[SOLVED] Enabling ssl with only one domain pointing to site

duceduc · 09-06-2010, 07:48 PM

My test server is going well for the past 2 months. I have learned a lot from searching the net for how to's and forums on questions I have. My next task on the to-do list is enabling ssl on my mail server. I have the ssl setup with an automatic redirect from http to https. It is working fine with a minor issue.

I have 2 domains and several subdomains on the server. Since I have enabled ssl, it seems for any of the domain/subdomain links I type in with a https://, it takes me to my mail server site. How can I have it set to only one secure link to my mail server?

If you need to see a file conf, please let me know. Thank you.

bathory · 09-07-2010, 12:37 AM

Quote:

If you need to see a file conf, please let me know. Thank you.

That would be nice. Also what distro and web server you're running

Regards

duceduc · 09-07-2010, 01:16 AM

Thank you for your reply.

I have a Ubuntu 10.4 Lucid running apache2.
I didn't know what file you wanted to see, so I posted my default-ssl vhost.

Quote:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/squirrelmail
ServerName webmail.domain.com
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/ssl_access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/apache2/ssl/intermediate.crt

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

bathory · 09-07-2010, 02:45 AM

Well, you should post the file (maybe apache2.conf?) where you do the redirect for http to https.

Anyway you can put the following in a .htaccess file in the /var/www/squirrelmail directory:

Code:

RewriteEngine on

RewriteCond %{HTTP_HOST} !^webmail.domain.com$ [NC]
RewriteRule (.*) http://other.nossl-domain.com [R,L]

You also need to change the AllowOverride to All for apache to read .htaccess:

Code:

<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

and make sure mod_rewrite is enabled:

Code:

sudo a2enmod rewrite

duceduc · 09-07-2010, 03:39 AM

I had my redirect in a .htaccess in squirrelmail dir

Code:

DirectoryIndex index.php
IndexIgnore */*

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
</IfModule>
</IfModule>

Let me see if I follow what you wrote. By adding this code to my existing .htaccess file, I am redirecting any domain/subdomain starting with a https to a site of my choice?

Code:

RewriteEngine on

RewriteCond %{HTTP_HOST} !^webmail.domain.com$ [NC]
RewriteRule (.*) http://other.nossl-domain.com [R,L]

bathory · 09-07-2010, 04:18 AM

Quote:

I had my redirect in a .htaccess in squirrelmail dir

Are you sure it's in the squirrelmail dir (/var/www/squirrelmail)?
Your rewrite stuff checks if the request is done through ssl and if not it forces the client to use ssl. If it's in the webmail server docroot, then there should be no problem with the other vhost as it use a different docroot.
BTW you can do the opposite with the 2nd vhost to turn off ssl for that vhost.

My rewrite stuff checks if the requested host is webmail.domain.com and if not it redirects the client to the non-secure 2nd vhost.

duceduc · 09-07-2010, 04:52 AM

Quote:

Your rewrite stuff checks if the request is done through ssl and if not it forces the client to use ssl. If it's in the webmail server docroot, then there should be no problem with the other vhost as it use a different docroot.

With this code in the .htaccess now, it is redirecting any https links that is not webmail.domain.com to http://other.nossl-domain.com.

Yes, the .htaccess is in /var/www/squirrelmail
This is how my .htaccess looks like now.

Code:

DirectoryIndex index.php
IndexIgnore */*

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
</IfModule>

RewriteCond %{HTTP_HOST} !^webmail.domain.com$ [NC]
RewriteRule (.*) http://other.nossl-domain.com [R,L]

This is my squirrelmail non ssl vhost file.

Code:

#Alias /squirrelmail /usr/share/squirrelmail

IndexIgnore */*

<Directory /usr/share/squirrelmail>
Options Indexes FollowSymLinks
<IfModule mod_php5.c>
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>

<VirtualHost *:80>
DocumentRoot /var/www/squirrelmail
ServerName webmail.domain.com
</VirtualHost>

bathory · 09-07-2010, 05:44 AM

Quote:

With this code in the .htaccess now, it is redirecting any https links that is not webmail.domain.com to http://other.nossl-domain.com.

Isn't that what you want to do?

Quote:

it seems for any of the domain/subdomain links I type in with a https://, it takes me to my mail server site. How can I have it set to only one secure link to my mail server?

Or I've missed something?

duceduc · 09-07-2010, 06:00 AM

I wasn't clear what that rewrite did. Yes, that is what I wanted to do.

Also, I didn't realize after enabling ssl, all domains were effected by it. I thought I had my vhost files misconfigured.

Thank you much for the help.