Secure a website with client-side ssl certification

Discussion in 'Installation/Configuration' started by nox171, Jul 13, 2007.

  1. falko

    falko Super Moderator ISPConfig Developer

    Please check if /etc/apache2/vhosts/Vhosts_ispconfig.conf is included in your main Apache configuration.
     
  2. nox171

    nox171 New Member

    Yes it is included.

    I think that the same site for the port number 80 uses the ISPConfig options but for the port 443 apache just looks inside /etc/apache2/vhosts.d/*.conf

    What do you think?
     
    Last edited: Aug 2, 2007
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    If you ahve any sites for port 443 in /etc/apache2/vhosts.d/*.conf, remove them and then restart apache.
     
  4. nox171

    nox171 New Member

    :confused:

    Why?

    I need my /etc/apache2/vhosts.d/myhost.conf to makes the SSL connection work.

    When I said that Apache wasn't looking to /etc/apache2/vhosts/Vhosts_ispconfig.conf I was wrong.
    It looks inside it and also inside my /etc/apache2/vhosts.d/myhost.conf where I define all the parameters to makes SSL work correctly.

    Also I've noticed that if you change any options on the ISPConfig panel /etc/apache2/vhosts/Vhosts_ispconfig.conf is rewritten.

    Then I think that the best solution is to define all the option on my /etc/apache2/vhosts.d/myhost.conf including the Apache directives copying them from Vhosts_ispconfig.conf file.

    But, and there is a but... how can I autoredirect all the connections to my website from http to https?

    Where can I place the redirect? If I place it inside Vhosts_ispconfig.conf everytime I will make a change I will lose it.

    Do you think I should place it in httpd.conf or in /etc/apache2/vhosts.d/myhost.conf?
     
    Last edited: Aug 3, 2007
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Either remove /etc/apache2/vhosts.d/myhost.conf or uninstall ISPConfig. You can not have both. ISPConfig writes it's own ssl vhost in the file /etc/apache2/vhosts/Vhosts_ispconfig.conf.
     
  6. nox171

    nox171 New Member

    Are you sure?

    I agree that I can't manually edit eh Vhosts_ispconfig.conf file because of ISPConfig that rewrites it.
    But Apache is reading with no problem the myhost.conf file.
    I assume that because the SSL connection with client-side authentication works when the file is in position.
     
  7. nox171

    nox171 New Member

    Hi all,

    As I probably already said, I'm trying to make a redirect to https from http.

    this is what I've updated in my myhost.conf:

    Code:
    [COLOR="Orange"]<Directory /var/www/web1/web/>[/COLOR]
    RewriteEngine On
    Options +FollowSymLinks
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://test.myhost.co.uk/$1 [R,L]
    </Directory>
    
    It works OK. (I'm not definitively sure about line in orange, could it be ok?)

    To make further tests I've also created another vhost: www.bibuba.com :p

    Now when I require https://www.bibuba.com I receive a client certificate request from the other vhost (test.myhost.com).

    Do you know how can I solve this?
    I mean, can I restrict the redirection to https just if a particular URL has been requested?
    I think I could setup something inside the rewrite section but I don't really have a clue.

    Can anyone help me?
    Thanks!!
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Are both hosts on the same IP address? Each SSL vhost must have a seperate IP address.
     
  9. nox171

    nox171 New Member

    Sorry I didn't explain very well what I did.

    I've just created a new website using ISPConfig in the same machine.

    The IP address is the same.
    I know that SSL can exists only on one IP address and that for me is ok because I need just one site to be accessible via https.

    I was wondering if it's possible to avoid that other clients can access my https website (in this case test.myhost.co.uk) just changing the address for their website from http to https.

    For example if they have a website like:

    http://www.clientwebsite.com
    and they change the address to
    https://www.clientwebsite.com

    the client certificate request come up from the other website.
    The url remains still the same, it doens't change to https://test.myhost.com

    This is why I was looking for a sort of filter to look to the url and provide the certificate just when the relative url has been requested.
     
  10. nox171

    nox171 New Member

    Do you have any idea?
     
  11. falko

    falko Super Moderator ISPConfig Developer

    Unfortunately not... :(
     

Share This Page