/www/example.com/web>
    		Options Indexes FollowSymLinks MultiViews
    		AllowOverride None
    		Order allow,deny
    		allow from all
    	</Directory>
    <VirtualHost _default_:443>
    	ServerAdmin webmaster@localhost
    	
    	DocumentRoot /var/www/domain.com/web
    	<Directory />
    		Options FollowSymLinks
    		AllowOverride None
    	</Directory>
    	<Directory /var/www/domain.com/web>
    		Options Indexes FollowSymLinks MultiViews
    		AllowOverride None
    		Order allow,deny
    		allow from all
    	</Directory>
    <VirtualHost _default_:443>
    	ServerAdmin webmaster@localhost
    	
    	DocumentRoot /var/www/domain2.com/web
    	<Directory />
    		Options FollowSymLinks
    		AllowOverride None
    	</Directory>
    	<Directory /var/www/domain2.com/web>
    		Options Indexes FollowSymLinks MultiViews
    		AllowOverride None
    		Order allow,deny
    		allow from all
    	</Directory>
    
    Thank`s for your help. Please advice.
    Menahem
     
  4. i-chat

    i-chat New Member

    would it be posible to include a patch that we can apply to the code (or a module of some kind) to be able to do this standaard for all users.

    an alternative option - but im not sure if that could even work, would be to allow both methods,

    sinse we already have 1ip we might want to enable default ssl for the ISPConfig pannel so that we're sure that that's always safe (including older browsers),

    > we could enable it on a non default port as webmin or plesk has it.
    so you would do server1.mywebhostingcompany.com:12322/ to get to your ssl protected management panel, and we could than still use sni on port 433 (with a warning (or a gracefull degradation), to users who want there websites protected.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats what ISPConfig is doing already, you can enable ssl when you run a ispconfig update on your system in the ispconfig installer. You dont need the approach described above for that, as you can rin as many ssl certs as you like with openssl when they use different ports. The above approach is only about using multi ssl certs on the same port and same IP.
     
  6. i-chat

    i-chat New Member

    sorry if i wasn't being clear enought, what i meen is, 1cert to rule them all (no really, just for the admin interface), and SNI for the rest of it.

    i would like to have none-sni supporting browers still at least to be able to use the admin interface, while users who dont care so mutch about backwardcompatiblillity can have ssl based websites also (for say joomla's admin interface or stuf like OScommerce.

    this however would require some php code (i think) that could manage SNI, and its certs,

    i think that ano 2011 not supporting sni is like building a website in ms word '98 it mostly works but its not what you'd expect.

    on a client side i would probly write some jscript or php+jscript warning msg that detects ms win xp, and recomends updating to at least firefox 3.6 or upgrading their os to supporting versions.
     

Share This Page