|
|
(21 intermediate revisions by 6 users not shown) |
Line 1: |
Line 1: |
| [[ZimbraApache|Reverse proxy configuration]] | | #REDIRECT [[SSL_certificates_per_domain]] |
| | |
| ==== Use Zimbra's CA to Generate Self-Signed Certificates for Apache ====
| |
|
| |
| # mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl
| |
| | |
| Create a certificate request.
| |
| # openssl req -new -nodes -out host.zmb.moc.csr -keyout zimbra.domaina.moc.key \
| |
| > -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf
| |
| | |
| Process the certificate request
| |
| # openssl ca -out host.zmb.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
| |
| > -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch
| |
| | |
| ==== Configure httpd ====
| |
| | |
| Apache or Tomcat will not do name-based virtual hosting over SSL because the SSL layer is lower than the HTTP layer which results in the host header being read after the SSL handshake. This is the major conundrum. Please read http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation. Separate IP addresses or listener ports must be assigned to get around the problem.
| |
| | |
| /etc/httpd/conf.d/zimbra_proxy.conf assigning a separate IP for each virtual host:
| |
| ProxyRequests Off
| |
| <Proxy *>
| |
| Order deny,allow
| |
| Deny from all
| |
| Allow from all
| |
| </Proxy>
| |
| <nowiki></nowiki>
| |
| <VirtualHost 1.1.1.1:443>
| |
| ServerName zimbra.domaina.moc
| |
| ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
| |
| ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
| |
| SSLEngine On
| |
| SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
| |
| SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
| |
| SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
| |
| </VirtualHost>
| |
| <nowiki></nowiki>
| |
| Listen 2443
| |
| <VirtualHost 1.1.1.2:443>
| |
| ServerName zimbra.domainb.moc
| |
| ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
| |
| ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
| |
| SSLEngine On
| |
| SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
| |
| SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
| |
| SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
| |
| </VirtualHost>
| |
| | |
| Alternate /etc/httpd/conf.d/zimbra_proxy.conf assigning separate SSL listener ports for each domain:
| |
| ProxyRequests Off
| |
| <Proxy *>
| |
| Order deny,allow
| |
| Deny from all
| |
| Allow from all
| |
| </Proxy>
| |
| <nowiki></nowiki>
| |
| Listen 1443
| |
| <VirtualHost *:1443>
| |
| ServerName zimbra.domaina.moc
| |
| ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
| |
| ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
| |
| SSLEngine On
| |
| SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
| |
| SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
| |
| SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
| |
| </VirtualHost>
| |
| <nowiki></nowiki>
| |
| Listen 2443
| |
| <VirtualHost *:2443>
| |
| ServerName zimbra.domainb.moc
| |
| ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
| |
| ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
| |
| SSLEngine On
| |
| SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
| |
| SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
| |
| SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
| |
| </VirtualHost>
| |