ISPConfig Interface - Subdomain + SSL

Discussion in 'ISPConfig 3 Priority Support' started by arraken, Feb 7, 2014.

  1. arraken

    arraken Member

    Hi!

    I have a wildcard class 2 certificate from StartSSL for the Domain where I host my ISPConfig Interface. I managed to secure the Interface following this tutorial. http://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl

    So I can now access https://web1.mydomain.tld:8080 and get a nice green symbol in my browser bar. However, I want to be able to login with https://ispconfig.mydomain.tld.

    I already managed to do this without ssl on another server.

    I created a website ispconfig.mydomain.tld and put the following in the apache directives:
    Code:
    ProxyRequests Off
    
    <Proxy *>
      Order deny,allow
      Allow from all
    </Proxy>
    
    ProxyPass / http://ispconfig2.keplerlabs.at:8080/
    ProxyPassReverse / http://ispconfig2.keplerlabs.at:8080/

    With SSL I don't know how to do it however. I tried to just use "https" instead of "http" in the apache directive, but that didn't work.

    I also don't know what I have to put into the fields in the "SSL" tab. Do I just have to copy my class2-certificate.crt into the SSL Certificate field, or do I also need the Key and CSR files?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You will have to enable ssl in that website, then copy the ssl key, cert and bundle into the fields on the ssl tab of the website and select "save certificate" as action.
     
  3. arraken

    arraken Member

    Ok, I did that, but I get the following error in the browser when I go to https://ispconfig.mydomain.tld

    "SSL Verbindungsfehler
    Es kann keine sichere Verbindung zum Server hergestellt werden. Möglicherweise liegt ein Problem mit dem Server vor oder es ist ein Client-Authentifizierungszertifikat erforderlich, das Sie nicht haben.
    Fehlercode: ERR_SSL_PROTOCOL_ERROR"

    I pasted this into the bundle field: https://www.startssl.com/certs/ca-bundle.pem

    In the key field, I tried both the key with password and the key without password, but both didn't work.

    Also, in my ssl-folder on the server, "*.err" files are created. (e.g. ispconfig.mydomain.tld.crt.err...)
     
  4. arraken

    arraken Member

    All right, I got it working. My mistake was that I used the password protected private key, and not the one without a passphrase.

    I then got different errors with proxy_module and SSLProxyEngine, which was easy to solve after some logfile-checking.

    So, for my future self, and other ISP-Configurers who might be interested: Here's what I did to make the ISPConfig Interface available via subdomain, using SSL, e.g.: https://ispconfig.mydomain.tld.


    1. First, setup your SSL Certificate for the ISPConfig Interface like so: http://www.howtoforge.com/securing-your-ispconfig-3-installation-with-a-free-class1-ssl-certificate-from-startssl
    2. Install and activate apache proxy module. Make sure your proxy_module also loads proxy_http_module (discussed here: http://www.forums.serverwatch.com/showthread.php?16887-mod_proxy-problem). You can check with
      Code:
      apache2ctl -M | grep proxy
    3. Create a new website in ISPConfig (e.g. ispconfig.mydomain.tld)
    4. Enable SSL and paste your key (without passphrase), certificate and ca-bundle into the appropriate fields in the SSL-tab. Use "save certificate" as SSL-Action.
    5. Go to the "Options" tab and put the following in the "Apache Directives" field:
      Code:
      ProxyRequests Off
      SSLProxyEngine On
      
      <Proxy *>
        Order deny,allow
        Allow from all
      </Proxy>
      
      ProxyPass / https://ispconfig.mydomain.tld:8080/
      ProxyPassReverse / https://ispconfig.mydomain.tld:8080/
      
    6. If you also want to redirect all http traffic to https, add this to the Apache Directives field:
      Code:
      RewriteEngine on
      RewriteCond %{SERVER_PORT} !^443$
      RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R] 
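
Added example, not part of the original post: a pre-flight check for the failure described in posts 3 and 4, where a passphrase-protected key was pasted into the SSL tab. The function names and file names are hypothetical, and the PEM files are constructed header stubs with no key material.

```shell
#!/bin/sh
# Added example. File names are placeholders; the PEM stubs below are
# constructed headers only and contain no real key material.

# classify_key FILE -> prints "encrypted", "plain" or "not-a-key"
classify_key() {
    if grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" ||
       grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # PKCS#8 encrypted, or legacy PEM with a passphrase
    elif grep -Eq -e '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo not-a-key
    fi
}

# key_matches_cert KEY CERT -> exit 0 when both carry the same public key.
# Needs openssl and an unencrypted key; exit 2 means a file could not be read.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# preflight KEY -> exit 0 only if the key can be pasted into the SSL tab as-is
preflight() {
    case $(classify_key "$1") in
        plain)     echo "ok: $1 has no passphrase"; return 0 ;;
        encrypted) echo "fail: $1 is passphrase-protected; write a decrypted copy with"
                   echo "      openssl pkey -in $1 -out ssl.key.plain   (then chmod 600)"
                   return 1 ;;
        *)         echo "fail: $1 is not a PEM private key"; return 1 ;;
    esac
}

# Demo on constructed stubs
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/ssl.key.enc"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/ssl.key"
preflight "$demo_dir/ssl.key.enc" || true
preflight "$demo_dir/ssl.key"
rm -rf "$demo_dir"
```

A web server started by a control panel has no terminal on which to ask for a passphrase, so the decrypted copy is protected only by its file permissions.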
     
  5. arraken

    arraken Member

    Ok, after I successfully handled this in apache, I need to achieve the same configuration in nginx...

    So, to reiterate: I want to be able to access the ISPConfig admin panel via "https://ispconfig.mydomain.tld", but this time on an nginx installation. Above I summarized how to do this with apache, but I have been unable to reproduce this on the nginx server, because I don't know how to translate the apache directive into nginx directives.

    Any help would be very appreciated!
     
  6. arraken

    arraken Member

    Ok, I'm having a first success with this nginx directive:

    Code:
    location / {
      proxy_pass        http://ispconfig.mydomain.tld:8080/;
      proxy_set_header  X-Real-IP  $remote_addr;
      # original host uses built-in $host variable, replace it with desired name
      # proxy_set_header Host $host;
      proxy_set_header  X-Forwarded-Host $host;
      proxy_set_header  X-Forwarded-Server $host;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  Host       ispconfig.mydomain.tld;
    }
    
    
    However, when I go to ispconfig.mydomain.tld in my browser, the :8080 is still added to the url - it would be nicer if this could be removed somehow. Any ideas?
     
  7. arraken

    arraken Member

    Ok, I did some additional configuration to make it work for my phpmyadmin and roundcube interfaces as well. Here's my configuration that lets my users connect to the following urls:

    ispconfig.example.tld
    ispconfig.example.tld/webmail
    ispconfig.example.tld/roundcube
    ispconfig.example.tld/phpmyadmin

    All these URLs get rewritten to https://url:PortNr

    First, do points 1 and 3 from the apache "tutorial" I described above. (points 2 and 4 are not necessary with nginx)

    Put the following into the nginx-directives field under the options tab of your ispconfig.example.tld website:

    Code:
    location / {
            proxy_pass        http://ispconfig.example.tld:8080/;
            proxy_set_header  X-Real-IP  $remote_addr;
            proxy_set_header  X-Forwarded-Host $host;
            proxy_set_header  X-Forwarded-Server $host;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header  Host       ispconfig.example.tld;
    }

    location /roundcube {
            include proxy_params;
            proxy_pass http://ispconfig.example.tld:8081/roundcube;
    }

    location /phpmyadmin {
            include proxy_params;
            proxy_pass http://ispconfig.example.tld:8081/phpmyadmin;
    }

    location /webmail {
            include proxy_params;
            proxy_pass http://ispconfig.example.tld:8081/webmail;
    }
    

    I've also had to make some changes in the apps.vhost file (changes are in bold). Be aware that ispconfig will overwrite the apps.vhost file if you update ISPConfig for example. There are better ways to make changes here (include an extra vhost-file for example..) but I don't really need that, because I use puppet to manage this file.

    Code:
    server {
            listen 8081;
    
            server_name _;
    
            root   /var/www/apps;
    
            client_max_body_size 20M;
    
    
    
            # BEGIN changes (shown in bold in the original post)
            # ssl cert
            ssl on;
            ssl_certificate   /usr/local/ispconfig/interface/ssl/ispserver.pem;
            ssl_certificate_key   /usr/local/ispconfig/interface/ssl/ispserver.key;

            # redirect to https if accessed with http
            error_page 497 https://$host:8081$request_uri;
            # END changes
    
            location / {
                   index index.php index.html;
            }
    
            # serve static files directly
            location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
                   access_log        off;
            }
    
            location ~ \.php$ {
                   try_files $uri =404;
                   fastcgi_param   QUERY_STRING            $query_string;
                   fastcgi_param   REQUEST_METHOD          $request_method;
                   fastcgi_param   CONTENT_TYPE            $content_type;
                   fastcgi_param   CONTENT_LENGTH          $content_length;
    
                   fastcgi_param   SCRIPT_FILENAME         $request_filename;
                   fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
                   fastcgi_param   REQUEST_URI             $request_uri;
                   fastcgi_param   DOCUMENT_URI            $document_uri;
                   fastcgi_param   DOCUMENT_ROOT           $document_root;
                   fastcgi_param   SERVER_PROTOCOL         $server_protocol;
    
                   fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
                   fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
    
                   fastcgi_param   REMOTE_ADDR             $remote_addr;
                   fastcgi_param   REMOTE_PORT             $remote_port;
                   fastcgi_param   SERVER_ADDR             $server_addr;
                   fastcgi_param   SERVER_PORT             $server_port;
                   fastcgi_param   SERVER_NAME             $server_name;
    
                   fastcgi_param   HTTPS                   $https;
    
                   # PHP only, required if PHP was built with --enable-force-cgi-redirect
                   fastcgi_param   REDIRECT_STATUS         200;
                   fastcgi_pass unix:/var/lib/php5-fpm/apps.sock;
                   fastcgi_index index.php;
                   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                   #fastcgi_param PATH_INFO $fastcgi_script_name;
                   fastcgi_buffer_size 128k;
                   fastcgi_buffers 256 4k;
                   fastcgi_busy_buffers_size 256k;
                   fastcgi_temp_file_write_size 256k;
    
    
    
            }
    
            location ~ /\. {
                   deny  all;
            }
    
            location /phpmyadmin {
                   root /usr/share/;
                   index index.php index.html index.htm;
                   location ~ ^/phpmyadmin/(.+\.php)$ {
                           try_files $uri =404;
                           root /usr/share/;
                           fastcgi_param   QUERY_STRING            $query_string;
                           fastcgi_param   REQUEST_METHOD          $request_method;
                           fastcgi_param   CONTENT_TYPE            $content_type;
                           fastcgi_param   CONTENT_LENGTH          $content_length;
    
                           fastcgi_param   SCRIPT_FILENAME         $request_filename;
                           fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
                           fastcgi_param   REQUEST_URI             $request_uri;
                           fastcgi_param   DOCUMENT_URI            $document_uri;
                           fastcgi_param   DOCUMENT_ROOT           $document_root;
                           fastcgi_param   SERVER_PROTOCOL         $server_protocol;
    
                           fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
                           fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
    
                           fastcgi_param   REMOTE_ADDR             $remote_addr;
                           fastcgi_param   REMOTE_PORT             $remote_port;
                           fastcgi_param   SERVER_ADDR             $server_addr;
                           fastcgi_param   SERVER_PORT             $server_port;
                           fastcgi_param   SERVER_NAME             $server_name;
    
                           fastcgi_param   HTTPS                   $https;
    
                           # PHP only, required if PHP was built with --enable-force-cgi-redirect
                           fastcgi_param   REDIRECT_STATUS         200;
                           # To access phpMyAdmin, the default user (like www-data on Debian/Ubuntu) must be used
                           fastcgi_pass 127.0.0.1:9000;
                           #fastcgi_pass unix:/var/run/php5-fpm.sock;
                           fastcgi_index index.php;
                           fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                           fastcgi_buffer_size 128k;
                           fastcgi_buffers 256 4k;
                           fastcgi_busy_buffers_size 256k;
                           fastcgi_temp_file_write_size 256k;
                           fastcgi_read_timeout 240;
    
                   }
                   location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                           root /usr/share/;
                   }
            }
            location /phpMyAdmin {
                   rewrite ^/* /phpmyadmin last;
            }
    
            location /roundcube {
                   root /var/lib/;
                   index index.php index.html index.htm;
                   location ~ ^/roundcube/(.+\.php)$ {
                           try_files $uri =404;
                           root /usr/share/;
                           fastcgi_param   QUERY_STRING            $query_string;
                           fastcgi_param   REQUEST_METHOD          $request_method;
                           fastcgi_param   CONTENT_TYPE            $content_type;
                           fastcgi_param   CONTENT_LENGTH          $content_length;
    
                           fastcgi_param   SCRIPT_FILENAME         $request_filename;
                           fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
                           fastcgi_param   REQUEST_URI             $request_uri;
                           fastcgi_param   DOCUMENT_URI            $document_uri;
                           fastcgi_param   DOCUMENT_ROOT           $document_root;
                           fastcgi_param   SERVER_PROTOCOL         $server_protocol;
    
                           fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
                           fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
    
                           fastcgi_param   REMOTE_ADDR             $remote_addr;
                           fastcgi_param   REMOTE_PORT             $remote_port;
                           fastcgi_param   SERVER_ADDR             $server_addr;
                           fastcgi_param   SERVER_PORT             $server_port;
                           fastcgi_param   SERVER_NAME             $server_name;
    
                           fastcgi_param   HTTPS                   $https;
    
                           # PHP only, required if PHP was built with --enable-force-cgi-redirect
                           fastcgi_param   REDIRECT_STATUS         200;
                           # To access SquirrelMail, the default user (like www-data on Debian/Ubuntu) must be used
                           fastcgi_pass 127.0.0.1:9000;
                           #fastcgi_pass unix:/var/run/php5-fpm.sock;
                           fastcgi_index index.php;
                           fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                           fastcgi_buffer_size 128k;
                           fastcgi_buffers 256 4k;
                           fastcgi_busy_buffers_size 256k;
                           fastcgi_temp_file_write_size 256k;
                   }
                   location ~* ^/roundcube/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                           root /var/lib/;
                   }
            }
            location /webmail {
                   rewrite ^/* /roundcube last;
            }
    
            location /cgi-bin/mailman {
                   root /usr/lib/;
                   fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
                   fastcgi_param   QUERY_STRING            $query_string;
                   fastcgi_param   REQUEST_METHOD          $request_method;
                   fastcgi_param   CONTENT_TYPE            $content_type;
                   fastcgi_param   CONTENT_LENGTH          $content_length;
    
                   fastcgi_param   SCRIPT_FILENAME         $request_filename;
                   fastcgi_param   SCRIPT_NAME             $fastcgi_script_name;
                   fastcgi_param   REQUEST_URI             $request_uri;
                   fastcgi_param   DOCUMENT_URI            $document_uri;
                   fastcgi_param   DOCUMENT_ROOT           $document_root;
                   fastcgi_param   SERVER_PROTOCOL         $server_protocol;
    
                   fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
                   fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;
    
                   fastcgi_param   REMOTE_ADDR             $remote_addr;
                   fastcgi_param   REMOTE_PORT             $remote_port;
                   fastcgi_param   SERVER_ADDR             $server_addr;
                   fastcgi_param   SERVER_PORT             $server_port;
                   fastcgi_param   SERVER_NAME             $server_name;
    
                   fastcgi_param   HTTPS                   $https;
    
                   # PHP only, required if PHP was built with --enable-force-cgi-redirect
                   fastcgi_param   REDIRECT_STATUS         200;
                   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                   fastcgi_param PATH_INFO $fastcgi_path_info;
                   fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
                   fastcgi_intercept_errors on;
                   fastcgi_pass unix:/var/run/fcgiwrap.socket;
            }
    
            location /images/mailman {
                   alias /usr/share/images/mailman;
            }
    
            location /pipermail {
                   alias /var/lib/mailman/archives/public;
                   autoindex on;
            }
    }

    If you want the links which lead to phpmyadmin and webmail in the ispconfig interface to work with ispconfig.example.tld, you need to make some changes in System->Main Config. My PhpMyAdmin URL goes like this for example: https://ispconfig.example.tld:8081/phpmyadmin

    I don't know if this is the ideal solution, or if there are some things you can do better / more easy, but so far it works for me. If anybody has any corrections or better solutions, please feel free to correct me. :)
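
Added example, not part of the original post: an nginx listener with `ssl on;` answers a plain-HTTP request with error 497, and an `error_page 497 https://$host:8081$request_uri;` line turns that into a redirect to the port-qualified URL, so a `proxy_pass http://...:8081/` in front of it redirects the browser instead of proxying. The lint below flags that scheme mismatch; the function name is hypothetical, the sample files are constructed, and it assumes one directive per line.

```shell
#!/bin/sh
# Added example. Assumes one directive per line; sample files are constructed.

# lint_proxy_scheme FILE...
# Prints every proxy_pass that speaks plain http:// to a port on which one of
# the given files enables TLS ("ssl on;" or "listen ... ssl;").
# Exit status: 0 = no mismatch, 1 = at least one mismatch.
lint_proxy_scheme() {
    awk '
        { sub(/#.*/, "") }                              # strip comments
        $1 == "listen" {
            port = $2; sub(/;.*/, "", port); sub(/.*:/, "", port)
            if ($0 ~ /[ \t]ssl[ \t;]/) tls[port] = 1    # listen 443 ssl;
        }
        $1 == "ssl" && $2 ~ /^on;?$/ { tls[port] = 1 }  # ssl on; after listen
        $1 == "proxy_pass" {
            n++; url[n] = $2; sub(/;$/, "", url[n]); at[n] = FILENAME ":" FNR
        }
        END {
            for (i = 1; i <= n; i++) {
                if (url[i] !~ /^http:\/\//) continue    # https upstreams are fine
                hostport = url[i]
                sub(/^http:\/\//, "", hostport); sub(/\/.*/, "", hostport)
                p = 80
                if (hostport ~ /:[0-9]+$/) { p = hostport; sub(/.*:/, "", p) }
                if (p in tls) {
                    printf "%s: %s sends plain HTTP to TLS port %s\n", at[i], url[i], p
                    bad = 1
                }
            }
            exit bad + 0
        }' "$@"
}

# Demo on constructed fragments modelled on the configuration above
demo=$(mktemp -d)
cat > "$demo/apps.vhost" <<'EOF'
server {
    listen 8081;
    ssl on;
    error_page 497 https://$host:8081$request_uri;
}
EOF
cat > "$demo/site.directives" <<'EOF'
location /roundcube {
    proxy_pass http://ispconfig.example.tld:8081/roundcube;
}
location /phpmyadmin {
    proxy_pass https://ispconfig.example.tld:8081/phpmyadmin;
}
EOF
lint_proxy_scheme "$demo/apps.vhost" "$demo/site.directives" || true
rm -rf "$demo"
```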
     
