Multiple SSL Virtual Hosts: Difference between revisions

No edit summary
No edit summary
Line 1: Line 1:
[[ZimbraApache|Reverse proxy configuration]]
[[ZimbraApache|Reverse proxy configuration]]
==== Configure Zimbra ====
$ su - zimbra
$ zmprov ms `zmhostname` zimbraMailMode http
$ zmprov ms `zmhostname` zimbraMailPort 8080


==== Use Zimbra's CA to Generate Self-Signed Certificates for Apache ====
==== Use Zimbra's CA to Generate Self-Signed Certificates for Apache ====
   
   
  # mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl
  $ mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl


Create a certificate request.
Create a certificate request.
  # openssl req -new -nodes -out host.zmb.moc.csr -keyout zimbra.domaina.moc.key \
  $ openssl req -new -nodes -out host.zmb.moc.csr -keyout zimbra.domaina.moc.key \
  > -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf
  > -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf


Process the certificate request
Process the certificate request
  # openssl ca -out host.zmb.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
  $ openssl ca -out host.zmb.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
  > -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch
  > -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch



Revision as of 01:05, 24 May 2007

Reverse proxy configuration

Configure Zimbra

$ su - zimbra
$ zmprov ms `zmhostname` zimbraMailMode http
$ zmprov ms `zmhostname` zimbraMailPort 8080

Use Zimbra's CA to Generate Self-Signed Certificates for Apache

$ mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl

Create a certificate request.

$ openssl req -new -nodes -out host.zmb.moc.csr -keyout zimbra.domaina.moc.key \
> -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf

Process the certificate request

$ openssl ca -out host.zmb.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
> -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch

Configure httpd

Apache or Tomcat will not do name-based virtual hosting over SSL because the SSL layer is lower than the HTTP layer which results in the host header being read after the SSL handshake. This is the major conundrum. Please read http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation. Separate IP addresses or listener ports must be assigned to get around the problem.

/etc/httpd/conf.d/zimbra_proxy.conf assigning a separate IP for each virtual host:

ProxyRequests Off
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from all
</Proxy>

<VirtualHost 1.1.1.1:443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
</VirtualHost>

<VirtualHost 1.1.1.2:443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>

Alternate /etc/httpd/conf.d/zimbra_proxy.conf assigning separate SSL listener ports for each domain:

ProxyRequests Off
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from all
</Proxy>

Listen 1443
<VirtualHost *:1443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
</VirtualHost>

Listen 2443
<VirtualHost *:2443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
Jump to: navigation, search