{| width="100%" border="0"
| bgcolor=#FFFFAA | [[Image:officiallock2.png]] - This is '''official documentation''', and is protected for editing by Zimbra Employees only.
|}

= Introduction =

It may be required to provide SSL connections to the mailstore for more than one virtual host on a Zimbra server. Tomcat cannot do this natively, but there is a workable solution using Apache as a [[ZimbraApache|reverse proxy]] (mod_proxy). The configuration works with or without Zimbra's per-domain "Virtual Host" attribute, and it is a good alternative in which SSL connections are terminated by Apache instead of Tomcat.

= Configure Zimbra =

Switch the mailstore to plain HTTP on port 8080 so that Apache can terminate SSL and proxy to it:

 $ su - zimbra
 $ zmprov ms `zmhostname` zimbraMailMode http
 $ zmprov ms `zmhostname` zimbraMailPort 8080
 $ tomcat restart

= Use Zimbra's CA to Generate Self-Signed Certificates for Apache =

Create self-signed certificates for testing the configuration. The commands below are for zimbra.domaina.moc; repeat them (with a domainb_ssl directory) for each additional virtual host.

 $ mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl

Create a certificate request and its private key. When prompted for the Common Name, enter the virtual host's name (zimbra.domaina.moc); otherwise browsers will report a hostname mismatch.

 $ openssl req -new -nodes -out zimbra.domaina.moc.csr -keyout zimbra.domaina.moc.key \
 > -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf

Sign the certificate request with Zimbra's CA.

 $ openssl ca -out zimbra.domaina.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
 > -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch

= Configure httpd =

Neither Apache nor Tomcat can do name-based virtual hosting over SSL: the SSL handshake, in which the server must present its certificate, happens below the HTTP layer and therefore completes before the Host header is read, so the server cannot choose a certificate per host name. This is the major conundrum. Please read http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation. To get around the problem, each SSL virtual host must be given its own IP address or its own listener port.

/etc/httpd/conf/httpd.conf:

 NameVirtualHost *:80

/etc/httpd/conf.d/zimbra_proxy.conf, assigning a separate IP address to each virtual host. Both virtual hosts proxy to the same mailstore (zimbra.domain.moc:8080); Apache must also be listening on port 443, which mod_ssl's default ssl.conf normally arranges with a Listen 443 directive:

 ProxyRequests Off
 <Proxy *>
 Order deny,allow
 Deny from all
 Allow from all
 </Proxy>
 <nowiki></nowiki>
 <VirtualHost 1.1.1.1:443>
 ServerName zimbra.domaina.moc
 ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
 ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
 SSLEngine On
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.key
 SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.crt
 </VirtualHost>
 <nowiki></nowiki>
 <VirtualHost 1.1.1.2:443>
 ServerName zimbra.domainb.moc
 ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
 ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
 SSLEngine On
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
 SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
 </VirtualHost>

Alternate /etc/httpd/conf.d/zimbra_proxy.conf, assigning a separate SSL listener port to each domain on a single IP address:

 ProxyRequests Off
 <Proxy *>
 Order deny,allow
 Deny from all
 Allow from all
 </Proxy>
 <nowiki></nowiki>
 Listen 1443
 <VirtualHost _default_:1443>
 ServerName zimbra.domaina.moc
 ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
 ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
 SSLEngine On
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.key
 SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.crt
 </VirtualHost>
 <nowiki></nowiki>
 Listen 2443
 <VirtualHost _default_:2443>
 ServerName zimbra.domainb.moc
 ProxyPass / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
 ProxyPassReverse / <nowiki>http://zimbra.domain.moc:8080/</nowiki>
 SSLEngine On
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
 SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
 </VirtualHost>

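The mistake that is easiest to make with either layout is binding two SSL virtual hosts to the same address:port (which silently falls back to the first certificate) or pointing a virtual host at another host's key and certificate files. The following Python script is an added example written for this article, not code from the Zimbra wiki or from Apache: it parses the small subset of httpd.conf syntax used above (VirtualHost blocks and the directives inside them) and reports those two problems plus SSL hosts with no certificate configured. The configuration it checks is constructed inline to mirror the per-IP layout above, with a deliberately mismatched key/certificate path for domaina and a second variant that puts both hosts on the same *:443.

```python
"""Lint Apache vhost config for the SSL-per-virtual-host pitfalls.

Added example, not from the Zimbra wiki page. Handles only the directive
subset used in the article: <VirtualHost addr:port> ... </VirtualHost>
blocks and one-word-name directives inside them. Directives inside nested
sections (<Directory>, <Proxy>) are folded into the enclosing vhost.
"""
import re
from dataclasses import dataclass, field

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")


@dataclass
class VHost:
    bindings: list                                   # e.g. ["1.1.1.1:443"] or ["_default_:1443"]
    directives: dict = field(default_factory=dict)   # lower-cased name -> value

    @property
    def server_name(self):
        return self.directives.get("servername", "")

    @property
    def ssl(self):
        return self.directives.get("sslengine", "off").lower() == "on"


def parse_vhosts(text):
    """Return the VirtualHost blocks found in `text`, in file order."""
    vhosts, current = [], None
    for line in text.splitlines():
        if current is None:
            m = VHOST_OPEN.match(line)
            if m:
                current = VHost(bindings=m.group(1).split())
            continue                      # directives outside any vhost are ignored
        if VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "<")):
            continue                      # comments and nested section tags
        m = DIRECTIVE.match(line)
        if m:
            current.directives[m.group(1).lower()] = m.group(2)
    if current is not None:
        raise ValueError("unterminated <VirtualHost %s>" % " ".join(current.bindings))
    return vhosts


def lint(text):
    """Return human-readable findings; an empty list means the layout is sound."""
    findings = []
    seen = {}                             # binding -> ServerName of first SSL vhost using it
    for vh in parse_vhosts(text):
        if not vh.ssl:
            continue
        name = vh.server_name or "<no ServerName>"
        for binding in vh.bindings:
            other = seen.get(binding)
            if other is not None:
                findings.append("%s and %s both terminate SSL on %s: name-based SSL vhosts "
                                "cannot work, give each its own IP or port" % (other, name, binding))
            else:
                seen[binding] = name
        for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            path = vh.directives.get(directive.lower())
            if path is None:
                findings.append("%s: SSLEngine On but no %s" % (name, directive))
            elif vh.server_name and not path.rsplit("/", 1)[-1].startswith(vh.server_name):
                findings.append("%s: %s points at %s, which does not look like this host's file"
                                % (name, directive, path))
    return findings


# Constructed sample: the per-IP layout, with domaina pointed at the wrong files.
SAMPLE_PER_IP = """\
<VirtualHost 1.1.1.1:443>
    ServerName zimbra.domaina.moc
    ProxyPass / http://zimbra.domain.moc:8080/
    SSLEngine On
    SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
    SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
</VirtualHost>
<VirtualHost 1.1.1.2:443>
    ServerName zimbra.domainb.moc
    ProxyPass / http://zimbra.domain.moc:8080/
    SSLEngine On
    SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
    SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
"""

# Constructed variant: both SSL hosts on the same socket, i.e. name-based SSL.
SAMPLE_NAME_BASED = SAMPLE_PER_IP.replace("1.1.1.1:443", "*:443").replace("1.1.1.2:443", "*:443")

if __name__ == "__main__":
    for label, cfg in (("per-IP layout", SAMPLE_PER_IP), ("same socket", SAMPLE_NAME_BASED)):
        print(label)
        for finding in lint(cfg) or ["ok"]:
            print("  -", finding)
```

Run it against the real file with `lint(open("/etc/httpd/conf.d/zimbra_proxy.conf").read())` after editing and before restarting httpd; the per-port layout passes the same check because `_default_:1443` and `_default_:2443` are distinct bindings.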
With the separate-port layout, users would have to type the port number into the URL. To avoid that, redirect plain-HTTP requests to the correct SSL port with mod_rewrite in per-directory .htaccess files. Append to /etc/httpd/conf.d/zimbra_proxy.conf:

 <VirtualHost *:80>
 ServerName zimbra.domaina.moc
 DocumentRoot "/var/www/domaina"
 <Directory "/var/www/domaina">
 AllowOverride Options FileInfo AuthConfig
 </Directory>
 </VirtualHost>
 <nowiki></nowiki>
 <VirtualHost *:80>
 ServerName zimbra.domainb.moc
 DocumentRoot "/var/www/domainb"
 <Directory "/var/www/domainb">
 AllowOverride Options FileInfo AuthConfig
 </Directory>
 </VirtualHost>

/var/www/domaina/.htaccess (the request path is carried over with %{REQUEST_URI}; [R,L] makes the redirect explicit and stops further rewriting):

 RewriteEngine On
 RewriteCond %{SERVER_PORT} !1443
 RewriteRule ^(.*)$ <nowiki>https://%{HTTP_HOST}:1443%{REQUEST_URI}</nowiki> [R,L]

/var/www/domainb/.htaccess:

 RewriteEngine On
 RewriteCond %{SERVER_PORT} !2443
 RewriteRule ^(.*)$ <nowiki>https://%{HTTP_HOST}:2443%{REQUEST_URI}</nowiki> [R,L]

Be sure to restart httpd.

= Related Articles =

[[Commercial_Certificates|Commercial Certificates]]

[[SSL_Certificate_Problems|SSL Certificate Problems]]

----

<br> Keywords: ''ssl , virtual hosts , ofzd''

{| class="toc" border="0" cellpadding="0" cellspacing="0" width=100%
| align="left" | <b>Article ID:</b> http://wiki.zimbra.com/index.php?title=Multiple_SSL_Virtual_Hosts
| align="right" | <strong>Date Created:</strong> May 23, 2007
| align="right" | <strong>Date Modified:</strong> August 2, 2007
|}

{| class="toc" border="0" cellpadding="0" cellspacing="0" width=100%
| align="left" | <b>Verified Against:</b> Zimbra Collaboration Suite 4.5.6
|}

[[Category: Virtual Hosting]]
[[Category: SSL]]
[[Category: Pending Certification]]