Multiple SSL Virtual Hosts 5.0
See Multiple_SSL_Virtual_Hosts for a more complete article, for ZCS 4.5.
Most of the below was taken from that article, with minor modifications to handle Zimbra 5.0 (Jetty instead of Tomcat, broken "Change Password" button). Thus, most of the credit for the below belongs to that article. The following is not as complete as the above link, due to not having tested all the possible configurations listed in the above link, so only the below components have been tested in our environment and are known to work are listed below.
It may be required to provide SSL connections to the mailstore for more than one virtual host on a Zimbra server. While this is not natively possible with Tomcat, there is a workable solution with Apache and reverse proxy (mod_proxy). This configuration can work with or without setting Zimbra's domain "Virtual Host" parameter and can be a great substitution for managing SSL connections with Apache instead of Jetty.
$ su - zimbra $ zmprov ms `zmhostname` zimbraMailMode http $ zmprov ms `zmhostname` zimbraMailPort 8080 $ zmmailboxdctl restart
Use Zimbra's CA to Generate Self-Signed Certificates for Apache
Create self-signed certificates for testing the configuration.
$ mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl (for SuSE/SLES): $ mkdir /etc/apache2/conf/domaina_ssl; cd /etc/apache2/conf/domaina_ssl
Create a certificate request.
$ openssl req -new -nodes -out host.zmb.moc.csr -keyout zimbra.domaina.moc.key \ > -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf
Process the certificate request.
$ openssl ca -out host.zmb.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \ > -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch
Apache or Jetty will not do name-based virtual hosting over SSL because the SSL layer is lower than the HTTP layer which results in the host header being read after the SSL handshake. This is the major conundrum. Please read http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation. Separate IP addresses or listener ports must be assigned to get around the problem.
The following configuration forces SSL sessions for all, regardless of http or https. The :80 VirtualHost entries are needed as only entering the :443 VirtualHosts appears to break the Change Password button in the Advanced Web Client which appears to need to connect, at least initially, via http. This can likely be modified to allow http and https connections if needed, similar to Zimbra "mixed" mode.
Note that for SLES/SuSE 10.x using the SLES/SuSE Apache package you need to substitute /etc/apache2/httpd.conf for /etc/httpd/conf/httpd.conf, and /etc/apache2 for many of the other /etc/httpd items. Or, just symlink it.
/etc/httpd/conf.d/zimbra_proxy.conf assigning a separate IP for each virtual host:
ProxyRequests Off <Proxy *> Order deny,allow Deny from all Allow from all </Proxy>
<VirtualHost 188.8.131.52:443> ServerName zimbra.domaina.moc ProxyPass / http://zimbra.domain.moc:8080/ ProxyPassReverse / http://zimbra.domain.moc:8080/ SSLEngine On SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt </VirtualHost>
<VirtualHost 184.108.40.206:80> ServerName zimbra.domaina.moc Redirect / https://zimbra.domaina.moc/ </VirtualHost>
<VirtualHost 220.127.116.11:443> ServerName zimbra.domainb.moc ProxyPass / http://zimbra.domain.moc:8080/ ProxyPassReverse / http://zimbra.domain.moc:8080/ SSLEngine On SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt </VirtualHost>
<VirtualHost 18.104.22.168:80> ServerName zimbra.domainb.moc Redirect / https://zimbra.domainb.moc/ </VirtualHost>
- Be sure to restart httpd.