Multiple SSL Virtual Hosts: Difference between revisions

No edit summary
 
No edit summary
Line 1: Line 1:
[[ZimbraApache|Reverse proxy configuration]]
[[ZimbraApache|Reverse proxy configuration]]
==== Use Zimbra's CA to Generate Self-Signed Certificates for Apache ====
# mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl
Create a certificate request.
# openssl req -new -nodes -out host.zmb.moc.csr -keyout zimbra.domaina.moc.key \
> -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf
Process the certificate request
# openssl ca -out host.zmb.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
> -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch
==== Configure httpd ====
Apache or Tomcat will not do name-based virtual hosting over SSL because the SSL layer is lower than the HTTP layer which results in the host header being read after the SSL handshake.  This is the major conundrum.  Please read http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation.  Separate IP addresses or listener ports must be assigned to get around the problem.
/etc/httpd/conf.d/zimbra_proxy.conf assigning a separate IP for each virtual host:
ProxyRequests Off
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from all
</Proxy>
<VirtualHost 1.1.1.1:443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
</VirtualHost>
Listen 2443
<VirtualHost 1.1.1.2:443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
Alternate /etc/httpd/conf.d/zimbra_proxy.conf assigning separate SSL listener ports for each domain:
ProxyRequests Off
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from all
</Proxy>
Listen 1443
<VirtualHost *:1443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
</VirtualHost>
Listen 2443
<VirtualHost *:2443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>

Revision as of 21:39, 23 May 2007

Reverse proxy configuration

Use Zimbra's CA to Generate Self-Signed Certificates for Apache

# mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl

Create a certificate request.

# openssl req -new -nodes -out host.zmb.moc.csr -keyout zimbra.domaina.moc.key \
> -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf

Process the certificate request

# openssl ca -out host.zmb.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
> -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch

Configure httpd

Apache or Tomcat will not do name-based virtual hosting over SSL because the SSL layer is lower than the HTTP layer which results in the host header being read after the SSL handshake. This is the major conundrum. Please read http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation. Separate IP addresses or listener ports must be assigned to get around the problem.

/etc/httpd/conf.d/zimbra_proxy.conf assigning a separate IP for each virtual host:

ProxyRequests Off
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from all
</Proxy>
<VirtualHost 1.1.1.1:443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
</VirtualHost>
Listen 2443
<VirtualHost 1.1.1.2:443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>

Alternate /etc/httpd/conf.d/zimbra_proxy.conf assigning separate SSL listener ports for each domain:

ProxyRequests Off
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from all
</Proxy>
Listen 1443
<VirtualHost *:1443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
</VirtualHost>
Listen 2443
<VirtualHost *:2443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
Jump to: navigation, search