ISPConfig Interface - Subdomain + SSL

Discussion in 'ISPConfig 3 Priority Support' started by arraken, Feb 7, 2014.

  1. arraken

    arraken Member HowtoForge Supporter

    Hi!

    I have a wildcard class 2 certificate from StartSSL for the Domain where I host my ISPConfig Interface. I managed to secure the Interface following this tutorial. http://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl

    So I can now access https://web1.mydomain.tld:8080 and get a nice green symbol in my browser bar. However, I want to be able to login with https://ispconfig.mydomain.tld.

    I already managed to do this without ssl on another server.

    I created a website ispconfig.mydomain.tld and put the following in the apache directives:
    Code:
    ProxyRequests Off
    
    <Proxy *>
      Order deny,allow
      Allow from all
    </Proxy>
    
    ProxyPass / http://ispconfig2.keplerlabs.at:8080/
    ProxyPassReverse / http://ispconfig2.keplerlabs.at:8080/

    With SSL I don't know how to do it however. I tried to just use "https" instead of "http" in the apache directive, but that didn't work.

    I also don't know what I have to put into the fields in the "SSL" tab. Do I just have to copy my class2-certificate.crt into the SSL Certificate field, or do I also need the Key and CSR files?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You will have to enable ssl in that website, then copy the ssl key, cert and bundle into the fields on the ssl tab of the website and select "save certificate" as action.
     
  3. arraken

    arraken Member HowtoForge Supporter

    Ok, I did that, but i get the following error in the browser, when i go to https://ispconfig.mydomain.tld

    "SSL Verbindungsfehler
    Es kann keine sichere Verbindung zum Server hergestellt werden. Möglicherweise liegt ein Problem mit dem Server vor oder es ist ein Client-Authentifizierungszertifikat erforderlich, das Sie nicht haben.
    Fehlercode: ERR_SSL_PROTOCOL_ERROR"

    I pasted this into the bundle field: https://www.startssl.com/certs/ca-bundle.pem

    In the key field, I tried both, the key with password, and the key without password, but both didnt work.

    also, in my ssl-folder on the server, "*.err" files are created. (e.g. ispconfig.mydomain.tld.crt.err...)
     
  4. arraken

    arraken Member HowtoForge Supporter

    Allright, I got it working. My mistake was, that i used the password protected private key, and not the one without a passphrase.

    I then got different errors with proxy_module and SSLProxyEngine, which was easy to solve after some logfile-checking.

    So, for my future self, and other ISP-Configurers who might be interested: Here's what I did to make the ISPConfig Interface available via subdomain, using SSL, e.g.: https://ispconfig.mydomain.tld.


    1. First, setup your SSL Certificate for the ISPConfig Interface like so: http://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl
    2. Install and activate apache proxy module. Make sure your proxy_module also loads proxy_http_module (discussed here: http://www.forums.serverwatch.com/showthread.php?16887-mod_proxy-problem. You can check with
      Code:
      apache2ctl -M | grep proxy
    3. Create a new website in ISPConfig (e.g. ispconfig.mydomain.tld)
    4. Enable SSL and paste your key (without passphrase), certificate and ca-bundle into the appropriate fields in the SSL-tab. Use "save certificate" as SSL-Action.
    5. Go to the "Options" tab and put the following in the "Apache Directives" field:
      Code:
      ProxyRequests Off
      SSLProxyEngine On
      
      <Proxy *>
        Order deny,allow
        Allow from all
      </Proxy>
      
      ProxyPass / https://ispconfig.mydomain.tld:8080/
      ProxyPassReverse / https://ispconfig.mydomain.tld:8080/
      
    6. If you also want to redirect all http traffic to https, add this to the Apache Directives field:
      Code:
      RewriteEngine on
      RewriteCond %{SERVER_PORT} !^443$
      RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R] 
     
  5. arraken

    arraken Member HowtoForge Supporter

    Ok, after i successfully handled this in apache, I need to achieve the same configuration in nginx...

    So, to reiterate: I want to be able to access the ISPConfig admin panel via "https://ispconfig.mydomain.tld", but this time on an nginx installation. Above I summarized how to do this with apache, but I have been unable to reproduce this on the nginx server, because I don't know how to translate the apache directive into nginx directives.

    Any help would be very appreciated!
     
  6. arraken

    arraken Member HowtoForge Supporter

    Ok, I'm having a first success with this nginx directive:

    Code:
    location / {
      proxy_pass        http://ispconfig.mydomain.tld:8080/;
      proxy_set_header  X-Real-IP  $remote_addr;  
      # original host uses built-in $host variable, replace it with desired name
      # proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_set_header  Host       ispconfig.mydomain.tld/
    }
    
    
    however, when I go to ispconfig.mydomain.tld in my browser, the :8080 is still added to the url - it would be nicer if this could be removed shomehow. Any ideas?
     
