Kattsand n00b
Joined: 26 May 2008 Posts: 43 Location: Sweden
|
Posted: Tue Dec 02, 2008 6:16 pm Post subject: Apache: mixed SSL/"unsecure" vhosts. [Solved] |
|
|
My problem: got a domain with subdomains I want to use for different virtual hosts, webmail.domain.net with SSL/port 443 _only_ and www.domain.net port 80 etc.
Got it to work nicely but I can access www.domain.net with HTTPS and webmail virtualhost with port 80 which is definitely not what I wanted.
Also, Apache shows www.domain.net/index.html when users try http://webmail.domain.net, which is not desirable.
Config files might be messy because I've tried a lot of stuff but nothing obviously solved it, so here it goes:
Apache version: apache-2.2.9-r1
/etc/apache2/vhosts.d/00_default_vhost.conf:
Code: |
<IfDefine DEFAULT_VHOST>
Listen 80
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.domain.net
Include /etc/apache2/vhosts.d/default_vhost.include
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
<Directory /var/www/domain.net/htdocs>
DirectoryIndex index.html index.htm index.asp
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>
</IfDefine>
|
/etc/apache2/vhosts.d/00_default_ssl_vhost.conf:
Code: |
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443
<VirtualHost *:443>
ServerName webmail.domain.net
Include /etc/apache2/vhosts.d/default_vhost.include
ErrorLog /var/log/apache2/ssl_error_log
<IfModule log_config_module>
TransferLog /var/log/apache2/ssl_access_log
</IfModule>
DocumentRoot "/var/www/domain.net/webmail"
<Directory /var/www/domain.net/webmail/>
Options -Indexes
Order Allow,Deny
Allow from All
DirectoryIndex index.html
</Directory>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
<IfModule log_config_module>
CustomLog /var/log/apache2/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
|
default_vhost.include:
Code: |
ServerAdmin root@localhost
DocumentRoot "/var/www/domain.net/htdocs"
# This should be changed to whatever you set DocumentRoot to.
<Directory "/var/www/domain.net/htdocs">
Options -Indexes FollowSymLinks
AllowOverride All
Deny from All
</Directory>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/domain.net/cgi-bin/"
</IfModule>
<Directory "/var/www/domain.net/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
|
To clarify it so no one can misunderstand what I want:
webmail.domain.net should only be available with SSL, an error generated when accessing through port 80.
www.domain.net should not use SSL, error generated when accessing with SSL/port 443.
DNS is set up properly and the IP is pointing to webmail.domain.net.
Read the Apache documentation but obviously it didn't clarify what steps I need to do, done a lot of testing to find a solution...
Thanks in advance.
Last edited by Kattsand on Tue Dec 02, 2008 9:55 pm; edited 1 time in total |
richard.scott Veteran
Joined: 19 May 2003 Posts: 1497 Location: Oxfordshire, UK
|
Posted: Tue Dec 02, 2008 7:09 pm Post subject: |
|
|
I'd try removing the Include line from your webmail config. |
scherz0 Apprentice
Joined: 02 Oct 2008 Posts: 154
|
Posted: Tue Dec 02, 2008 9:35 pm Post subject: Re: Apache: mixed SSL/"unsecure" vhosts. |
|
|
Kattsand wrote: | My problem: got a domain with subdomains I want to use for different virtual hosts, webmail.domain.net with SSL/port 443 _only_ and www.domain.net port 80 etc.
Got it to work nicely but I can access www.domain.net with HTTPS and webmail virtualhost with port 80 which is definitely not what I wanted.
Also, Apache shows www.domain.net/index.html when users try http://webmail.domain.net, which is not desirable.
|
Each of your virtual hosts is the only vhost for its port, and thus the default vhost. They catch any request, ignoring the host name. You can do one of the following:
- using mod_rewrite: in each vhost, check the request host name and reply with an error when it is not the expected one. Or
- define a default vhost for each port, with DocumentRoot pointing to some error page. The definition of each default vhost must be placed before the definition of the effective vhost, since Apache considers the default vhost to be the first one found in the config file. |
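
The two options from the reply above, combined in one Apache 2.2 configuration as an added example (not part of the original posts): a catch-all default vhost on port 80, and a mod_rewrite host check inside the single SSL vhost. Paths and certificate file names are the ones used in the thread; the `default.invalid` name and the `Deny from all` body of the catch-all are assumptions.

```apache
# Added example, Apache 2.2 syntax (Order/Allow/Deny).
Listen 80
NameVirtualHost *:80

# Defined FIRST on *:80, so this is the default vhost: it receives every
# request whose Host header matches no ServerName below
# (for example http://webmail.domain.net/).
<VirtualHost *:80>
    # Placeholder name (assumption); it only has to match nothing real.
    ServerName default.invalid
    <Location />
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.domain.net
    DocumentRoot "/var/www/domain.net/htdocs"
    <Directory "/var/www/domain.net/htdocs">
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

Listen 443
# Only vhost on *:443, therefore also the default there. Instead of a
# second SSL vhost, reject any other host name with mod_rewrite.
<VirtualHost *:443>
    ServerName webmail.domain.net
    DocumentRoot "/var/www/domain.net/webmail"
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Not wrapped in <IfModule>: if mod_rewrite is missing, the config
    # fails to load instead of silently dropping the check.
    RewriteEngine On
    # The Host header may carry a port suffix; an empty Host is rejected too.
    RewriteCond %{HTTP_HOST} !^webmail\.domain\.net(:443)?$ [NC]
    RewriteRule ^ - [F]

    <Directory "/var/www/domain.net/webmail">
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

`apache2ctl -S` prints the parsed vhosts per address:port and marks which one is the default, which confirms the ordering took effect. On port 443 the 403 is sent after the TLS handshake, so a client asking for https://www.domain.net still sees the webmail certificate first.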
Kattsand n00b
Joined: 26 May 2008 Posts: 43 Location: Sweden
|
Posted: Tue Dec 02, 2008 9:54 pm Post subject: |
|
|
Thanks for the replies.
Solved this in a not so perfect way but it works at least.
Redirect solved it and it will do for me because I only want to use SSL for the webmail and nothing else.
If there is a cleaner way then feel free to explain. |
richard.scott Veteran
Joined: 19 May 2003 Posts: 1497 Location: Oxfordshire, UK
|
Posted: Wed Dec 03, 2008 10:11 am Post subject: |
|
|
Kattsand wrote: | Thanks for the replies.
Solved this in a not so perfect way but it works at least.
Redirect solved it and it will do for me because I only want to use SSL for the webmail and nothing else.
If there is a cleaner way then feel free to explain. |
Thinking about my previous reply, SSL needs to be on its own IP and you should have this IP listed in this section:
Code: | <VirtualHost *:443> |
In my experience I've needed an IP in there rather than the star to listen on all interfaces.
I have this as my config:
Code: | <VirtualHost *:80>
ServerName webmail.mydomain.com
RedirectMatch /(.*) https://webmail.mydomain.com/
</VirtualHost>
<VirtualHost x.x.x.x:443>
DocumentRoot /var/www/localhost/htdocs/squirrelmail/
ServerName webmail.mydomain.com
DirectoryIndex index.php index.html
CustomLog /var/log/apache2/ssl_webmail.mydomain.com_access.log combined
ErrorLog /var/log/apache2/ssl_webmail.mydomain.com_error.log
<Directory "/var/www/localhost/htdocs/squirrelmail/">
php_value session.cache_expire 3600
AllowOverride AuthConfig Indexes Options
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/webmail.mydomain.com.cert
SSLCertificateKeyFile /etc/apache2/ssl/webmail.mydomain.com.key
</VirtualHost> |
Obviously replace the x.x.x.x part with the IP you want webmail on.
HTH
Rich. |