Secure My Apache Config

Discussion in 'Server Operation' started by carlosinfl, Dec 17, 2009.

  1. carlosinfl

    carlosinfl New Member

    I have a mail server running Postfix & Apache for a web mail application. I followed this guide, which walks you through creating self-signed SSL certificates for Postfix and Dovecot. The SSL certs are working fine, since I tested them with TLS / SASL via email; however, my question is: can I also use the same generated SSL certificates to make my webmail session via Apache secure?

    My DocumentRoot is configured to take you to *mydomain.us*, and then there is a link for *mydomain.us/webmail*; the webmail sub directory is what I would like to be running on port 443.

    Anyone know if this is possible without some crazy configuration modifications? I would think I simply need to add a 'virtual host' entry in the /etc/httpd/conf/httpd.conf file pointing to the location of my SSL certificates on the server.
     
  2. Mark_NL

    Mark_NL New Member

    You are correct sir :)

    You need to create a new VirtualHost on port 443 and define the SSL options inside that VirtualHost scope.

    e.g.

    Code:
    <VirtualHost 1.2.3.4:443>
     # DocumentRoot, not VirtualDocumentRoot (which needs mod_vhost_alias), for a fixed path
     DocumentRoot /path/to/your/webmail
     ServerName   webmail.yourdomain.tld
    
     SSLEngine On
     # Stock example suite; note it still admits RC4, LOW, export (EXP) and eNULL ciphers
     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
     SSLCertificateKeyFile /path/to/your/ssl/cert/server.key
     SSLCertificateFile /path/to/your/ssl/cert/server.cert
    </VirtualHost>
    
    Your webmail will now be available through: https://webmail.yourdomain.tld
     
  3. carlosinfl

    carlosinfl New Member

    Oh, so now with this entry I can access my webmail server with an alias? Even if my server hostname is not 'webmail', I should still be able to do some kind of redirect from https://www.yourdomain.tld >> https://webmail.yourdomain.tld?
     
  4. carlosinfl

    carlosinfl New Member

    Right now, w/o the SSL or Virtual Host config, I access my webmail via HTTP at www.mydomain.tld/webmail.
     
  5. Mark_NL

    Mark_NL New Member

    So currently you have:
    http://www.mydomain.tld/webmail

    and you want to reach webmail via
    https://www.mydomain.tld/webmail
    as well?

    Since webmail is an alias (points to a Directory directive), you would need to configure a global SSL setting so you can reach all websites with or w/o SSL.

    If you run one domain on it and want normal/SSL connections to the website and the webmail alias, just copy and paste your existing VirtualHost, change the port to 443 and add the SSL options, save, restart, done. :)
     
  6. carlosinfl

    carlosinfl New Member

    Thanks all for the awesome help. I will do this today and post back if something doesn't work.

    -Carlos
     
  7. carlosinfl

    carlosinfl New Member

    There is no "Virtual Host" entry in my 'httpd.conf' file but I did find on my Linux distribution (Arch Linux) a /etc/httpd/conf/extra/httpd-ssl.conf. In that file I have the following:

    Code:
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache        "shmcb:/var/run/httpd/ssl_scache(512000)"
    SSLSessionCacheTimeout  300
    SSLMutex  "file:/var/run/httpd/ssl_mutex"
    
    <VirtualHost _default_:443>
    
    DocumentRoot "/srv/http/webmail"
    ServerName www.mydomain.tld:443
    ServerAdmin admin@mydoma.tld
    ErrorLog "/var/log/httpd/error_log"
    TransferLog "/var/log/httpd/access_log"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"
    
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/srv/http/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    
    BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
    CustomLog "/var/log/httpd/ssl_request_log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
    
    Do I need to copy the uncommented entries I posted above from the httpd-ssl.conf file to the bottom of my httpd.conf file?
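The "copy the VirtualHost to port 443 and add the SSL options" approach from post 5, written out against the Arch layout shown in post 7, as an added example that is not from the thread. It assumes httpd.conf already loads mod_ssl and includes this file (on upstream-style layouts that is the commented-out `Include conf/extra/httpd-ssl.conf` line), and the certificate paths are placeholders for the self-signed pair generated for Postfix/Dovecot.

```apache
# Added example (not from the thread). Assumes the Arch/upstream layout from
# post 7 and that httpd.conf loads mod_ssl and includes this file;
# certificate paths are placeholders for the Postfix/Dovecot self-signed pair.
Listen 443

# Plain-HTTP site stays as it is; only the webmail alias is forced onto TLS.
<VirtualHost *:80>
    ServerName   www.mydomain.tld
    DocumentRoot "/srv/http"
    # 301 so browsers and bookmarks stop using the cleartext URL.
    # Redirect is applied before any Alias, so no Alias is needed here.
    Redirect permanent /webmail https://www.mydomain.tld/webmail
</VirtualHost>

# Same site on 443: same DocumentRoot (so /webmail keeps its path, unlike the
# DocumentRoot "/srv/http/webmail" in the stock file) plus the SSL directives.
<VirtualHost _default_:443>
    ServerName   www.mydomain.tld:443
    DocumentRoot "/srv/http"
    # Only needed if webmail is an Alias rather than a real subdirectory.
    Alias /webmail "/srv/http/webmail"

    SSLEngine on
    # Replace the stock suite (which admits RC4, LOW, EXP and eNULL) with a
    # restricted one, refuse SSLv2/SSLv3, and let the server pick the cipher.
    SSLProtocol          all -SSLv2 -SSLv3
    SSLCipherSuite       HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder  on

    # Reuse the self-signed certificate and key generated for Postfix/Dovecot
    # (placeholder paths). Keep the key root-owned with mode 0600.
    SSLCertificateFile    "/etc/ssl/certs/mail.crt"
    SSLCertificateKeyFile "/etc/ssl/private/mail.key"

    ErrorLog  "/var/log/httpd/ssl_error_log"
    CustomLog "/var/log/httpd/ssl_request_log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

Run `apachectl configtest` before restarting, and expect a browser warning unless the certificate's CN matches the hostname in the URL (here www.mydomain.tld, which may differ from the mail server's name the certificate was issued for).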
     