1 Topic by arondsmithy

  • arondsmithy
  • Member
  • Offline
  • Registered: 2013-12-10
  • Posts: 14

Topic: HTTPS Wildcard: Subdomains problem

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Linux/BSD distribution name and version: RHEL 6
- Related log if you're reporting an issue:
====

By default, the combined httpd.conf and ssl.conf contain a Listen 80 and a Listen 443.   After adding a real certified wildcard certificate,  virtual hosts seem to be only work as before: when connecting with http://, it goes straight to www.domain.com; when connecting with https://, it goes straight to anything.domain.com (it is supposed to be mail.domain.com). Both are on the same IP.

Despite having a wildcard certificate, and going through all the various setups listed here and elsewhere (e.g., you cant do it on a single IP, you can, NameVirtualHost, Virtualhost 80 and 443s, default:443, etc), it seems impossible to have https:// for both subdomains. Putting the key directives in both the Listen 80 configuration and the Listen 443 configuration Apache will either throw an error on restart, or will get the subdomains confused.

The end goal is to have the following available:

http://www.domain.com (main page), https://www.domain.com (main page HTTPS), https://mail.domain.com (webmail, HTTPS)

So far, only can do http://www.domain.com and https://mail.domain.com at best;  but the goal is to get www.domain.com also working on both http and https (subdomain2 should be https only).

Should be simple, but not so!

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: HTTPS Wildcard: Subdomains problem

arondsmithy wrote:

So far, only can do http://www.domain.com and https://mail.domain.com at best;  but the goal is to get www.domain.com also working on both http and https (subdomain2 should be https only).

Do you configure Apache to use HTTPS for 'www.domain.com'? Show us your configurations.

3 Reply by arondsmithy

  • arondsmithy
  • Member
  • Offline
  • Registered: 2013-12-10
  • Posts: 14

Re: HTTPS Wildcard: Subdomains problem

Okay, most are the defaults; mainly virtualhost, port, and subdomains changed.  Note: when setting a _default_:443, either subdomain DOES work; but need to have https on both.  Have a true wildcard certificate - *.domain.com.

SSL.conf

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost mail.domain.com:443
<VirtualHost mail.domain.com:443>
#<VirtualHost _default_:443> #this default value sends EVERYTHING to the same directory
ServerName mail.domain.com
DocumentRoot "/var/www/html" #index.html redirect to /mail
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/domain.crt
SSLCertificateKeyFile /etc/pki/tls/private/domainssh.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

(Then the default iRedmail aliases)

So basically the defaults, except switched out for a wildcard certificate, then set each virtual host to an actual virtual host name instead of _default_:443 or *:443 or *:80.

The best it will do is run one subdomain on both 80 and 443, but simply cannot run two different subdomains (one on 80 and 443, one only on 443), despite the seemingly correct directives being there.  NameVirtualHost always throws the "warn" error. 

welcome.conf

<VirtualHost *:80>
#<VirtualHost www.domain.com:80> #why doesn't this work?
      ServerName www.domain.com
      DocumentRoot /app/dir/public
      <Directory /app/dir/public>
         AllowOverride all
         Options -MultiViews -Indexes
         RailsEnv production
     </Directory>
</VirtualHost>

#NameVirtualHost www.domain.com:443 #results in "NameVirtualHost www.domain.com:443 has no VirtualHosts" 
<VirtualHost www.domain.com:443>

      ServerName www.domain.com
      # !!! Be sure to point DocumentRoot to 'public'!
      DocumentRoot /app/dir/public
      <Directory /app/dir/public>
         Options -MultiViews -Indexes
         RailsEnv production
     </Directory>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/domain.crt
SSLCertificateKeyFile /etc/pki/tls/private/domainssh.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: HTTPS Wildcard: Subdomains problem

Reference: http://wiki.apache.org/httpd/CommonMisc … interface.

5 Reply by cygni (edited by cygni 2014-04-14 09:06:07)

  • cygni
  • Member
  • Offline
  • Registered: 2013-09-29
  • Posts: 31

Re: HTTPS Wildcard: Subdomains problem

I hope the following example helps, assuming you have set the A/CNAME records:

ports.conf

NameVirtualHost 192.168.1.101:443
NameVirtualHost 192.168.1.101:80
NameVirtualHost 192.168.1.102:443
NameVirtualHost 192.168.1.102:80

Listen 192.168.1.101:80
Listen 192.168.1.102:80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 192.168.1.101:443
    Listen 192.168.1.102:443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 192.168.1.101:443
    Listen 192.168.1.102:443
</IfModule>

000-domain

<VirtualHost 192.168.1.101:80>
    ServerAdmin webmaster@domain.com
    ServerName domain.com
    ServerAlias www.domain.com

    DocumentRoot /var/www/domain
    
    <Directory /var/www/domain/>
        Options FollowSymLinks -MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    LogLevel warn

    ErrorLog /var/www/domain/logs/error.log
    CustomLog /var/www/domain/logs/access.log combined
</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost 192.168.1.101:443>
    ServerAdmin webmaster@domain.com
    ServerName domain.com
    ServerAlias www.domain.com

    DocumentRoot /var/www/domain
    
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/domain.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.key
        SSLCertificateChainFile /etc/ssl/certs/domain_chain.crt

    <Directory /var/www/domain/>
        Options FollowSymLinks -MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    LogLevel warn

    ErrorLog /var/www/domain/logs/error.log
    CustomLog /var/www/domain/logs/access.log combined
</VirtualHost>
</IfModule>

## MAIL ##
<VirtualHost 192.168.1.102:80>
        ServerAdmin webmaster@domain.com
        ServerName mail.domain.com
        ServerAlias www.mail.domain.com
        Redirect permanent / https://mail.domain.com
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 192.168.1.102:443>
        ServerAdmin webmaster@domain.com
        ServerName mail.domain.com
        ServerAlias www.mail.domain.com

        DocumentRoot /usr/share/apache2/roundcubemail

        <Directory /usr/share/apache2/roundcubemail/>
                Options -Indexes FollowSymLinks -MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/domain.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.key
        SSLCertificateChainFile /etc/ssl/certs/domain_chain.crt
</VirtualHost>
</IfModule>

## PHPMYADMIN ##
<VirtualHost 192.168.1.102:80>
        ServerAdmin webmaster@domain.com
        ServerName phpmyadmin.domain.com
        ServerAlias www.phpmyadmin.domain.com
        Redirect permanent / https://phpmyadmin.domain.com
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 192.168.1.102:443>
        ServerAdmin webmaster@domain.com
        ServerName phpmyadmin.domain.com
        ServerAlias www.phpmyadmin.domain.com

        DocumentRoot /usr/share/phpmyadmin
    
        <Directory /usr/share/phpmyadmin/>
                Options -Indexes FollowSymLinks -MultiViews
                AllowOverride None
                Order allow,deny
                allow from 192.168.1.103 192.168.1.104 #only allow these IPs to access this sub-domain
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/domain.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.key
        SSLCertificateChainFile /etc/ssl/certs/domain_chain.crt
</VirtualHost>
</IfModule>