I have a site (www.mydomain.com) and want one page to be secure. I set up a new site (secure.mydomain.com) and created an SSL certificate. When I enter https://secure.mydomain.com, it asks for a username and password. Is this right? Also, it still allows me to go to http://secure.mydomain.com. I want it to only be able to access the page securely. Also, I read somewhere that you can only have one certificate per IP address. Is there a way to use the same certificate I use to log in to ISPConfig on the one form so I don't have to use another IP address? Thanks.
ISPConfig is on port 81, so the SSL certificate on ISPConfig does not conflict with the SSL certificate on port 443. You may have one SSL certificate per IP address on every port.
I made a new site, enabled SSL, filled out the information, and created a certificate. I didn't copy and paste anything because I just want a self-signed certificate for now. When I went to secure.mydomain.com, the page still pulls up with http rather than https . . . and it asks for a username and password.
Code:
To view this page, you need to log in to area “unspecified” on secure.mydomain.com.
How do I fix these two issues?
Yes. When I go to https://secure.mydomain.com, it asks me to accept the certificate, which I expect, then asks me for a username and password, which I did not expect. I do not even know which username and password it wants, but, even if I did, I wouldn't want users to have to enter it each time. So, two issues: 1) I would like to force it to go to secure only, so if someone enters http, it goes to https. 2) I don't want visitors to have to enter a username and password every time they pull up the page. Thanks.
The password is not requested by ISPConfig or the SSL certificate. Please make sure that you did not add any .htaccess file to the directory of the website and that you are really logging in to your current site.
I'm positive I did not add one. I created the site specifically for this. All I have done is created the site and added the certificate. I can go to http://secure.mydomain.com without entering a username and password.
What's in Vhosts_ispconfig.conf, and what's the document root of the https://secure.mydomain.com web site? Please check that directory for an .htaccess file.
Vhosts_ispconfig.conf:
Code:
root@server1:/# vim /etc/apache2/vhosts/Vhosts_ispconfig.conf
AddOutputFilter INCLUDES .shtml
Alias /error/ "/var/www/web3/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web3/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web3/user/$1/web/$3
</VirtualHost>
#
<IfModule mod_ssl.c>
<VirtualHost 192.168.0.100:443>
ServerName secure.mydomain.com:443
ServerAdmin [email protected]
DocumentRoot /var/www/web3/web
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ScriptAlias /cgi-bin/ /var/www/web3/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/web3/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
<Files *.php>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
<Files *.php3>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
<Files *.php4>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
<Files *.php5>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web3/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /var/www/web3/phptmp/
php_admin_value session.save_path /var/www/web3/phptmp/
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
SSLEngine on
SSLCertificateFile /var/www/web3/ssl/secure.mydomain.com.crt
SSLCertificateKeyFile /var/www/web3/ssl/secure.mydomain.com.key
Alias /error/ "/var/www/web3/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web3/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web3/user/$1/web/$3
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
#
Code:
root@server1:/# ls /var/www/web3/web
error index.html stats
What about inserting this into the vHost of your subdomain:
Code:
SSLRequireSSL
Then you shouldn't be able to access the site without SSL.
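Added example, not part of the thread or of ISPConfig's generated file: `SSLRequireSSL` refuses plain-HTTP requests with 403 Forbidden but does not redirect them, so sending http visitors on to https needs a separate `Redirect` in the port-80 vhost. The port-80 `<VirtualHost>` header below is an assumption (only the tail of that vhost was posted); the IP, ServerName, and paths are the ones from the posted port-443 vhost.

```apache
# Added example. Assumption: the plain-HTTP vhost uses the same IP and
# ServerName as the posted :443 vhost; its header was not shown in the thread.

# Port 80: serve no content, only send every request to the HTTPS site.
<VirtualHost 192.168.0.100:80>
    ServerName secure.mydomain.com
    # mod_alias: 301 for / and everything below it; the request path is kept.
    Redirect permanent / https://secure.mydomain.com/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 192.168.0.100:443>
    ServerName secure.mydomain.com:443
    DocumentRoot /var/www/web3/web
    SSLEngine on
    SSLCertificateFile    /var/www/web3/ssl/secure.mydomain.com.crt
    SSLCertificateKeyFile /var/www/web3/ssl/secure.mydomain.com.key

    # SSLRequireSSL is valid only in directory context (<Directory>,
    # <Location>, .htaccess), so it is wrapped here rather than placed
    # directly under <VirtualHost>. It answers 403 to any non-SSL request
    # for this tree, which acts as a backstop if the document root ever
    # becomes reachable through another, non-SSL vhost.
    <Directory /var/www/web3/web>
        SSLRequireSSL
    </Directory>
</VirtualHost>
</IfModule>
```

If ISPConfig regenerates Vhosts_ispconfig.conf, hand edits to that file will be lost, so the directives would need to be entered through the control panel instead.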
Code:
root@mail:~# ls -la /var/www/web3/web
total 24
drwxrwxr-x 4 mydomain.com_secure web3 4096 2007-07-14 04:00 .
drwxr-xr-x 8 mydomain.com_secure web3 4096 2007-07-23 14:47 ..
drwxrwxr-x 2 mydomain.com_secure web3 4096 2007-07-13 15:45 error
-rw-rw-r-- 1 mydomain.com_secure web3 4456 2007-07-22 05:39 index.html
drwxr-xr-x 2 mydomain.com_secure web3 4096 2007-07-14 04:00 stats
root@mail:~# ls -la /var/www/web3/
total 40
drwxr-xr-x 8 mydomain.com_secure web3 4096 2007-07-23 14:47 .
drwxr-xr-x 8 root root 4096 2007-07-13 15:45 ..
drwxrwxr-x 2 mydomain.com_secure web3 4096 2007-07-13 15:45 cgi-bin
-rw------- 1 mydomain.com_secure web3 24 2007-07-22 05:39 .forward
drwxr-xr-x 3 mydomain.com_secure web3 4096 2007-07-14 00:30 log
lrwxrwxrwx 1 root root 46 2007-07-22 05:39 Maildir -> /var/www/web3/user/mydomain.com_secure/Maildir
drwxrwxrwx 2 mydomain.com_secure web3 4096 2007-07-13 15:45 phptmp
-rw-r--r-- 1 root root 520 2007-07-22 05:39 .procmailrc
drwxr-xr-x 2 mydomain.com_secure web3 4096 2007-07-13 15:47 ssl
drwxr-xr-x 3 mydomain.com_secure web3 4096 2007-07-21 00:23 user
lrwxrwxrwx 1 root root 54 2007-07-22 05:39 .vacation.cache -> /var/www/web3/user/mydomain.com_secure/.vacation.cache
drwxrwxr-x 4 mydomain.com_secure web3 4096 2007-07-14 04:00 web
And this is the message I get when I try to access https://secure.mydomain.com:
Code:
To view this page, you need to log in to area “unspecified” on secure.mydomain.com. Your log-in information will be sent securely.
Code:
root@mail:~# dig secure.mydomain.com
; <<>> DiG 9.3.4 <<>> secure.mydomain.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38353
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;secure.mydomain.com. IN A
;; ANSWER SECTION:
secure.mydomain.com. 86400 IN A 166.70.145.195
;; Query time: 1 msec
;; SERVER: 172.16.10.3#53(172.16.10.3)
;; WHEN: Tue Jul 24 08:14:51 2007
;; MSG SIZE rcvd: 53
root@mail:~#
Also, when I am asked to review the certificate, the information on the certificate does not match what I entered in the SSL tab. When I go to any of my sites with https, it gives me the same thing. Did it not create the certificate?