Godaddy SSL certificate and ISPConfig 3 Debian

Discussion in 'Installation/Configuration' started by sjswarts, Dec 24, 2011.

  1. cbj4074

    cbj4074 Member

    Well, what about when you comment-out all of the directives that we've added? Can you reach https://www.mytrusteddomain.com:50443/webmail ?

    Good. :) That means that my assessment thus far must be accurate. The problem is that SSL is not working as it should on https://www.mytrusteddomain.com:50443.

    Given that you are running SSL over port 50443, ISPConfig's settings are irrelevant. ISPConfig only knows and cares about SSL on port 443.

    Frankly, I'm not sure that you actually configured Apache to listen for SSL requests on port 50443.

    I can see that the tutorial you cited earlier instructs the reader to change the listening port for ISPConfig to 50443, at the bottom of http://www.howtoforge.com/extending-perfect-server-debian-squeeze-ispconfig-3 , but that would have no effect on the rest of your Apache configuration.

    You would have had to modify the virtual host configuration file for mytrusteddomain.com to force it to listen for SSL on port 50443 (because checking the box in ISPConfig's interface inserts port 443 in the vhost configuration file).

    So, unless you recall doing that, explicitly, I don't see how SSL could be working for sites other than the ISPConfig control panel on port 50443.
     
  2. sjswarts

    sjswarts New Member

    Ok I have checked over and over for anything that remotely mentions port 50443 and roundcube. All I can find is what that tutorial says with the mod_rewrite.c syntax.

I have hashed out everything and tried to access www.example.com/webmail, and it doesn't work; it gives a 500 error. If I put in https://www.example.com:50443/webmail it also errors out.

    This is the error now...

    [Wed Feb 08 22:47:56 2012] [error] [client 175.xxx.8.246] SoftException in Application.cpp:221: File "/var/lib/roundcube/index.php" is not in document root of Vhost "/var/www/example.com/web"
    [Wed Feb 08 22:47:56 2012] [error] [client 175.xxx.8.246] Premature end of script headers: index.php

    What I understand is this code...

    <IfModule mod_rewrite.c>
    <IfModule mod_ssl.c>
    <Location /webmail>
    RewriteEngine on
    RewriteCond %{HTTPS} !^on$ [NC]
    RewriteRule . https://%{HTTP_HOST}:50443%{REQUEST_URI} [L]
    </Location>
    </IfModule>
    </IfModule>

    in the file /etc/apache2/conf.d/roundcube.conf

    ... makes it so that when I put /webmail behind any domain I host they are redirected to the roundcube directory.
     
  3. sjswarts

    sjswarts New Member

To answer your question on what else I have done in regard to vhosts and listening on 50443... I haven't... Only ISPConfig.vhost mentions 50443, nowhere else... I guess that makes sense though, otherwise there would be a conflict??
     
  4. cbj4074

    cbj4074 Member

    Apache's SuPHP module, which is enabled by default for the FastCGI PHP mode, is preventing Roundcube from being executed because the script (/var/lib/roundcube/index.php) is not within example.com's document root.

    The only way around this is to either a) disable SuPHP altogether (bad idea) or b) make an exception for Roundcube.

    See my post here for the solution:

    Squirrelmail (or Roundcube) downloads file...
    http://www.howtoforge.com/forums/showthread.php?p=269706

    No. The bit that does that is

    Code:
    Alias /webmail /var/lib/roundcube
    
    The bit you cited above says, "If mod_rewrite is enabled, mod_ssl is enabled, and the user-agent requested the /webmail resource (URL), then switch-on mod_rewrite's rewriting engine. If the HTTPS (SSL) protocol is not in-use, rewrite all URLs and change them to their secure equivalents on the specified host (current domain in browser's address field) and port (50443)."

    For additional help with Roundcube, and some useful configuration tips, see my posts here:

    How to upgrade Roundcube 0.3 to 0.7 on Ubuntu 10.04 LTS
    http://www.howtoforge.com/forums/showthread.php?t=55729
     
  5. cbj4074

    cbj4074 Member

A conflict would not necessarily result. Any number of vhosts may listen on a given port. Consider the fact that most Web-servers host any number of websites on a single port (usually 80). The incoming requests are routed to the appropriate vhost based on the hostname (domain) that is specified in the request. In other words, it is possible to run ISPConfig on port 50443 while at the same time serving other domains on the same port.

Now, that said, ISPConfig is not configured to support that out-of-the-box (because ISPConfig does not permit a port number to be specified for websites that it creates/manages, either for plaintext connections or for SSL connections). As such, it doesn't make sense to shoe-horn non-standard configuration directives into the equation.

    The problem at this point is as I stated previously: SSL is not, in fact, enabled for the domain and port in question.

    Before going much further, it bears mention that serving Webmail on port 50443 seems less-than-ideal. There are no security benefits to running services on non-standard ports. Attackers are going to find the service regardless of which port it uses. This is classic "security by obscurity", and it is not effective. I realize that this poor advice is parroted throughout forums on the Internet, but I would advise you to ignore it.

    If you are willing to accept this advice, then I am willing to assist you with the setup that I would recommend. :)
     
  6. sjswarts

    sjswarts New Member

    G'day Ben,

    Yes I would very much like your help in setting it up.

    I can understand some (enough to be dangerous to myself) but nowhere near enough. I think that it would be pertinent to start from the beginning.

    So all I need to do is the following:

    1. ISPConfig on port 443
    2. Webmail on port 443 (I want to FORCE SSL to everyone)
    3. Direct all hosted domains (www.hosteddomain.com/webmail) to www.trusteddomain.com/webmail
    4. Direct www.trusteddomain.com/help to Spiceworks Server also using port 443

    Note:

    ISPConfig Server (single) - 192.168.10.5 - hostname: server1.trusteddomain.com - Debian system
    Spiceworks Server - 192.168.10.7 - hostname: spiceworks.trusteddomain.com - Windows XP

    I agree with your comments on the security by obscurity... I think it doesn't do anything much at all. But I followed the tutorial like a good sheep. :D

    Thanks mate
     
  7. cbj4074

    cbj4074 Member

    :D

    Yes, I think it's wise to undo/start over. While the cited tutorial does contain some great tips, it contains a few that will not work for many configurations.

    Actually, let's configure ISPConfig to run on port 8080 (the default) or 8443 (another common convention; Plesk, for example, uses this port).

    As you noted earlier, all that's necessary to achieve this is a quick edit to ISPConfig's vhost file and

    Code:
    # service apache2 restart
    
    Yes, the standard SSL port should be used for Webmail. We will focus on forcing SSL for everyone after SSL is configured correctly.

    The rules that we established previously will work for this once SSL is configured correctly.

    I assume that server1.trusteddomain.com and spiceworks.trusteddomain.com resolve to the same WAN IP address. If this is not the case, then ignore everything I'm about to say.

    What you describe in #4 is not possible with your setup; I would have told you this sooner had I seen the networking details that you provided in your last post (sorry if they were provided earlier; I must have missed them).

    The reason is that your router's NAT (Network Address Translation) function can forward requests for a given port to one machine (LAN IP address) only.

    Consider a user who is trying to reach the Apache Web-server, over SSL, from some remote location on the Internet. Your router receives the request on port 443 and looks to its port-forwarding configuration to determine to which internal (LAN) IP the request should be forwarded. Do you see the problem if both Apache and Spiceworks are running on the same port? The router cannot forward the request to both internal IP addresses simultaneously (to do so would make no sense, as a response to the client would be impossible). This is why in your router's port-forwarding configuration an error will result if you try to forward the same port to two different IP addresses.

    So, again, you would need to run Spiceworks and Apache on different ports, even though they are on different servers with different internal (LAN) IP addresses.

    If I am correct in these assumptions, then you will need to configure your router's port-forwarding function such that:

    1.) Port 8080 (or 8443, if you elect to use that instead) is forwarded to 192.168.10.5;

    2.) Port 443 is forwarded to 192.168.10.5, too;

    3.) Port XXX (where XXX is the port on which you elect to run Spiceworks) is forwarded to 192.168.10.7.

    You should also ensure that each of those IP addresses is either assigned statically, or, alternatively, reserved by MAC address in the router's DHCP configuration. Otherwise, there is a good chance that those IP address assignments will change (e.g., if the power goes out) and everything will go haywire.
     
  8. sjswarts

    sjswarts New Member

    Okay Ben,

    I have changed everything to what you have advised...

    ISPConfig is now accepting on 8443
    Spiceworks is now accepting on 8080
    www.trusteddomain.com/webmail is redirecting to https://www.trusteddomain.com/webmail with the certificate working.

    However it doesn't work

    tail -f /var/log/ispconfig/httpd/trusteddomain.com/error.log

    [Tue Feb 14 17:42:49 2012] [error] [client 124.150.49.198] Premature end of script headers: index.php
    [Tue Feb 14 17:43:06 2012] [error] [client 124.150.49.198] SoftException in Application.cpp:221: File "/var/lib/roundcube/index.php" is not in document root of Vhost "/var/www/trusteddomain.com/web"
    [Tue Feb 14 17:43:06 2012] [error] [client 124.150.49.198] Premature end of script headers: index.php

    It appears to be looking in the directory of trusteddomain.com under the folder /web for the index.php for roundcube which obviously doesn't reside there. Do I need to create a link or something??

    Thanks for your help we are making progress because when I put in www.someotherdomain.com/webmail it redirects to https://www.trusteddomain.com/webmail which is exactly what I wanted.

    Cheers,
    Steve
     
  9. sjswarts

    sjswarts New Member

I just found out that if I change ISPConfig.vhost to 8443, the redirect to /webmail doesn't work if it's on anything but the same port as ISPConfig.

    For example:

    ISPConfig.vhost is set to 8443
    /webmail is set to 50443 port redirect with ssl

    doesn't work

    ISPConfig.vhost is set to 50443
    /webmail is set to 50443 port redirect with ssl

    everything works fine!

    What I want is this

    ISPConfig.vhost set to 8443
    /webmail set to 443 with ssl

    Any ideas why it needs to be on the same port as ISPConfig to function properly??
     
  10. cbj4074

    cbj4074 Member

    Actually, PHP is not looking for Roundcube's index.php in the web directory. Rather, Apache is throwing a security exception because PHP is permitted to access scripts within the site's document root only. Obviously, Roundcube resides outside the site's document root, and therefore cannot be executed.

    We discussed this issue and the solution previously in this thread. Please see:

    http://www.howtoforge.com/forums/showpost.php?p=273200&postcount=44
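The restriction described in posts 4 and 10 (a script outside the vhost's document root is refused, producing the "is not in document root of Vhost" error) is easy to get subtly wrong when re-implementing or auditing it. The following is an added illustration written for this thread, not code from suPHP, ISPConfig or Roundcube; the paths are the ones quoted in the error message above, the `exceptions` parameter is a hypothetical stand-in for the per-directory exemption the thread goes on to configure, and `os.path.realpath` is used so that `..` components and symlinks cannot escape the root.

```python
import os


def _resolve(path: str) -> str:
    """Canonicalise a path: collapse '.' and '..' and follow symlinks.
    Comparing raw strings is the classic mistake; '/root/../../etc/x.php'
    or a symlink planted inside the docroot would otherwise pass a prefix test."""
    return os.path.realpath(path)


def is_within(path: str, root: str) -> bool:
    """True if the resolved path is root itself or lies strictly below it.
    The trailing separator matters: '/var/www/site/web2/x.php' must not
    be accepted for root '/var/www/site/web'."""
    real_root = _resolve(root).rstrip("/")
    real_path = _resolve(path)
    if real_root == "":          # root is '/', everything lies below it
        return True
    return real_path == real_root or real_path.startswith(real_root + "/")


def check_script(script: str, docroot: str, exceptions=()) -> str:
    """Decide whether a PHP script may be executed for a vhost.

    Returns one of:
      'allowed'   - script lies inside the vhost document root
      'exception' - script lies inside an explicitly permitted directory
                    (hypothetical model of exempting the Roundcube directory)
      'denied'    - everything else, i.e. the situation that produced
                    'File ... is not in document root of Vhost ...'
    """
    if is_within(script, docroot):
        return "allowed"
    if any(is_within(script, allowed_dir) for allowed_dir in exceptions):
        return "exception"
    return "denied"


if __name__ == "__main__":
    # Paths taken from the error message posted earlier in the thread.
    docroot = "/var/www/example.com/web"
    script = "/var/lib/roundcube/index.php"
    print(check_script(script, docroot))                           # denied
    print(check_script(script, docroot, ["/var/lib/roundcube"]))   # exception
    # A traversal attempt that textually starts inside the docroot is still caught.
    print(check_script(docroot + "/../../../lib/roundcube/index.php", docroot))  # denied
```

The two cases worth keeping in mind when narrowing such an exemption are the sibling-prefix case (`web2` versus `web`) and traversal via `..`; both are handled above, which is why the exemption should name a directory, not a string prefix.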
     
  11. cbj4074

    cbj4074 Member

    It sounds as though the /webmail redirection code exists somewhere within the ISPConfig vhost configuration, which would explain why the redirect happens only when you hit the ISPConfig vhost (e.g., via port 8443).

    In which file did you place the relevant Apache configuration directives (i.e., the mod_rewrite code that is triggering the redirect)?

    And please post the directives, too.
     
  12. sjswarts

    sjswarts New Member

There is NO webmail anywhere in ispconfig.vhost or ispconfig.conf, which are both located in
    Code:
    /etc/apache2/sites-available/
    As listed before, the mod_rewrite is placed in the following:

    Code:
    /etc/apache2/conf.d/roundcube.conf
    Code:
    # Those aliases do not work properly with several hosts on your apache server
    # Uncomment them to use it or adapt them to your configuration
    #    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
    Alias /webmail /var/lib/roundcube
    
    # Access to tinymce files
    <Directory "/usr/share/tinymce/www/">
          Options Indexes MultiViews FollowSymLinks
          AllowOverride None
          Order allow,deny
          allow from all
    </Directory>
    
    <Directory /var/lib/roundcube/>
      Options +FollowSymLinks
      # This is needed to parse /var/lib/roundcube/.htaccess. See its
      # content before setting AllowOverride to None.
      AllowOverride All
      order allow,deny
      allow from all
    
    #<IfModule mod_ssl.c>
    #  SSLOptions +StrictRequire
    #  SSLRequireSSL
#  SSLRequire %{HTTP_HOST} eq "www.trusteddomain.com"
    #  ErrorDocument 403 https://www.trusteddomain.com/webmail
    #</IfModule>
    
    </Directory>
    
    # Protecting basic directories:
    <Directory /var/lib/roundcube/config>
            Options -FollowSymLinks
            AllowOverride None
    </Directory>
    
    <Directory /var/lib/roundcube/temp>
            Options -FollowSymLinks
            AllowOverride None
            Order allow,deny
            Deny from all
    </Directory>
    
    <Directory /var/lib/roundcube/logs>
            Options -FollowSymLinks
            AllowOverride None
            Order allow,deny
            Deny from all
    </Directory>
    
    <IfModule mod_rewrite.c>
      <IfModule mod_ssl.c>
        <Location /webmail>
          RewriteEngine on
          RewriteCond %{HTTPS} !^on$ [NC]
          RewriteRule . https://%{HTTP_HOST}:8443%{REQUEST_URI}  [L]
        </Location>
      </IfModule>
    </IfModule>
    
    
Please note that the above code is what is current; I comment out the mod_rewrite.c section and uncomment the mod_ssl.c section.
     
  13. sjswarts

    sjswarts New Member

    I have tried to make heads and tails out of this but it is confusing the stuffing out of me... I know that repeating yourself sucks but could you explain it to me in my situation?

    I'm using roundcube

    Cheers
    Ben

    P.S. I will thank you for sure :p
     
  14. cbj4074

    cbj4074 Member

    That's okay; the relevant bit may be found here:

    http://www.howtoforge.com/forums/showpost.php?p=269706&postcount=34

    You need to configure Apache to disable suPHP, which imposes this security restriction, for the Roundcube directory. (Note: It's possible to leave suPHP enabled and configure it to allow access to the Roundcube directory, but quite frankly, doing so is probably more hassle than it's worth.)

    This complete example demonstrates disabling suPHP for the /webmail directory. You may need to clip only parts of this, given that you have likely already defined the /webmail Alias and such.

    File: /etc/apache/roundcube.conf (note that the symbolic link /etc/apache2/conf.d/roundcube points to this same file)

    Code:
    Alias /webmail /var/lib/roundcube
    <Location /webmail>
      <IfModule suphp_module>
        suPHP_Engine Off
        AddHandler php5-script	.php
      </IfModule>
      php_admin_value open_basedir "/etc/mailname:/etc/hostname:/usr/share/php:/etc/roundcube/:/usr/share/roundcube:/var/log/roundcube:/var/lib/roundcube"
    </Location>
    
    (Note that the open_basedir paths listed above apply to Debian/Ubuntu systems; other systems may use different directories. The Apache logs will reveal any issues related to the accuracy of these paths on the system in question.)

    Don't forget to reload Apache:

    Code:
    # service apache2 reload
    
     
    Last edited: Feb 21, 2012
  15. cbj4074

    cbj4074 Member

    Okay, good.

    Again, good; this is the correct location.

    The port number should be omitted from the rewrite rule if Apache will be serving secure content on port 443 (the default for SSL), like this:

    Code:
    <IfModule mod_rewrite.c>
      <IfModule mod_ssl.c>
        <Location /webmail>
          RewriteEngine on
          RewriteCond %{HTTPS} !^on$ [NC]
          RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
        </Location>
      </IfModule>
    </IfModule>
    
Webmail should be accessible over all ports on which Apache is listening, by the way, because Apache loads roundcube.conf for all virtual hosts. In other words, you should be able to see the Webmail interface at https://example.com:8443/webmail/ or https://example.com/webmail/ (port 443).

    Any dice?
     
  16. sjswarts

    sjswarts New Member

    G'day Ben,

    I have done what you listed on the two last posts and guess what it works beautifully. Finally www.trusteddomain.com/webmail not only loads up the roundcube directory but it also redirects to https://www.trusteddomain.com/webmail on port 443 which is perfect.

    Thank you

    Now we just have to do the redirect for clients to this address:

    https://www.trusteddomain.com/webmail

    if they try to access it from www.example.com/webmail (which is untrusted)

    I tried implementing some of the code from earlier and it came up with the following error:

    Code:
    Syntax error on line 91 of /etc/apache2/conf.d/roundcube.conf:
    SSLRequireSSL not allowed here
    Action 'configtest' failed.
    The Apache error log may have more information.
     failed!
    I put this code in there:

    Code:
    <IfModule mod_ssl.c>
      SSLOptions +StrictRequire
      SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.trusteddomain.com"
      ErrorDocument 403 https://www.trusteddomain.com/webmail
    </IfModule>
    Just want to say thanks a lot here in words as well mate...
     
  17. cbj4074

    cbj4074 Member

    Hi, Steve, no problem at all. Glad we're making some headway! :D

    I'm not sure why the snippet you posted is throwing a syntax error. I use this very snippet myself.

    Do you mind posting the entire contents of roundcube.conf? Maybe there is a missing opening/closing tag somewhere.
     
  18. sjswarts

    sjswarts New Member

    Code:
    # Those aliases do not work properly with several hosts on your apache server
    # Uncomment them to use it or adapt them to your configuration
    #    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
    Alias /webmail /var/lib/roundcube
    
    # Access to tinymce files
    <Directory "/usr/share/tinymce/www/">
          Options Indexes MultiViews FollowSymLinks
          AllowOverride None
          Order allow,deny
          allow from all
    </Directory>
    
    <Directory /var/lib/roundcube/>
      Options +FollowSymLinks
      # This is needed to parse /var/lib/roundcube/.htaccess. See its
      # content before setting AllowOverride to None.
      AllowOverride All
      order allow,deny
      allow from all
    
    </Directory>
    
    # Protecting basic directories:
    <Directory /var/lib/roundcube/config>
            Options -FollowSymLinks
            AllowOverride None
    </Directory>
    
    <Directory /var/lib/roundcube/temp>
            Options -FollowSymLinks
            AllowOverride None
            Order allow,deny
            Deny from all
    </Directory>
    
    <Directory /var/lib/roundcube/logs>
            Options -FollowSymLinks
            AllowOverride None
            Order allow,deny
            Deny from all
    </Directory>
    
    <Location /webmail>
      <IfModule suphp_module>
        suPHP_Engine Off
        AddHandler php5-script      .php
      </IfModule>
      php_admin_value open_basedir "/etc/mailname:/etc/hostname:/usr/share/php:/etc/roundcube/:/usr/share/roundcube:/v$
    </Location>
    
    <IfModule mod_rewrite.c>
      <IfModule mod_ssl.c>
        <Location /webmail>
          RewriteEngine on
          RewriteCond %{HTTPS} !^on$ [NC]
          RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
        </Location>
      </IfModule>
    </IfModule>
    
    I tried adding this to the bottom:

    Code:
    <IfModule mod_ssl.c>
      SSLOptions +StrictRequire
      SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.trusteddomain.com"
      ErrorDocument 403 https://www.trusteddomain.com/webmail
    </IfModule>
    Didn't work...
     
  19. sjswarts

    sjswarts New Member

    *FIREWORKS* *APPLAUSE*
    IT finally works just great!!!

    I was reading through the code and instead of putting this:

    Code:
    <IfModule mod_ssl.c>
      SSLOptions +StrictRequire
      SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.trusteddomain.com"
      ErrorDocument 403 https://www.trusteddomain.com/webmail
    </IfModule>
    ...separately it was meant to go here:


    Code:
    <IfModule mod_rewrite.c>
      <IfModule mod_ssl.c>
        <Location /webmail>
    
          SSLOptions +StrictRequire
          SSLRequireSSL
          SSLRequire %{HTTP_HOST} eq "www.trusteddomain.com"
      ErrorDocument 403 https://www.trusteddomain.com/webmail
    
          RewriteEngine on
          RewriteCond %{HTTPS} !^on$ [NC]
          RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
    
        </Location>
      </IfModule>
    </IfModule>
    
    Now it works like a charm.

    So in the end I have achieved this:

    1. Fixed SSL Certificate for Email and Website
    2. ISPConfig to port 8443 - using SSL Certificate
    3. Webmail is now on port 443 - using SSL Certificate
    4. www.trusteddomain.com/webmail redirects to https://www.trusteddomain.com/webmail
    5. www.otherhosteddomain.com/webmail redirects to https://www.trusteddomain.com/webmail
    6. Redirected www.trusteddomain.com/help to Spiceworks server (different than ISPConfig server)

    All is good in the world once again.

BIG Thanks to Ben (cbj4074) for putting up with me and persevering to the end. You are a real star mate, I appreciate the effort and if you're ever in Western Australia I'll buy you a beer :D

    Regards,
    Steve
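The thread tried three versions of the `<Location /webmail>` block: a RewriteRule with a port hard-coded (50443, then 8443), the port-less rule from post 15, and the final block above that adds SSLRequireSSL, SSLRequire on the hostname and an ErrorDocument 403 redirect. The following is an added model of that block written for this thread, not Apache's own code or anything posted by either participant, to make the behaviour of each version visible side by side. The function takes the three request variables the directives consult (`%{HTTPS}`, `%{HTTP_HOST}`, `%{REQUEST_URI}`); `rewrite_port` and `require_trusted_ssl` are hypothetical switches standing in for the three configurations, and the ordering (SSL access checks evaluated before the per-location rewrite) is an assumption of the model.

```python
import re

# The one hostname whose certificate is trusted for Webmail in the thread.
TRUSTED_HOST = "www.trusteddomain.com"


def webmail_policy(scheme, host, uri, rewrite_port=None, require_trusted_ssl=False):
    """Model of the <Location /webmail> block discussed in the thread.

    scheme, host, uri   : what the client sent (%{HTTPS}, %{HTTP_HOST}, %{REQUEST_URI})
    rewrite_port        : port hard-coded in the RewriteRule target (50443 or 8443),
                          or None for the port-less rule from post 15
    require_trusted_ssl : whether the SSLRequireSSL / SSLRequire / ErrorDocument 403
                          lines from the final block are present

    Returns (outcome, target):
      ("redirect", url) - the client is sent to url
      ("serve", None)   - Roundcube is served for this request
    Assumption of the model: the SSL access checks run before the rewrite.
    For a plain-HTTP request both mechanisms push the client to HTTPS anyway.
    """
    https_value = "on" if scheme.lower() == "https" else "off"
    https_on = https_value == "on"

    if require_trusted_ssl:
        # SSLRequireSSL: plain HTTP is forbidden.
        # SSLRequire %{HTTP_HOST} eq "www.trusteddomain.com": any other vhost is forbidden.
        # ErrorDocument 403 https://www.trusteddomain.com/webmail: the forbidden
        # response is turned into a redirect to the trusted name, so every hosted
        # domain's /webmail collapses onto the one hostname the certificate covers.
        if not https_on or host != TRUSTED_HOST:
            return ("redirect", f"https://{TRUSTED_HOST}/webmail")

    # RewriteCond %{HTTPS} !^on$ [NC]  ->  the rule fires only when HTTPS is not "on"
    if not re.fullmatch(r"on", https_value, re.IGNORECASE):
        # RewriteRule . https://%{HTTP_HOST}[:port]%{REQUEST_URI} [L]
        # Note that the target reuses whatever Host header the client supplied.
        port = f":{rewrite_port}" if rewrite_port else ""
        return ("redirect", f"https://{host}{port}{uri}")

    return ("serve", None)


def replay_thread_configs():
    """Run the same four requests through each configuration the thread tried."""
    requests = [
        ("http", "www.trusteddomain.com", "/webmail"),
        ("http", "www.otherhosteddomain.com", "/webmail"),
        ("https", "www.otherhosteddomain.com", "/webmail"),
        ("https", "www.trusteddomain.com", "/webmail"),
    ]
    configs = {
        "port 8443 hard-coded (post 12)": dict(rewrite_port=8443),
        "no port (post 15)": dict(),
        "no port + SSLRequire (post 19)": dict(require_trusted_ssl=True),
    }
    return {
        name: [webmail_policy(*req, **opts) for req in requests]
        for name, opts in configs.items()
    }


if __name__ == "__main__":
    for name, outcomes in replay_thread_configs().items():
        print(name)
        for outcome in outcomes:
            print("   ", outcome)
```

Replaying the requests shows why the earlier versions misbehaved: with a port hard-coded, a plain-HTTP request is redirected to `https://<host>:8443/webmail`, i.e. onto whichever vhost listens on that port (the ISPConfig panel, as post 11 suspected), and with the port-less rule a request to a hosted domain is redirected to `https://www.otherhosteddomain.com/webmail`, a name the GoDaddy certificate does not cover. Only the final block sends every variant to `https://www.trusteddomain.com/webmail` and serves Roundcube solely for HTTPS requests carrying the trusted hostname.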
     
  20. cbj4074

    cbj4074 Member

    Nice work! It's rewarding to see everything come together. You're quite welcome, and I appreciate all the "Thanks" clicks!

Don't forget to back up regularly; it would be a shame to have to redo any of this after a data disaster. (At least the whole process is documented on this forum.)

    I'll take you up on that beer if I am ever in western Australia. Cheers!
     