  7. arraken

    arraken Member HowtoForge Supporter

    Ok, I did some additional configuration to make it work for my phpmyadmin and roundcube interfaces as well. Here's my configuration that let's my users connect to the following urls:

    ispconfig.example.tld
    ispconfig.example.tld/webmail
    ispconfig.example.tld/roundcube
    ispconfig.example.tld/phpmyadmin

    All this urls get rewritten to https://url:PortNr

    First, do points 1 and 3 from the apache "tutorial" I described above. (points 2 and 4 are not necessary with nginx)

    Put the following into the nginx-directives field under the options tab of your ispconfig.example.tld website:

    Code:
     location / {
              proxy_pass        http://ispconfig.example.tld:8080/;
              proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header  Host       ispconfig.example.tld;
            }
    
            location /roundcube {
                include proxy_params;
                proxy_pass http://ispconfig.example.tld:8081/roundcube;
            }
    
            location /phpmyadmin {
                include proxy_params;
                proxy_pass http://ispconfig.example.tld:8081/phpmyadmin;
            }
    
     location /webmail {
                        include proxy_params;
                        proxy_pass http://ispconfig.example.tld:8081/webmail;
            }
    

    I've also had to make some changes in the apps.vhost file (changes are in bold). Be aware that ispconfig will overwrite the apps.vhost file if you update ISPConfig for example. There are better ways to make changes here (include an extra vhost-file for example..) but I don't really need that, because I use puppet to manage this file.

    Code:
    server {
            listen 8081;
    
            server_name _;
    
            root   /var/www/apps;
    
            client_max_body_size 20M;
    
    
    
            [B] #ssl cert
             ssl on;
             ssl_certificate   /usr/local/ispconfig/interface/ssl/ispserver.pem;
             ssl_certificate_key   /usr/local/ispconfig/interface/ssl/ispserver.key;
    
             # redirect to https if accessed with http
                    error_page 497 https://$host:8081$request_uri;[/B]
    
            location / {
                   index index.php index.html;
            }
    
            # serve static files directly
            location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
                   access_log        off;
            }
    
            location ~ \.php$ {
                   try_files $uri =404;
                   fastcgi_param   QUERY_STRING            $query_string;
                   fastcgi_param   REQUEST_METHOD          $request_method;
                   fastcgi_param   CONTENT_TYPE            $content_type;
                   fastcgi_param   CONTENT_LENGTH          $content_length;
    
                   fastcgi_param   SCRIPT_FILENAME         $request_filename;
                   fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
                   fastcgi_param   REQUEST_URI             $request_uri;
                   fastcgi_param   DOCUMENT_URI            $document_uri;
                   fastcgi_param   DOCUMENT_ROOT           $document_root;
                   fastcgi_param   SERVER_PROTOCOL         $server_protocol;
    
                   fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
                   fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
    
                   fastcgi_param   REMOTE_ADDR             $remote_addr;
                   fastcgi_param   REMOTE_PORT             $remote_port;
                   fastcgi_param   SERVER_ADDR             $server_addr;
                   fastcgi_param   SERVER_PORT             $server_port;
                   fastcgi_param   SERVER_NAME             $server_name;
    
                   fastcgi_param   HTTPS                   $https;
    
                   # PHP only, required if PHP was built with --enable-force-cgi-redirect
                   fastcgi_param   REDIRECT_STATUS         200;
                   fastcgi_pass unix:/var/lib/php5-fpm/apps.sock;
                   fastcgi_index index.php;
                   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                   #fastcgi_param PATH_INFO $fastcgi_script_name;
                   fastcgi_buffer_size 128k;
                   fastcgi_buffers 256 4k;
                   fastcgi_busy_buffers_size 256k;
                   fastcgi_temp_file_write_size 256k;
    
    
    
            }
    
            location ~ /\. {
                   deny  all;
            }
    
            location /phpmyadmin {
                   root /usr/share/;
                   index index.php index.html index.htm;
                   location ~ ^/phpmyadmin/(.+\.php)$ {
                           try_files $uri =404;
                           root /usr/share/;
                           fastcgi_param   QUERY_STRING            $query_string;
                           fastcgi_param   REQUEST_METHOD          $request_method;
                           fastcgi_param   CONTENT_TYPE            $content_type;
                           fastcgi_param   CONTENT_LENGTH          $content_length;
    
                           fastcgi_param   SCRIPT_FILENAME         $request_filename;
                           fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
                           fastcgi_param   REQUEST_URI             $request_uri;
                           fastcgi_param   DOCUMENT_URI            $document_uri;
                           fastcgi_param   DOCUMENT_ROOT           $document_root;
                           fastcgi_param   SERVER_PROTOCOL         $server_protocol;
    
                           fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
                           fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
    
                           fastcgi_param   REMOTE_ADDR             $remote_addr;
                           fastcgi_param   REMOTE_PORT             $remote_port;
                           fastcgi_param   SERVER_ADDR             $server_addr;
                           fastcgi_param   SERVER_PORT             $server_port;
                           fastcgi_param   SERVER_NAME             $server_name;
    
                           fastcgi_param   HTTPS                   $https;
    
