Hi all, In the continuation of this thread ( http://www.howtoforge.com/forums/showthread.php?t=45898 ) I really wonder how ispconfig changes his configuration. I can notice some behavior I don't understand (surely because of ONE thing I can't understand, but which one !) 1- I can see that all symbolic links of web software can't work with the domain which is now attached to this new IP address : squirrelmail, roundcube, phpmyadmin, munin... One solution was to add the folder of theses folders in the "PHP open_basedir" field (which is limited ! Is it normal ?) But why is it now a necessity whereas it wasn't with the "main" IP ? 2 - I can see that the wiki of this website (a dokuwiki) is now in readonly, but no file were modify to do this, except the new IP in Ispconfig... 3 - In addition, the ispconfig interface is not under the new certificat (on port 444 for example), I don't know how to use the new certificat for ispconfig interface, because when I do the change in the ispconfig vhost file, I fall on an error in firefox... 4 - I would like to force people to use the https of this domain, I think I can do this by erase all about the port 80 in the domain's vhost file, but can't it be possible by ispconfig ? 5 - I'm searching a way to use the new certificat for courier, postfix, pureftpd, for this domain... Is it possible to define which domain goes with which certificat ? Please, tell me I'm wrong somewhere !
And maybe the all-in-one answer : What does the field "HTTP NameVirtualHost" mean in the ip addresses menu ? I untick that, and it seems to be really good .
The misunderstanding is that you try to access services trough the domain of your customers instead of using our company domain or the hostname of the server. For example: ISPConfig has to be accessed always with serverhostname:8080 or IP:8080 and never clientdomain:8080 if you want to use SSL as SSL cert is only for the domain you registered it for. Same for webmail, phpmyadmin etc. You access all these services trough the server hostname or a dedicated site and never trough the domain of a client. Accessing them trough the domain of the client and adding the path to the open_basedir is a security risk that makes it possible to read even mysql passwords under some circumstances as you give your clients control over these directories which are shared to all other clients. It enables you to use IP based vhosts. Thats e.g. nescessary to use SSL.
I've never changed the open_basedir field before today, but I can see that without the "HTTP NameVirtualHost" option, everything seems to work great now. That's why I'm wondering about your last sentence... it wouldn't be working, is it ? Your opinion about "central access" is a good point of view, but by default, every domain can access to squirrelmail, roundcube, phpmyadmin and munin. I surely have to change this but ispconfig seems to be configured like this by default, isn't it ? last comment : This is effectively the "main" website that has this new SSL certificat and the goal is to protect this central services... In fact, I agree with you for all you said, the difficulty is to make it works !
https only @Yoplait, If you want to force your clients to use SSL (https) for your website, then add these lines to the "Options" tab of your website with SSL certicate in ISPConfig3: Code: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
