ISPConfig3 How to have multiple manually created port based SSL client sites hosts

Discussion in 'Installation/Configuration' started by zapyahoo, Jan 3, 2013.

  1. zapyahoo

    zapyahoo Member

    This is just a small how-to for having multiple SSL client site hosts. This setup is port based, because apache2 only allows 1 SSL site on port 443. This means each client SSL website will have its own port that responds to https requests.

    Having more than one SSL site responding on port 443 is also relatively easy to accomplish, but it implies having several eth cards or eth0 virtual clones (with individual LAN IPs: eth0 = LAN IP 1, eth0:1 = LAN IP 2, eth0:2 = LAN IP 3, etc.) and several external WAN IPs, each pointing to an individual LAN IP clone on port 443. But again, that is not covered here.

    Initial recommendations:
    1. Don't use ISPConfig3 SSL features to create the SSL virtual host. It overrides the ports. Just create the normal http site, leave SSL off.
    2. In this setup I will use example.org as domain and port 444 for the SSL.
    3. Remember to open / NAT your firewall / router port 444 and point it at your webserver LAN IP.
    4. This will cover 1 host setup, if you have many websites like I do just repeat the instructions for each website domain and assign a different port to each one.

    Let's start:
    1. In /etc/apache2/sites-available/, create a new vhost file and name it example.org.https.vhost
    Code:
    cd /etc/apache2/sites-available/
    sudo nano example.org.https.vhost
    Copy the text below into the file:
    replace all instances of example.org with your domain name
    replace all instances of /var/www/clients/client1/web8 with the path to your ispconfig3 website root location
    Code:
    # Apache only binds the ports named in a Listen directive, so make sure a
    # "Listen 444" line exists (normally in /etc/apache2/ports.conf) before restarting.
    <Directory /var/www/example.org>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>

    <VirtualHost example.org:444>
        DocumentRoot /var/www/example.org/web

        ServerName example.org
        ServerAlias www.example.org
        ServerAdmin webmaster@example.org

        ErrorLog /var/log/ispconfig/httpd/example.org/error.log

        Alias /error "/var/www/example.org/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html

        <IfModule mod_ssl.c>
            SSLEngine on
            SSLCertificateFile /var/www/clients/client1/web8/ssl/example.org.crt
            SSLCertificateKeyFile /var/www/clients/client1/web8/ssl/example.org.key
            SSLCertificateChainFile /var/www/clients/client1/web8/ssl/sub.class1.server.ca.pem
            SSLCACertificateFile /var/www/clients/client1/web8/ssl/ca.pem
        </IfModule>

        <Directory /var/www/example.org/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client1/web8/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>

        # suexec enabled
        <IfModule mod_suexec.c>
            SuexecUserGroup web8 client1
        </IfModule>
        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>
        # php as fast-cgi enabled
        # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
        <IfModule mod_fcgid.c>
            IdleTimeout 300
            ProcessLifeTime 3600
            # MaxProcessCount 1000
            DefaultMinClassProcessCount 0
            DefaultMaxClassProcessCount 100
            IPCConnectTimeout 3
            IPCCommTimeout 360
            BusyTimeout 300
        </IfModule>
        <Directory /var/www/example.org/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client1/web8/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web8/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>

        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
            AssignUserId web8 client1
        </IfModule>

        <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
            <Directory /var/www/clients/client1/web8/webdav>
                <FilesMatch "\.ph(p3?|tml)$">
                    SetHandler None
                </FilesMatch>
            </Directory>
            DavLockDB /var/www/clients/client1/web8/tmp/DavLock
            # DO NOT REMOVE THE COMMENTS!
            # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
            # WEBDAV BEGIN
            # WEBDAV END
        </IfModule>
    </VirtualHost>
    save with ctrl-x

    2. Now let's make a symbolic link of this file into apache2 sites-enabled
    Code:
    sudo ln -s /etc/apache2/sites-available/example.org.https.vhost /etc/apache2/sites-enabled/100-example.org.https.vhost
    3. Proceed to copy all the website SSL files into the ispconfig3 website folder. As you may see in the above vhost file, the example.org website is using the folder /var/www/clients/client1/web8/ ... the SSL files need to be copied into the ssl folder /var/www/clients/client1/web8/ssl/
    Once done rename the ssl.key and ssl.crt file into example.org.key and example.org.crt
    Code:
    cd /var/www/clients/client1/web8/ssl/
    sudo mv ssl.key example.org.key
    sudo mv ssl.crt example.org.crt
    4. You are done and just need to restart apache2
    Code:
    sudo /etc/init.d/apache2 restart
    Not necessary but useful:
    You probably notice each time you restart apache2 with the command:
    Code:
    sudo /etc/init.d/apache2 restart
    you get a bunch of warnings like this:
    Code:
    [warn] NameVirtualHost *:80 has no VirtualHosts
    They are not critical but they tick me off and create a huge error log. Unfortunately ISPConfig3 uses a basic vhost config that we can change by editing the master vhost template file vhost.conf.master located in /usr/local/ispconfig/server/conf/
    1. create a backup file:
    Code:
    cp /usr/local/ispconfig/server/conf/vhost.conf.master /usr/local/ispconfig/server/conf/vhost.conf.master.bk
    2. open vhost.conf.master file:
    Code:
    sudo nano /usr/local/ispconfig/server/conf/vhost.conf.master
    around line 9 you will see:
    Code:
    <VirtualHost {tmpl_var name='ip_address'}:{tmpl_var name='port'}>
    delete
    Code:
    :{tmpl_var name='port'}
    so the line looks like:
    Code:
    <VirtualHost {tmpl_var name='ip_address'}>
    3. save the file, ctrl-x
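    A helper for the port-based setup in steps 1 to 4 of the first post, added here as an example (it is not from the thread or from ISPConfig, and the paths it uses are placeholders): it renders the SSL part of a vhost for one site on its own port and checks the two things that most often leave such a vhost silently unreachable, a missing Listen line and two enabled vhosts claiming the same port. The cert/key pairing check needs openssl.

    ```shell
    #!/bin/sh
    # Constructed helper, not from the thread or ISPConfig. All paths are placeholders.

    # render_vhost DOMAIN PORT WEBROOT: print the SSL part of a vhost bound to PORT,
    # using the ISPConfig-style ssl/ folder under WEBROOT for the renamed cert and key.
    render_vhost() {
        domain=$1 port=$2 root=$3
        cat <<EOF
    <VirtualHost *:$port>
        ServerName $domain
        ServerAlias www.$domain
        DocumentRoot $root/web
        <IfModule mod_ssl.c>
            SSLEngine on
            SSLCertificateFile $root/ssl/$domain.crt
            SSLCertificateKeyFile $root/ssl/$domain.key
        </IfModule>
    </VirtualHost>
    EOF
    }

    # check_listen PORTS_CONF PORT: Apache only binds ports named in a Listen line
    # (optionally prefixed by an IP); a vhost on an unlisted port never answers.
    check_listen() {
        grep -Eq "^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?$2([[:space:]]|$)" "$1"
    }

    # count_port_users SITES_ENABLED PORT: number of enabled vhost files that bind PORT.
    # Without SNI, two SSL vhosts on one port means the second never serves its own cert.
    count_port_users() {
        grep -El "<VirtualHost[[:space:]]+[^>]*:$2>" "$1"/* 2>/dev/null | wc -l | tr -d ' '
    }

    # check_keypair CRT KEY: the renamed ssl.crt and ssl.key must belong together,
    # otherwise mod_ssl refuses to start. Compares the RSA moduli (needs openssl).
    check_keypair() {
        [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
    }
    ```
    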
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    With sni, you can run as many ssl sites on one ip and port 443 as you like in apache. Sni is supported by ispconfig out of the box, the above described setup is not required then. All current browsers support sni, only the old internet explorer in windows xp does not support it.

    To use sni, ensure that sni is enabled under system > server config > web. Then you can enable ssl on every site even if they use the same ip address without doing any manual configuration.
     
  3. zapyahoo

    zapyahoo Member

    sni is great, give a couple more years for XP to die or drop to 1 or 2% of website visits. You can also google if you want:
    https://en.wikipedia.org/wiki/Server_Name_Indication
    Does not work on Windows XP, even Internet Explorer 8
    Google analytics:
    windows XP is still used by 25% of users
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Internet explorer 8 is old, I know the wikipedia article, posted it several times here already :)
     
  5. zapyahoo

    zapyahoo Member

    Till I agree with you and would never use any kind of internet explorer :) old or new :) Just talking about website statistics, 25% of XP users is still a lot.

    More, in my case, as you may read from other posts of mine, I use SSL mainly for facebook apps, where ssl is mandatory, and my websites' links are masked by facebook app urls, so the user actually never sees my SSL URL:port, they only see the facebook url. Facebook apps are used all over the world where many, many users still run XP and/or IE8.
     
  6. zapyahoo

    zapyahoo Member

    Till, since I grabbed you here. Is there an official API for ispconfig3?
    Would like to develop a social app or module for the main control panel.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Ispconfig has a remote api, take a look into the remote_client directory in the tar.gz file for example files and api docs.
     
  8. zapyahoo

    zapyahoo Member

    Hello Till,

    Was just testing sni, also works fine.
    I found 2 ways of making it work, independent of ispconfig3.
    1. By adding 1 main https.vhost with all SSL hosts
    2. By adding several https vhost files, 1 website per host file with include other https hosts directive.

    Regarding the sni...support in ispconfig3, what system is implemented?
    1. 1 main https vhost file for all websites
    or like I'm guessing,
    2. 1 vhost file per website (with http 80 and https 443) and include all the other https vhost files
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses one vhost file per website, if ssl is enabled for this site, the ssl vhost is defined in the website file.
     
  10. SamTzu

    SamTzu Active Member

    XP & IE8 & Bots

    I keep seeing that claim everywhere but personally don't know anyone who uses Windows XP or IE8 anymore. I'm skeptical about its validity. I think it's mostly bots that confuse this issue.
     
  11. JoeFresco

    JoeFresco New Member

    I think blaming bots just because you don't know anyone is shortsighted. There are a lot of possibilities... people using 4 year old computers who aren't computer savvy (this is very common) and people using what the IT dept set up, where they only allow IE and XP.

    I do web development work that caters to auto dealerships, and nearly all of them are still using XP -- It was just in the last year that we've seen a dramatic drop in IE6 usage even though IE8 has been out for years. IE7 is currently tied with IE8 for the most popular browser used to access our site.

    I just did some analysis on statowl.com and determined that 50% use IE and 30% of IE users are using XP then 15% of US-based internet users are using IE on XP. I did this little exercise because I wanted to know if I switched to SNI on my general server how many people would be disenfranchised.
     