howto manually create a ssl enabled vhost?

Discussion in 'Server Operation' started by Ovidiu, Aug 7, 2006.

  1. Ovidiu

    Ovidiu Active Member

    hello,

    I was using serveralias mail.* inside /etc/apache2/apache2 so that everybody trying to access my webmail with his domain aka mail.whateverdomain hosted on my server got to the webmail but now I would like to implement hhtps access for this purpose.

    can anyone give me a step4step description?
     
  2. Ovidiu

    Ovidiu Active Member

    I have been doing some reading and found some howtos.

    one states this:
    meaning that as commonname I have to enter the exact url as it will be entered later in the browser.

    what I wnt to do is use https for my manually made virtual host which uses serveralias mail.* if I set common name to mai.myprimarydomain.com I guess all other clients using mail.theirdomain.com will get an error?
     
  3. falko

    falko Super Moderator ISPConfig Developer

    Yes, that's true.
     
  4. themachine

    themachine ISPConfig Developer ISPConfig Developer

    If you have an SSL Certificate for 'mail.primarydomain.com' you can use if for all domains (i.e. mail.whateverdomain.com...) however you will receive a *warning* message. The certificate will work, the connection will be encrypted.... but the client will receive the warning "Hostname Mismatch".

    That said, the client could simply click "continue" to continue... but we all know that even though the customer is always right, they aren't always smart... meaning... half the people will think that the page doesn't work and will then send you emails everyday until you come up with another solution.

    Personally.... I would offer this solution:

    Create the virtual host for 'mail.*' with a redirect to 'mail.primarydomain.com'. Such as:

    Code:
    <VirtualHost 192.168.1.1:80>
         ServerName mail.*
         DocumentRoot /path/to/something
         RedirectPermanent / "https://mail.primarydomain.com"
    </VirtualHost>
    
    This way, you can tell your client to go to 'http://mail.theirdomain.com' and they will seamlessly be redirected to HTTPS on the primary domain (That has a valid certificate).

    If you find you have a few clients that don't like this.... you can offer to have their own 'mail.theirdomain.com' without the redirect.... however they will have to purchase their own certificate. You can mix 'mail.whoateverdomain.com' VirtualHosts.... and also the 'mail.*' VirtualHost.... however, the catchall 'mail.*' VirtualHost must be after all of the other 'mail.whateverdomain.com' VirtualHosts.... if that makes sense.
     
  5. Ovidiu

    Ovidiu Active Member

    thx for helping,

    I'll qutoe some of your answers with questions of mine:

    the same error my clients get when they use https://theirdomain:81 or https://theirdomain:81/phpmyadmin right? I got them used to this..... as the certificate was done for https://myprimarydomain:81

    that would not be a problem like I just explained.

    by seamless what do you mean? can I have the redirect working so that the url does not change? that would confuse a user more than a warning about a certificate (talking about my experience)

    I guess I also would need more IPs for this :-(

    can you give me some more instructions? I already found a howto create ssl certificates, but I still need some more info: could you maybe paste a https enable vhost entry here? can you give me a link to a working/good certificate authority that gives away free certificates and is "well-known"?
     
  6. falko

    falko Super Moderator ISPConfig Developer

    No, the URL will change.



    Here you go:

    Code:
    <IfModule mod_ssl.c>
    <VirtualHost 1.2.3.4:443>
    ServerName secure.example.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/web2/web
    DirectoryIndex index.html index.htm index.php index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    ScriptAlias  /cgi-bin/ /var/www/web2/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web2/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    php_admin_flag safe_mode On
    php_admin_value open_basedir /var/www/web2/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web2/phptmp/
    php_admin_value session.save_path /var/www/web2/phptmp/
    AddType text/html .shtml
    AddHandler server-parsed .shtml
    SSLEngine on
    SSLCertificateFile /var/www/web2/ssl/secure.example.com.crt
    SSLCertificateKeyFile /var/www/web2/ssl/secure.example.com.key
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web2/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web2/user/$1/web/$3
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    </VirtualHost>
    </IfModule>
    Also have a look here: http://httpd.apache.org/docs/2.0/ssl/

    There's no free CA that is recognized by almost all browsers... I buy my certificates at instantssl.com, they are not that expensive.
     
