Hello, I was using ServerAlias mail.* inside /etc/apache2/apache2 so that everybody trying to access my webmail with his domain (aka mail.whateverdomain hosted on my server) got to the webmail, but now I would like to implement https access for this purpose. Can anyone give me a step-by-step description?
I have been doing some reading and found some howtos. One states this: meaning that as Common Name I have to enter the exact URL as it will be entered later in the browser. What I want to do is use https for my manually made virtual host which uses ServerAlias mail.*. If I set the Common Name to mail.myprimarydomain.com I guess all other clients using mail.theirdomain.com will get an error?
If you have an SSL Certificate for 'mail.primarydomain.com' you can use it for all domains (i.e. mail.whateverdomain.com...) however you will receive a *warning* message. The certificate will work, the connection will be encrypted.... but the client will receive the warning "Hostname Mismatch". That said, the client could simply click "continue" to continue... but we all know that even though the customer is always right, they aren't always smart... meaning... half the people will think that the page doesn't work and will then send you emails every day until you come up with another solution.

Personally.... I would offer this solution: Create the virtual host for 'mail.*' with a redirect to 'mail.primarydomain.com'. Such as:

Code:
<VirtualHost 192.168.1.1:80>
    # Apache only honours wildcards in ServerAlias; ServerName takes one literal hostname
    ServerAlias mail.*
    DocumentRoot /path/to/something
    # trailing slash on the target, otherwise /foo would be sent to https://mail.primarydomain.comfoo
    RedirectPermanent / "https://mail.primarydomain.com/"
</VirtualHost>

This way, you can tell your client to go to 'http://mail.theirdomain.com' and they will seamlessly be redirected to HTTPS on the primary domain (that has a valid certificate). If you find you have a few clients that don't like this.... you can offer to have their own 'mail.theirdomain.com' without the redirect.... however they will have to purchase their own certificate. You can mix 'mail.whateverdomain.com' VirtualHosts.... and also the 'mail.*' VirtualHost.... however, the catchall 'mail.*' VirtualHost must be after all of the other 'mail.whateverdomain.com' VirtualHosts.... if that makes sense.
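The "Hostname Mismatch" warning above comes from the name-matching rule a TLS client applies to the certificate. As an added example (not code from this thread), the following Python implements that rule in its strict form and shows why a certificate for mail.primarydomain.com does not cover mail.otherdomain.com, and why "mail.*" cannot be used as a Common Name. All domain names in it are constructed placeholders.

```python
# Added example, not from the thread: the hostname-matching rule a TLS
# client applies to a certificate's names (CN or SAN dNSName entries).
# It shows why a cert for mail.primarydomain.com gives "Hostname Mismatch"
# for mail.otherdomain.com, and why "mail.*" is not a usable Common Name.
# All domain names here are constructed placeholders.

def _label_matches(pattern_label, host_label):
    """Match one DNS label; a bare '*' matches exactly one whole label."""
    return pattern_label == "*" or pattern_label == host_label

def hostname_matches(cert_name, hostname):
    """True if cert_name covers hostname under the strict RFC 6125 form
    (the one mainstream TLS clients enforce):
    - comparison is case-insensitive;
    - a wildcard is honoured only as the entire leftmost label, so
      "*.example.com" is valid but "mail.*", "*.com" or "m*.example.com" are not;
    - the wildcard spans exactly one label: "*.example.com" matches
      mail.example.com but not a.mail.example.com or example.com.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in cert_labels or "" in host_labels:
        return False                      # empty label, e.g. "mail..com"
    for i, label in enumerate(cert_labels):
        if "*" in label and (i != 0 or label != "*"):
            return False                  # wildcard in wrong place or partial
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False                      # "*.com" would cover a whole TLD
    if len(cert_labels) != len(host_labels):
        return False
    return all(_label_matches(c, h) for c, h in zip(cert_labels, host_labels))

def first_matching_name(cert_names, hostname):
    """Return the certificate name that covers hostname, or None on mismatch."""
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None

if __name__ == "__main__":
    cert = ["mail.primarydomain.com"]      # the single-name cert from the thread
    for host in ["mail.primarydomain.com", "mail.otherdomain.com"]:
        print(host, "->", first_matching_name(cert, host) or "Hostname Mismatch")
```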
Thanks for helping, I'll quote some of your answers with questions of mine: the same error my clients get when they use https://theirdomain:81 or https://theirdomain:81/phpmyadmin, right? I got them used to this..... as the certificate was done for https://myprimarydomain:81 that would not be a problem, like I just explained. By seamless, what do you mean? Can I have the redirect working so that the URL does not change? That would confuse a user more than a warning about a certificate (talking about my experience). I guess I also would need more IPs for this :-( Can you give me some more instructions? I already found a howto on creating SSL certificates, but I still need some more info: could you maybe paste an https-enabled vhost entry here? Can you give me a link to a working/good certificate authority that gives away free certificates and is "well-known"?
No, the URL will change. Here you go:

Code:
<IfModule mod_ssl.c>
<VirtualHost 1.2.3.4:443>
    ServerName secure.example.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/web2/web
    DirectoryIndex index.html index.htm index.php index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
    ScriptAlias /cgi-bin/ /var/www/web2/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    ErrorLog /var/www/web2/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    php_admin_flag safe_mode On
    php_admin_value open_basedir /var/www/web2/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web2/phptmp/
    php_admin_value session.save_path /var/www/web2/phptmp/
    AddType text/html .shtml
    AddHandler server-parsed .shtml
    SSLEngine on
    SSLCertificateFile /var/www/web2/ssl/secure.example.com.crt
    SSLCertificateKeyFile /var/www/web2/ssl/secure.example.com.key
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/web2/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web2/user/$1/web/$3
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>

Also have a look here: http://httpd.apache.org/docs/2.0/ssl/

There's no free CA that is recognized by almost all browsers... I buy my certificates at instantssl.com, they are not that expensive.
And there is no way to enter mail.* as Common Name? Would that give an error every time I typed in mail.primarydomain.com, mail.secondarydomain.com etc.?

###edit### Still curious about that question, meanwhile some others: I went ahead and created and signed a test certificate, then I tried using a redirect from http to https like this: the vhost below I modified according to falko and inserted the paths to my certificate and key. Then I thought about redirecting http to https and created the vhost above, which only contains the redirect, and everything works. I have not noticed any problems so far but it still looks strange to me. Shouldn't it have a ServerAlias or ServerName so that it only redirects requests coming to mail.whatever:80 to mail.whatever:443? I would expect my server to try and redirect any request to port 443 but it does not, all sites are still functional. Can somebody explain this behavior? Could I not modify the rewrite rule like this: so that only requests to mail.whatever get rewritten? What is the most elegant alternative?
No. Yes, you should have ServerName in the first vhost. Are these two vhosts you added the last ones in your Apache configuration? Then all other vhosts are still operational. If they were the first ones, for example, then all requests on 85.214.51.208 would go to them.
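The ordering behaviour described in this answer (and the "catchall must come last" rule earlier in the thread) follows from how Apache chooses a name-based VirtualHost. The following Python is an added illustration, not code from this thread or from Apache: a small model of that selection rule, run over a constructed set of vhosts. It assumes a vhost without ServerName matches no Host header (real Apache would fall back to the machine's hostname), and all addresses and domains are placeholders.

```python
# Added example (not from the thread): a model of Apache's name-based
# VirtualHost selection, showing why the "mail.*" catch-all must come after
# the specific mail.<domain> vhosts, and why a nameless redirect vhost placed
# first would receive every request on that IP:port. Names are constructed.
import fnmatch

class VHost:
    """One <VirtualHost addr> block: ServerName plus optional ServerAlias list."""
    def __init__(self, addr, server_name=None, aliases=()):
        self.addr = addr                  # "ip:port" from the <VirtualHost> line
        self.server_name = server_name    # None models a vhost without ServerName
        self.aliases = list(aliases)

    def matches(self, host):
        # ServerName is compared literally; ServerAlias honours * and ?
        # wildcards, and * also spans dots, so "mail.*" covers mail.a.b.com.
        host = host.lower()
        if self.server_name and self.server_name.lower() == host:
            return True
        return any(fnmatch.fnmatchcase(host, a.lower()) for a in self.aliases)

def select_vhost(vhosts, addr, host_header):
    """Among the vhosts bound to addr (in config order) the first whose
    ServerName/ServerAlias matches the Host header wins; if none matches,
    the FIRST vhost bound to that addr is the default and gets the request."""
    candidates = [v for v in vhosts if v.addr == addr]
    if not candidates:
        return None
    for v in candidates:
        if v.matches(host_header):
            return v
    return candidates[0]

ADDR = "1.2.3.4:80"
WWW = VHost(ADDR, "www.primarydomain.com")
CLIENT_A = VHost(ADDR, "mail.clienta.com")                    # own vhost, own cert
CATCHALL = VHost(ADDR, "mail.primarydomain.com", ["mail.*"])  # redirect-to-https vhost
NAMELESS = VHost(ADDR)                                        # redirect vhost, no ServerName

def catchall_order_demo():
    """Which vhost serves mail.clienta.com when the catch-all is last vs first."""
    last = select_vhost([WWW, CLIENT_A, CATCHALL], ADDR, "mail.clienta.com")
    first = select_vhost([CATCHALL, WWW, CLIENT_A], ADDR, "mail.clienta.com")
    return last.server_name, first.server_name

def nameless_order_demo():
    """Who gets a Host header no vhost names (shop.clientb.com) when the
    nameless redirect vhost is last vs first in the config."""
    last = select_vhost([WWW, CLIENT_A, NAMELESS], ADDR, "shop.clientb.com")
    first = select_vhost([NAMELESS, WWW, CLIENT_A], ADDR, "shop.clientb.com")
    return last is WWW, first is NAMELESS

if __name__ == "__main__":
    print(catchall_order_demo())    # ('mail.clienta.com', 'mail.primarydomain.com')
    print(nameless_order_demo())    # (True, True)
```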
Well, actually they are not the last ones, you can have a look at my apache2.conf here: http://www.howtoforge.com/forums/showthread.php?t=6338 That's what I find kinda strange: after these 2 vhosts the virtualhosts of ISPConfig get loaded ... I expected you to be right that no other vhost would work, but they still do... So you mean I need a ServerName in the first one? Can I use the same ServerName and ServerAlias as the second vhost uses?
Well, you first have this section:

Code:
<Directory /var/www/sharedip>
    Options +Includes -Indexes
    AllowOverride None
    AllowOverride Indexes AuthConfig Limit FileInfo
    Order allow,deny
    Allow from all
    <Files ~ "^\.ht">
        Deny from all
    </Files>
</Directory>

###############ispconfig_log###############
LogFormat "%v||||%b||||%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
CustomLog "|/root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_%d" combined_ispconfig

<Directory /var/www/*/web>
    Options +Includes -Indexes
    AllowOverride None
    AllowOverride Indexes AuthConfig Limit FileInfo
    Order allow,deny
    Allow from all
    <Files ~ "^\.ht">
        Deny from all
    </Files>
</Directory>

<Directory /var/www/*/user/*/web>
    Options +Includes -Indexes
    AllowOverride None
    AllowOverride Indexes AuthConfig Limit FileInfo
    Order allow,deny
    Allow from all
    <Files ~ "^\.ht">
        Deny from all
    </Files>
</Directory>

<Directory /var/www/*/cgi-bin>
    Options ExecCGI -Indexes
    AllowOverride None
    AllowOverride Indexes AuthConfig Limit FileInfo
    Order allow,deny
    Allow from all
    <Files ~ "^\.ht">
        Deny from all
    </Files>
</Directory>

then your vhosts, and then the first section again, which means the vhosts from the first section are loaded before your vhosts (and afterwards they are loaded again...).
OK, so here is my new order:

<Directory /var/www/sharedip>...
<Directory /var/www/*/web>...
<Directory /var/www/*/user/*/web>...
<Directory /var/www/*/cgi-bin>...
then my 2 vhosts: mail.* and the redirect to https
then, as a last point, the vhost file of ISPConfig gets included.

Is this order right? Can I do it like this?
I'd put your vhosts right at the end, because otherwise you'll get problems with ISPConfig updates (because the installer is looking exactly for the configuration that was added when ISPConfig was installed the first time). I think so.