Multiple SSL Virtual Hosts 5.0

Revision as of 10:11, 29 July 2009 by Matt (talk | contribs)

Preface

See Multiple_SSL_Virtual_Hosts for a more complete article, for ZCS 4.5.
Most of the content below was taken from that article, with minor modifications for Zimbra 5.0 (Jetty instead of Tomcat, and a broken "Change Password" button), so most of the credit belongs to that article. The following is less complete than the linked article because not every configuration it lists has been tested here; only the components below have been tested in our environment and are known to work.


Introduction

It may be necessary to provide SSL connections to the mailstore for more than one virtual host on a single Zimbra server. This is not natively possible with the mailstore's own servlet container (Tomcat in ZCS 4.5, Jetty in 5.0), but there is a workable solution using Apache as a reverse proxy (mod_proxy). This configuration works with or without setting Zimbra's per-domain "Virtual Host" attribute, and is a reasonable way to terminate SSL in Apache instead of Jetty.

Configure Zimbra

$ su - zimbra
$ zmprov ms `zmhostname` zimbraMailMode http
$ zmprov ms `zmhostname` zimbraMailPort 8080
$ zmmailboxdctl restart

Use Zimbra's CA to Generate Self-Signed Certificates for Apache

Create self-signed certificates for testing the configuration.

$ mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl
(for SuSE/SLES): $ mkdir /etc/apache2/conf/domaina_ssl; cd /etc/apache2/conf/domaina_ssl

Create a certificate request.

$ openssl req -new -nodes -out zimbra.domaina.moc.csr -keyout zimbra.domaina.moc.key \
> -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf

Process the certificate request (sign it with Zimbra's CA; the output file names match the key and CSR created above).

$ openssl ca -out zimbra.domaina.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
> -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch

Configure httpd/apache2

Neither Apache nor Jetty can do name-based virtual hosting over SSL: the SSL handshake takes place below the HTTP layer, so the server must present a certificate before it has read the Host header that would tell it which virtual host is wanted. This is the central problem. See http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation. To get around it, each SSL virtual host must be given its own IP address or listener port.


The following configuration forces every connection onto SSL: requests arriving on :80 are redirected to :443. The :80 VirtualHost entries are needed because defining only the :443 VirtualHosts appears to break the Change Password button in the Advanced Web Client, which seems to need to connect via plain http at least initially. This could likely be modified to allow both http and https connections if needed, similar to Zimbra's "mixed" mode.


Note that for SLES/SuSE 10.x using the SLES/SuSE Apache package you need to substitute /etc/apache2/httpd.conf for /etc/httpd/conf/httpd.conf, and /etc/apache2 for many of the other /etc/httpd paths. Alternatively, just symlink them.

/etc/httpd/conf/httpd.conf:

NameVirtualHost *:80

/etc/httpd/conf.d/zimbra_proxy.conf assigning a separate IP for each virtual host:

ProxyRequests Off
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from all
</Proxy>
<VirtualHost 1.1.1.1:443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.crt
</VirtualHost>
<VirtualHost 1.1.1.1:80>
  ServerName zimbra.domaina.moc
  Redirect / https://zimbra.domaina.moc/
</VirtualHost>
<VirtualHost 1.1.1.2:443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
<VirtualHost 1.1.1.2:80>
  ServerName zimbra.domainb.moc
  Redirect / https://zimbra.domainb.moc/
</VirtualHost>

- Be sure to restart httpd.
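Because no SNI is available in this setup, the layout rules above (one IP:port per SSL VirtualHost, a matching :80 redirect VirtualHost, a cert and key per name) are easy to get wrong when a third or fourth domain is added. The following checker is an added example, not part of this article and not an Apache tool: it parses the <VirtualHost> blocks of a zimbra_proxy.conf-style file and reports violations of those rules, and it goes one step further than the article by also flagging tokens in SSLCipherSuite that re-enable weak suites (the cipher string shown above enables +SSLv2, +EXP, +LOW and RC4). The list of weak families and the sample configuration are constructed for illustration; the addresses 1.1.1.1 and the zimbra.domain*.moc names are the article's placeholders.

```python
"""Static checks for an Apache mod_ssl/mod_proxy config laid out like the
zimbra_proxy.conf above: SSL vhosts sharing one IP:port (no SNI, so only the
first is ever served), a :443 vhost with no :80 redirect companion, a
ProxyPass without its ProxyPassReverse, and cipher-string tokens that
re-enable weak suites.  Added illustration; not the article's or Apache's."""

import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$", re.M)

# Cipher families a hardened listener should not enable (our list, chosen
# for illustration; OpenSSL cipher-string names, not an Apache-supplied set).
WEAK = {"SSLv2", "SSLv3", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "LOW",
        "RC4", "ADH", "aNULL", "eNULL", "NULL", "DES", "MD5"}


def parse_vhosts(text):
    """Return [(address, {directive: [values...]})] for each <VirtualHost>."""
    hosts = []
    for m in VHOST_RE.finditer(text):
        directives = {}
        for d in DIRECTIVE_RE.finditer(m.group(2)):
            directives.setdefault(d.group(1), []).append(d.group(2))
        hosts.append((m.group(1).strip(), directives))
    return hosts


def weak_cipher_tokens(cipher_string):
    """Tokens that *enable* a weak family.  '!X' and '-X' remove ciphers and
    are never weak; 'X' and '+X' keep or reorder them, so they are checked;
    a compound token such as RC4+RSA is weak if any of its parts is."""
    weak = []
    for token in cipher_string.split(":"):
        if token and token[0] not in "!-":
            if any(p in WEAK for p in token.lstrip("+").split("+")):
                weak.append(token)
    return weak


def lint(text):
    """Return a list of findings (empty means the layout matches the article)."""
    def first(d, key):
        return d.get(key, [""])[0]

    hosts = parse_vhosts(text)
    # (ip, ServerName) pairs that have a plain :80 vhost (the https redirector).
    plain = {(addr.rsplit(":", 1)[0], first(d, "ServerName"))
             for addr, d in hosts if addr.endswith(":80")}
    owner, findings = {}, []
    for addr, d in hosts:
        if first(d, "SSLEngine").lower() != "on":
            continue
        name, ip = first(d, "ServerName"), addr.rsplit(":", 1)[0]
        if addr in owner:
            findings.append(f"{name}: shares {addr} with {owner[addr]}; "
                            "SSL vhosts need a distinct IP or port")
        owner.setdefault(addr, name)
        for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if not first(d, needed):
                findings.append(f"{name}: missing {needed}")
        if (ip, name) not in plain:
            findings.append(f"{name}: no :80 vhost on {ip} to redirect to https")
        if first(d, "ProxyPass") and not first(d, "ProxyPassReverse"):
            findings.append(f"{name}: ProxyPass without ProxyPassReverse")
        for token in weak_cipher_tokens(first(d, "SSLCipherSuite")):
            findings.append(f"{name}: SSLCipherSuite enables weak token {token}")
    return findings


# Constructed sample: domaina laid out as in the article (with its cipher
# string); domainb wrongly placed on the same address, with no :80 vhost, no
# ProxyPassReverse and a stricter cipher string, so every kind of finding
# appears at least once.
SAMPLE_CONF = """
<VirtualHost 1.1.1.1:443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.crt
</VirtualHost>
<VirtualHost 1.1.1.1:80>
  ServerName zimbra.domaina.moc
  Redirect / https://zimbra.domaina.moc/
</VirtualHost>
<VirtualHost 1.1.1.1:443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
"""

if __name__ == "__main__":
    for line in lint(SAMPLE_CONF):
        print(line)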

Alternative solution using Zimbra proxy

This is a general overview of the process and is not a step by step configuration guide. Apologies for it not being more specific but I'm writing this process from memory.


- Install two Zimbra-proxy servers and make sure they're working correctly (handling logins, directing users to the correct mailbox backend, etc). A single zimbra-proxy can be used if you don't wish to configure heartbeat.

- Copy the configuration files from /opt/zimbra/nginx/conf and /opt/zimbra/conf/nginx somewhere safe.

- Stop zimbra and disable it from running at startup.

- Install nginx (eg yum install nginx) but don't run it.

- Install heartbeat and configure it with the correct HA IP addresses.

- Check failover between the two Zimbra-proxy servers is working correctly (IP addresses being transferred, etc).

- Edit /etc/nginx/nginx.conf.main and set "user zimbra zimbra;".

- Edit the nginx init script (/etc/init.d/nginx) and set nginx="/opt/zimbra/nginx/sbin/nginx" since we need to use the Zimbra version of nginx.

- Make sure /etc/nginx/nginx.conf.memcache and nginx.conf exist (use copied config files from earlier).

- Create directories within /etc/nginx for each of the virtual hosts you'd like to handle. Copy into these the "includes" config directory you copied earlier.

- Edit the files within each virtual host's includes directory so they contain the correct path, IP address and certificate details. Each virtual host must use a unique IP address handled by heartbeat, for the same reason as in the Apache setup: there is no name-based virtual hosting over SSL.

- Edit /etc/nginx/nginx.conf and add include entries for each of your virtual hosts: /etc/nginx/{domain}/includes/nginx.conf.mail and /etc/nginx/{domain}/includes/nginx.conf.web.

- You may need to edit the nginx init script so it creates /opt/zimbra/log/nginx.pid and sets ownership to zimbra.

- Start nginx (not via zimbra but with /etc/init.d/nginx); each virtual domain should now be working with its own SSL certificate.

- Configure heartbeat to stop and start nginx accordingly when failover occurs.

- Be sure to check that log rotation is working for nginx.log and nginx.access.log in /opt/zimbra/logs. These logs grow quickly, and if the pid file is not created (mentioned earlier) log rotation will break.


Some notes:

- Access is still required directly to the Zimbra mailbox servers for certain operations. Make sure connections are possible directly to tcp port 8080 (assuming you haven't changed the port) on each mailbox server.

- Zimbra proxy does not currently support IM. You can allow direct access to the Zimbra mailbox servers on tcp ports 5222 and 5223, but obviously this won't support multiple SSL certificates and requires that users know which mailbox server their account resides on.

- This alternative solution does not support Zimbra Admin but this can easily be added using Apache as a reverse proxy (configured multiple times for each of the virtual hosts).


Keywords: ssl , virtual hosts, proxy

Verified Against: ZCS 5.0.x Date Created: 4/14/2008
Article ID: https://wiki.zimbra.com/index.php?title=Multiple_SSL_Virtual_Hosts_5.0 Date Modified: 2009-07-29