                           # PHP only, required if PHP was built with --enable-force-cgi-redirect
                           fastcgi_param   REDIRECT_STATUS         200;
                           # To access phpMyAdmin, the default user (like www-data on Debian/Ubuntu) must be used
                           fastcgi_pass 127.0.0.1:9000;
                           #fastcgi_pass unix:/var/run/php5-fpm.sock;
                           fastcgi_index index.php;
                           fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                           fastcgi_buffer_size 128k;
                           fastcgi_buffers 256 4k;
                           fastcgi_busy_buffers_size 256k;
                           fastcgi_temp_file_write_size 256k;
                           fastcgi_read_timeout 240;
    
                   }
                   location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                           root /usr/share/;
                   }
            }
            location /phpMyAdmin {
                   rewrite ^/* /phpmyadmin last;
            }
    
            location /roundcube {
                   root /var/lib/;
                   index index.php index.html index.htm;
                   location ~ ^/roundcube/(.+\.php)$ {
                           try_files $uri =404;
                           root /usr/share/;
                           fastcgi_param   QUERY_STRING            $query_string;
                           fastcgi_param   REQUEST_METHOD          $request_method;
                           fastcgi_param   CONTENT_TYPE            $content_type;
                           fastcgi_param   CONTENT_LENGTH          $content_length;
    
                           fastcgi_param   SCRIPT_FILENAME         $request_filename;
                           fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
                           fastcgi_param   REQUEST_URI             $request_uri;
                           fastcgi_param   DOCUMENT_URI            $document_uri;
                           fastcgi_param   DOCUMENT_ROOT           $document_root;
                           fastcgi_param   SERVER_PROTOCOL         $server_protocol;
    
                           fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
                           fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
    
                           fastcgi_param   REMOTE_ADDR             $remote_addr;
                           fastcgi_param   REMOTE_PORT             $remote_port;
                           fastcgi_param   SERVER_ADDR             $server_addr;
                           fastcgi_param   SERVER_PORT             $server_port;
                           fastcgi_param   SERVER_NAME             $server_name;
    
                           fastcgi_param   HTTPS                   $https;
    
                           # PHP only, required if PHP was built with --enable-force-cgi-redirect
                           fastcgi_param   REDIRECT_STATUS         200;
                           # To access SquirrelMail, the default user (like www-data on Debian/Ubuntu) must be used
                           fastcgi_pass 127.0.0.1:9000;
                           #fastcgi_pass unix:/var/run/php5-fpm.sock;
                           fastcgi_index index.php;
                           fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                           fastcgi_buffer_size 128k;
                           fastcgi_buffers 256 4k;
                           fastcgi_busy_buffers_size 256k;
                           fastcgi_temp_file_write_size 256k;
                   }
                   location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                           root /var/lib/;
                   }
            }
            location /webmail {
                   rewrite ^/* /roundcube last;
            }
    
            location /cgi-bin/mailman {
                   root /usr/lib/;
                   fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
                   fastcgi_param   QUERY_STRING            $query_string;
                   fastcgi_param   REQUEST_METHOD          $request_method;
                   fastcgi_param   CONTENT_TYPE            $content_type;
                   fastcgi_param   CONTENT_LENGTH          $content_length;
    
                   fastcgi_param   SCRIPT_FILENAME         $request_filename;
                   fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
                   fastcgi_param   REQUEST_URI             $request_uri;
                   fastcgi_param   DOCUMENT_URI            $document_uri;
                   fastcgi_param   DOCUMENT_ROOT           $document_root;
                   fastcgi_param   SERVER_PROTOCOL         $server_protocol;
    
                   fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
                   fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
    
                   fastcgi_param   REMOTE_ADDR             $remote_addr;
                   fastcgi_param   REMOTE_PORT             $remote_port;
                   fastcgi_param   SERVER_ADDR             $server_addr;
                   fastcgi_param   SERVER_PORT             $server_port;
                   fastcgi_param   SERVER_NAME             $server_name;
    
                   fastcgi_param   HTTPS                   $https;
    
                   # PHP only, required if PHP was built with --enable-force-cgi-redirect
                   fastcgi_param   REDIRECT_STATUS         200;
                   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                   fastcgi_param PATH_INFO $fastcgi_path_info;
                   fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
                   fastcgi_intercept_errors on;
                   fastcgi_pass unix:/var/run/fcgiwrap.socket;
            }
    
            location /images/mailman {
                   alias /usr/share/images/mailman;
            }
    
            location /pipermail {
                   alias /var/lib/mailman/archives/public;
                   autoindex on;
            }
    If you want the links which lead to phpmyadmin and webmail in the ispconfig interface to work with ispconfig.example.tld, you need to make some changes in System->Main Config. My PhpMyAdmin URL goes like this for example: https://ispconfig.example.tld:8081/phpmyadmin

    I don't know if this is the ideal solution, or if there are some things you can do better / more easy, but so far it works for me. If anybody has any corrections or better solutions, please feel free to correct me. :)
     

Share This Page