LinuxQuestions.org
Old 09-06-2010, 08:48 PM   #1
duceduc
LQ Newbie
 
Registered: Aug 2010
Posts: 8

Rep: Reputation: 0
Enabling ssl with only one domain pointing to site


My test server has been going well for the past 2 months. I have learned a lot from searching the net for how-to's and forums on questions I have. My next task on the to-do list is enabling ssl on my mail server. I have the ssl setup with an automatic redirect from http to https. It is working fine with a minor issue.

I have 2 domains and several subdomains on the server. Since I have enabled ssl, it seems for any of the domain/subdomain links I type in with a https://, it takes me to my mail server site. How can I have it set to only one secure link to my mail server?

If you need to see a file conf, please let me know. Thank you.
 
Old 09-07-2010, 01:37 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,523

Rep: Reputation: 1503
Quote:
If you need to see a file conf, please let me know. Thank you.
That would be nice. Also, what distro and web server are you running?

Regards
 
Old 09-07-2010, 02:16 AM   #3
duceduc
LQ Newbie
 
Registered: Aug 2010
Posts: 8

Original Poster
Rep: Reputation: 0
Thank you for your reply.

I have a Ubuntu 10.4 Lucid running apache2.
I didn't know what file you wanted to see, so I posted my default-ssl vhost.
Quote:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/squirrelmail
ServerName webmail.domain.com
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/ssl_access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/apache2/ssl/intermediate.crt

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>


<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>


BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>
 
Old 09-07-2010, 03:45 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,523

Rep: Reputation: 1503
Well, you should post the file (maybe apache2.conf?) where you do the redirect for http to https.

Anyway you can put the following in a .htaccess file in the /var/www/squirrelmail directory:
Code:
RewriteEngine on

RewriteCond %{HTTP_HOST} !^webmail.domain.com$ [NC]
RewriteRule (.*) http://other.nossl-domain.com [R,L]
You also need to change the AllowOverride to All for apache to read .htaccess:
Code:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
and make sure mod_rewrite is enabled:
Code:
sudo a2enmod rewrite
 
Old 09-07-2010, 04:39 AM   #5
duceduc
LQ Newbie
 
Registered: Aug 2010
Posts: 8

Original Poster
Rep: Reputation: 0
I had my redirect in a .htaccess in squirrelmail dir
Code:
DirectoryIndex index.php
IndexIgnore */*

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
</IfModule>
</IfModule>
Let me see if I follow what you wrote. By adding this code to my existing .htaccess file, I am redirecting any domain/subdomain starting with a https to a site of my choice?
Code:
RewriteEngine on

RewriteCond %{HTTP_HOST} !^webmail.domain.com$ [NC]
RewriteRule (.*) http://other.nossl-domain.com [R,L]
 
Old 09-07-2010, 05:18 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,523

Rep: Reputation: 1503
Quote:
I had my redirect in a .htaccess in squirrelmail dir
Are you sure it's in the squirrelmail dir (/var/www/squirrelmail)?
Your rewrite stuff checks if the request is done through ssl and if not it forces the client to use ssl. If it's in the webmail server docroot, then there should be no problem with the other vhost as it uses a different docroot.
BTW you can do the opposite with the 2nd vhost to turn off ssl for that vhost.

My rewrite stuff checks if the requested host is webmail.domain.com and if not it redirects the client to the non-secure 2nd vhost.
 
Old 09-07-2010, 05:52 AM   #7
duceduc
LQ Newbie
 
Registered: Aug 2010
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Your rewrite stuff checks if the request is done through ssl and if not it forces the client to use ssl. If it's in the webmail server docroot, then there should be no problem with the other vhost as it uses a different docroot.
With this code in the .htaccess now, it is redirecting any https links that are not webmail.domain.com to http://other.nossl-domain.com.

Yes, the .htaccess is in /var/www/squirrelmail
This is what my .htaccess looks like now.
Code:
DirectoryIndex index.php
IndexIgnore */*

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
</IfModule>

RewriteCond %{HTTP_HOST} !^webmail.domain.com$ [NC]
RewriteRule (.*) http://other.nossl-domain.com [R,L]
</IfModule>
This is my squirrelmail non ssl vhost file.
Code:
#Alias /squirrelmail /usr/share/squirrelmail

IndexIgnore */*

<Directory /usr/share/squirrelmail>
Options Indexes FollowSymLinks
<IfModule mod_php5.c>
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>

<VirtualHost *:80>
DocumentRoot /var/www/squirrelmail
ServerName webmail.domain.com
</VirtualHost>

Last edited by duceduc; 09-07-2010 at 06:18 AM.
 
Old 09-07-2010, 06:44 AM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,523

Rep: Reputation: 1503
Quote:
With this code in the .htaccess now, it is redirecting any https links that are not webmail.domain.com to http://other.nossl-domain.com.
Isn't that what you want to do?
Quote:
it seems for any of the domain/subdomain links I type in with a https://, it takes me to my mail server site. How can I have it set to only one secure link to my mail server?
Or I've missed something?
 
Old 09-07-2010, 07:00 AM   #9
duceduc
LQ Newbie
 
Registered: Aug 2010
Posts: 8

Original Poster
Rep: Reputation: 0
I wasn't clear what that rewrite did. Yes, that is what I wanted to do.

Also, I didn't realize after enabling ssl, all domains were affected by it. I thought I had my vhost files misconfigured.

Thank you much for the help.
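
An alternative to the .htaccess host check used in this thread, as an added example that is not part of any post: the only *:443 vhost is also the default one, which is why every https:// name reached webmail, so a catch-all vhost defined first can refuse the other names. It reuses the paths and names shown in the thread; `catchall.invalid` is a placeholder, and placing both 443 vhosts in one file in this order is an assumption.

```apache
# Added example, Apache 2.2 syntax as used on the page.
# The first vhost defined for an address:port is the default: it answers every
# request whose Host matches no ServerName/ServerAlias. Define the catch-all
# first so unknown names stop there instead of reaching webmail.

# Needed once on Apache 2.2 for name-based vhosts on 443 (obsolete on 2.4).
NameVirtualHost *:443

# 1) Catch-all for https://<anything else>: refuse with 403.
<VirtualHost *:443>
    # Placeholder name (assumption); it only has to differ from real sites.
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    <Location />
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

# 2) The only real HTTPS site.
<VirtualHost *:443>
    ServerName webmail.domain.com
    DocumentRoot /var/www/squirrelmail
    DirectoryIndex index.php
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/intermediate.crt
    <Directory /var/www/squirrelmail>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# 3) Port 80: fixed redirect target, so the Host header is never echoed back.
<VirtualHost *:80>
    ServerName webmail.domain.com
    Redirect permanent / https://webmail.domain.com/
</VirtualHost>
```

`apache2ctl -S` lists which vhost is the default for each address:port after a reload. Browsers asking for another name over https:// still get a certificate name warning before the 403, because the TLS handshake completes before Apache reads the Host header.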
 
  

