Multiple SSL Virtual Hosts: Difference between revisions
No edit summary
Line 24: | Line 24: | ||
Allow from all | Allow from all | ||
</Proxy> | </Proxy> | ||
<nowiki></nowiki> | |||
<VirtualHost 1.1.1.1:443> | <VirtualHost 1.1.1.1:443> | ||
ServerName zimbra.domaina.moc | ServerName zimbra.domaina.moc | ||
ProxyPass / http://zimbra.domain.moc:8080/ | ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki> | ||
ProxyPassReverse / http://zimbra.domain.moc:8080/ | ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki> | ||
SSLEngine On | SSLEngine On | ||
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP | SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP | ||
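Review bot: the SSLCipherSuite string at the end of this hunk starts from ALL and only removes ADH and EXPORT56, so 40-bit export ciphers, the LOW group and SSLv2 remain negotiable (the trailing +LOW:+SSLv2:+EXP only moves them to the end of the preference list, it does not disable them); consider `SSLCipherSuite HIGH:!aNULL:!MD5` together with `SSLProtocol all -SSLv2` on every SSL vhost. The `<nowiki>` wrapping of the ProxyPass and ProxyPassReverse URLs is a wiki rendering fix only and changes nothing in the configuration.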
Line 33: | Line 34: | ||
SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt | SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt | ||
</VirtualHost> | </VirtualHost> | ||
<nowiki></nowiki> | |||
Listen 2443 | Listen 2443 | ||
<VirtualHost 1.1.1.2:443> | <VirtualHost 1.1.1.2:443> | ||
ServerName zimbra.domainb.moc | ServerName zimbra.domainb.moc | ||
ProxyPass / http://zimbra.domain.moc:8080/ | ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki> | ||
ProxyPassReverse / http://zimbra.domain.moc:8080/ | ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki> | ||
SSLEngine On | SSLEngine On | ||
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP | SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP | ||
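Review bot: `Listen 2443` at the top of this hunk belongs to the port-based variant further down; in this IP-based variant both vhosts bind to 1.1.1.1:443 and 1.1.1.2:443, so the directive opens port 2443 with no SSL VirtualHost behind it and the default (non-SSL) server answers there. Drop it from this block, or keep it only next to the `<VirtualHost *:2443>` block below.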
Line 51: | Line 53: | ||
Allow from all | Allow from all | ||
</Proxy> | </Proxy> | ||
<nowiki></nowiki> | |||
Listen 1443 | Listen 1443 | ||
<VirtualHost *:1443> | <VirtualHost *:1443> | ||
ServerName zimbra.domaina.moc | ServerName zimbra.domaina.moc | ||
ProxyPass / http://zimbra.domain.moc:8080/ | ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki> | ||
ProxyPassReverse / http://zimbra.domain.moc:8080/ | ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki> | ||
SSLEngine On | SSLEngine On | ||
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP | SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP | ||
Line 61: | Line 64: | ||
SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt | SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt | ||
</VirtualHost> | </VirtualHost> | ||
<nowiki></nowiki> | |||
Listen 2443 | Listen 2443 | ||
<VirtualHost *:2443> | <VirtualHost *:2443> | ||
ServerName zimbra.domainb.moc | ServerName zimbra.domainb.moc | ||
ProxyPass / http://zimbra.domain.moc:8080/ | ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki> | ||
ProxyPassReverse / http://zimbra.domain.moc:8080/ | ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki> | ||
SSLEngine On | SSLEngine On | ||
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP | SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP |
Revision as of 21:56, 23 May 2007
Use Zimbra's CA to Generate Self-Signed Certificates for Apache
# mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl
Create a certificate request.
# openssl req -new -nodes -out zimbra.domaina.moc.csr -keyout zimbra.domaina.moc.key \
    -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf
Sign the certificate request with Zimbra's CA.
# openssl ca -out zimbra.domaina.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
    -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch
Configure httpd
Apache (or Tomcat) cannot do name-based virtual hosting over SSL: the SSL layer sits below the HTTP layer, so the server must complete the SSL handshake, and therefore pick a certificate, before it can read the Host header that names the virtual host. This is the major conundrum. See http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation. To get around the problem, each SSL virtual host must be given its own IP address or its own listener port.
/etc/httpd/conf.d/zimbra_proxy.conf assigning a separate IP for each virtual host:
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

<VirtualHost 1.1.1.1:443>
ServerName zimbra.domaina.moc
ProxyPass / http://zimbra.domain.moc:8080/
ProxyPassReverse / http://zimbra.domain.moc:8080/
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.key
SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.crt
</VirtualHost>

<VirtualHost 1.1.1.2:443>
ServerName zimbra.domainb.moc
ProxyPass / http://zimbra.domain.moc:8080/
ProxyPassReverse / http://zimbra.domain.moc:8080/
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
Alternate /etc/httpd/conf.d/zimbra_proxy.conf assigning separate SSL listener ports for each domain:
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>

Listen 1443
<VirtualHost *:1443>
ServerName zimbra.domaina.moc
ProxyPass / http://zimbra.domain.moc:8080/
ProxyPassReverse / http://zimbra.domain.moc:8080/
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.key
SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.crt
</VirtualHost>

Listen 2443
<VirtualHost *:2443>
ServerName zimbra.domainb.moc
ProxyPass / http://zimbra.domain.moc:8080/
ProxyPassReverse / http://zimbra.domain.moc:8080/
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
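As an added check (not part of this wiki page or of Zimbra), the following Python script parses a zimbra_proxy.conf in the layout shown above and reports the three things that go wrong with multiple SSL virtual hosts: two SSL vhosts sharing one address:port (which Apache cannot tell apart without SNI, so clients get the first vhost's certificate), a vhost port that no Listen directive opens, and a cipher string that starts from ALL without excluding SSLv2, LOW, EXP or ADH. It assumes port 443 is opened by Apache's own ssl.conf; the sample configuration is constructed for the demonstration.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
# Families that "ALL" keeps enabled unless the cipher string removes them with "!".
WEAK_FAMILIES = ("SSLv2", "LOW", "EXP", "ADH")

def parse_vhosts(conf):
    """One dict per <VirtualHost> block: address, port, ServerName, SSL on/off, ciphers."""
    vhosts = []
    for addr_spec, body in VHOST_RE.findall(conf):
        address, _, port = addr_spec.strip().rpartition(":")
        d = dict(re.findall(r"^\s*(\w+)\s+(.*\S)", body, re.M))  # directive -> argument
        vhosts.append({"address": address, "port": port, "name": d.get("ServerName", "?"),
                       "ssl": d.get("SSLEngine", "off").lower() == "on",
                       "ciphers": d.get("SSLCipherSuite", "")})
    return vhosts

def check_ssl_vhosts(conf):
    """Report SSL vhosts sharing an address:port, ports with no Listen, and weak cipher strings."""
    findings, seen = [], {}
    # Assumption: port 443 is opened by Apache's own ssl.conf rather than by this file.
    listened = set(re.findall(r"^\s*Listen\s+(?:\S+:)?(\d+)", conf, re.M)) | {"443"}
    for v in parse_vhosts(conf):
        if not v["ssl"]:
            continue
        key = (v["address"], v["port"])
        if key in seen:  # no SNI: every client on this socket gets the first vhost's certificate
            findings.append(f"collision: {v['name']} and {seen[key]} share {v['address']}:{v['port']}")
        seen.setdefault(key, v["name"])
        if v["port"] not in listened:
            findings.append(f"{v['name']}: no Listen directive for port {v['port']}")
        tokens = v["ciphers"].split(":")
        excluded = {t[1:] for t in tokens if t.startswith("!")}
        for fam in (WEAK_FAMILIES if "ALL" in tokens else ()):
            if fam not in excluded:
                findings.append(f"{v['name']}: cipher string never excludes {fam}")
    return findings

# Constructed sample: two SSL vhosts on one address:port, with the wiki's cipher string.
SAMPLE_CONF = """\
<VirtualHost 1.1.1.1:443>
ServerName zimbra.domaina.moc
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName zimbra.domainb.moc
SSLEngine On
</VirtualHost>
"""
```

Running check_ssl_vhosts on either configuration from this page returns no collision, because each SSL vhost has its own IP or its own port; it does still flag SSLv2, LOW and EXP in the cipher string.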