  7. Ovidiu

    Ovidiu Active Member

    and there is no way to enter mail.* as common name? would that give an error everytime I typed in mail.primarydomain.com, mail.secondarydomain.com etc. ?

    ###edit###

    still curious about that question, meanwhile some others:

    I went ahead and created and signed a test certificate, then I tried using a redirect from http to https like this:

    the vhost below I modified according to falko and inserted the paths to my certificate and key. then I thought about redirecting http to https and created the vhost above, which only contains the redirect and everything works I have not noticed any problems so far but it still looks strange to me. shouldn't it have a ServerAlias or ServerNAme so that it only redirect requests coming to mail.whatever:80 to maikl.whatever:443? I would expect my server to try and redirect any request to port 443 but it does not, all sites are stilll functional, can somebody explain this behavior?

    could I not modify the rewrite rule like this :

    so that only requests to mail.whatever get rewritten? what is the most elegant alternative?
     
    Last edited: Aug 21, 2006
  8. falko

    falko Super Moderator ISPConfig Developer

    No. :(

    Yes, you should have ServerName in the first vhost.

    Are these two vhosts you added the last ones in your Apache configuration? Then all other vhosts are still operational. If they were the first ones, for example, then all requests on 85.214.51.208 would go to them.
     
  9. Ovidiu

    Ovidiu Active Member

    well actually they are not the last ones, you can have a look at my apache2.conf here: http://www.howtoforge.com/forums/showthread.php?t=6338

    thats what I find kinda strange, after these 2 vhosts the virtualhosts of ispcfg get loaded ... I expecterd you to be right that no other vhost would work, but they still do...

    so you mean I need a servername in the first one? can I use the same servername and serveralias as the second vhost uses?
     
  10. falko

    falko Super Moderator ISPConfig Developer

    Well, you first have this section:

    Code:
    <Directory /var/www/sharedip>
        Options +Includes -Indexes
        AllowOverride None
        AllowOverride Indexes AuthConfig Limit FileInfo
        Order allow,deny
        Allow from all
        <Files ~ "^\.ht">
        Deny from all
        </Files>
    </Directory>
    
    ###############ispconfig_log###############
    LogFormat "%v||||%b||||%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
    CustomLog "|/root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_%d" combined_ispconfig
    
    <Directory /var/www/*/web>
        Options +Includes -Indexes
        AllowOverride None
        AllowOverride Indexes AuthConfig Limit FileInfo
        Order allow,deny
        Allow from all
        <Files ~ "^\.ht">
        Deny from all
        </Files>
    </Directory>
    
    <Directory /var/www/*/user/*/web>
        Options +Includes -Indexes
        AllowOverride None
        AllowOverride Indexes AuthConfig Limit FileInfo
        Order allow,deny
        Allow from all
        <Files ~ "^\.ht">
        Deny from all
        </Files>
    </Directory>
    
    <Directory /var/www/*/cgi-bin>
        Options ExecCGI -Indexes
        AllowOverride None
        AllowOverride Indexes AuthConfig Limit FileInfo
        Order allow,deny
        Allow from all
        <Files ~ "^\.ht">
        Deny from all
        </Files>
    </Directory>
    then your vhosts, and then the first section again which means the vhosts from the first section are loaded before your vhosts (and afterwards they are loaded again...).
     
  11. Ovidiu

    Ovidiu Active Member

    ok, so here is my new order:
    <Directory /var/www/sharedip>...
    <Directory /var/www/*/web>...
    <Directory /var/www/*/user/*/web>...
    <Directory /var/www/*/cgi-bin>...

    then my 2 vhosts mail.* and the redirect to https

    then as a last point the vhost file of ispcfg gets included.

    is this order right?

    can I do it like this?
     
  12. falko

    falko Super Moderator ISPConfig Developer

    I'd put your vhosts right at the end, because otherwise you'll get problems with ISPConfig updates (because the installer is looking exactly for the configuration that was added when ISPConfig was installed the first time).



    I think so.
     

Share This Page