Apache + Squirrelmail + SSL Configuration

gentooey · n00b Joined: 02 Jul 2003 Posts: 3

I've just installed squirrelmail per the Desktop Configuration Guide, and everything works as it should. I can type both http://myserver.com or https://myserver.com to access my website. I'm trying to figure out how to configure my webserver so that some pages only load the https:// page while others load the default http://. For example, when a remote user types "myserver.com," the browser will load the standard http://myserver.com page. However, when a remote user types "myserver.com/webmail," I'd like it to automatically load https://www.myserver.com/webmail. I'd rather not have the user HAVE to remember to type the full path (https://..) in order to load the secure page.

I've figured out how to make the http://myserver.com/webmail disabled, so that the user gets a Forbidden error, but I'd like the server to automatically load the https:// page instead. Anyone have any ideas on what config files I need to change to get this to work? Thanks.

James

shaung · n00b Joined: 25 May 2003 Posts: 44

Just an idea . . .

Have you tried URL redirection (see the apache html man pages that came with your apache install).

see http://httpd.apache.org/docs/urlmapping.html#redirect

gentooey · n00b Joined: 02 Jul 2003 Posts: 3

That sounded like a good solution, but commonapache.conf doesn't seem to like it. When I throw this line in there in there and try loading the page it just sits there confused, trying to load the page, but never doing it.

nitro322 · Guru Joined: 24 Jul 2002 Posts: 596 Location: USA

try putting this in an .htaccess file in your /webmail/ directory (for some reason it won't work directly in httpd.conf):

dmolavi · Posted: Tue Jul 15, 2003 6:27 pm Post subject:

dude, thanks

this fixed it for me
just to double check (it's been a long day)..what permissions should be on the .htaccess file, and who should own it?

puke · Tux's lil' helper Joined: 05 Oct 2002 Posts: 128

Make sure the .htaccess file is read-only from the userid that your apache uses.

Also make sure that apache does not serve up your .ht* files when requested to do so.

http://httpd.apache.org/docs-2.0/misc/security_tips.html

Dr_Stein · Posted: Wed Apr 21, 2004 11:42 pm Post subject:

Didn't work for me. =/

I tried the .htaccess and I ended up getting 404s. I wish that Squirrelmail had a flag to use only SSL and not try to hit http:// pages.

Chris W · Posted: Thu Apr 22, 2004 6:14 am Post subject:

There's a plugin for Squirrelmail that redirects to a secure port for the authentication screen and then returns the user to the insecure page they requested (unless they started on HTTPS in which it stays secure). This covers the passwords but does not burden the server encrypting the bulk traffic.

The redirection above:

Dr_Stein · Posted: Thu Apr 22, 2004 7:28 pm Post subject: So how do we make it all SSL? :)

I had a user complain because even though the login was handled by https, the rest of the session was http.
Squirrelmail, Courier-IMAP, and Postfix are all running on the same machine. The machine is behind a firewall. Nobody has access to it but myself and one other person. It's in a locked room.

Sometimes users are just a bit too paranoid.

I know that there's an extra load on the machine if everything is SSL, but it's a dual Pentium III/1.4ghz with 3gb RAM and 4 x 140gb Ultra 320 drives in a RAID 5 with 1 hot spare. The company only has 28 employees. Not all of them are going to be hitting the machine with SquirrelMail at the same time. I should hope that the hardware is sufficient.

I read that you can hack the login.php in SM to make everything SSL, but I know very little PHP and it looked like a daunting task..

Should I make an IP based Vhost? SquirrelMail will be the *only* web thing on the box requiring any SSL at all.

Thanks for any help!