Multiple SSL Virtual Hosts 5.0

Revision as of 13:17, 14 April 2008 by Olmsnj


Preface

See Multiple_SSL_Virtual_Hosts for a more complete article, written for ZCS 4.5.
Most of the text below was taken from that article, with minor modifications for Zimbra 5.0 (Jetty instead of Tomcat, and a "Change Password" button that breaks unless the :80 virtual hosts are present). Most of the credit therefore belongs to that article. This page is less complete than the one linked above because not all of the configurations listed there have been tested against 5.0; only the components below have been tested in our environment and are known to work.


Introduction

It may be necessary to provide SSL connections to the mailstore for more than one virtual host on a Zimbra server. Jetty (like Tomcat in ZCS 4.5) cannot do this natively, but Apache with reverse proxying (mod_proxy) provides a workable solution. The configuration works with or without Zimbra's per-domain "Virtual Host" parameter, and it lets Apache rather than Jetty manage the SSL connections.

Configure Zimbra

Switch the mailstore to plain HTTP on port 8080 so that Apache, not Jetty, terminates SSL:

$ su - zimbra
$ zmprov ms `zmhostname` zimbraMailMode http
$ zmprov ms `zmhostname` zimbraMailPort 8080
$ zmmailboxdctl restart

Jetty now serves mail traffic unencrypted on port 8080. Restrict that port (host firewall or network ACL) to the Apache proxy host, so that clients cannot reach the mailstore without going through SSL.

Use Zimbra's CA to Generate Self-Signed Certificates for Apache

Create test certificates signed by Zimbra's own self-signed CA. Browsers do not trust this CA, so expect a certificate warning; for production, use certificates from a CA your users already trust. Repeat the steps once per virtual host (the example uses domaina).

$ mkdir /etc/httpd/conf/domaina_ssl; cd /etc/httpd/conf/domaina_ssl
(for SuSE/SLES): $ mkdir /etc/apache2/conf/domaina_ssl; cd /etc/apache2/conf/domaina_ssl

Create a private key and certificate request. The CN must be the virtual host's ServerName (here zimbra.domaina.moc) or browsers will reject the certificate; use at least a 2048-bit key, and keep the .key file readable only by root, since -nodes leaves it unencrypted.

$ openssl req -new -nodes -out zimbra.domaina.moc.csr -keyout zimbra.domaina.moc.key \
> -newkey rsa:2048 -config /opt/zimbra/ssl/ssl/zmssl.cnf

Sign the certificate request with the Zimbra CA.

$ openssl ca -out zimbra.domaina.moc.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf \
> -in zimbra.domaina.moc.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch
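A script that issues and checks one certificate per virtual host, added here as an example; it is not from the Zimbra wiki or the Zimbra project. It replaces "openssl ca -config zmssl.cnf" with "openssl x509 -req" and explicit CA files so it does not depend on Zimbra's CA directory layout, includes a throwaway CA for testing on a host without Zimbra, and verifies each certificate against the CA and against the vhost's ServerName before Apache is pointed at it. The CA paths default to the Zimbra ones the page uses; the OUT_BASE directory and the FQDN_ssl directory naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): issue one key/certificate pair per
# SSL virtual host, signed by the Zimbra CA, and verify each certificate before
# Apache is pointed at it. Uses "openssl x509 -req" with an explicit CA key and
# certificate instead of "openssl ca -config zmssl.cnf". CA paths default to
# the ones the page uses; set CA_KEY/CA_CERT to use another CA.
set -e

CA_KEY="${CA_KEY:-/opt/zimbra/ssl/ssl/ca/ca.key}"
CA_CERT="${CA_CERT:-/opt/zimbra/ssl/ssl/ca/ca.pem}"

# make_throwaway_ca DIR: self-signed CA for testing on a host without Zimbra.
# Never use a CA generated this way in production.
make_throwaway_ca() {
    dir="$1"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 \
        -subj "/CN=Throwaway Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# issue_vhost_cert FQDN OUTDIR: private key, CSR and CA-signed certificate for
# one virtual host. CN and subjectAltName are the vhost's ServerName, which is
# the name browsers compare against the URL.
issue_vhost_cert() {
    fqdn="$1"; outdir="$2"
    mkdir -p "$outdir"
    chmod 700 "$outdir"                      # the private key lives here
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$fqdn" \
        -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" >/dev/null 2>&1
    chmod 600 "$outdir/$fqdn.key"
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$outdir/$fqdn.ext"
    openssl x509 -req -sha256 -days 365 -in "$outdir/$fqdn.csr" \
        -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAserial "$outdir/ca.srl" -CAcreateserial \
        -extfile "$outdir/$fqdn.ext" -out "$outdir/$fqdn.crt" >/dev/null 2>&1
}

# cert_cn CERTFILE: print the certificate's CN (handles both the old
# "subject= /CN=x" and the new "subject=CN = x" OpenSSL formatting).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# verify_vhost_cert CERTFILE FQDN: succeed only if the certificate chains to
# CA_CERT and its CN is the vhost name Apache will serve it under.
verify_vhost_cert() {
    openssl verify -CAfile "$CA_CERT" "$1" >/dev/null 2>&1 || return 1
    [ "$(cert_cn "$1")" = "$2" ]
}

# Usage: sh issue_vhost_certs.sh zimbra.domaina.moc zimbra.domainb.moc
# OUT_BASE and the <fqdn>_ssl directory name are assumptions; the page uses
# /etc/httpd/conf/domaina_ssl and /etc/httpd/conf/domainb_ssl.
OUT_BASE="${OUT_BASE:-/etc/httpd/conf}"
for fqdn in ${1+"$@"}; do
    issue_vhost_cert "$fqdn" "$OUT_BASE/${fqdn}_ssl"
    if verify_vhost_cert "$OUT_BASE/${fqdn}_ssl/$fqdn.crt" "$fqdn"; then
        echo "OK   $fqdn"
    else
        echo "FAIL $fqdn" >&2; exit 1
    fi
done
```

The verify step is the part worth keeping even if you issue the certificates by hand: a certificate whose CN does not match the vhost's ServerName, or one signed by a different CA than you think, produces exactly the browser warnings this setup is meant to avoid.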

Configure httpd/apache2

Neither Apache nor Jetty can do name-based virtual hosting over SSL, because SSL sits below HTTP: the server has to present a certificate during the handshake, before it has read the Host header that would tell it which virtual host is wanted. (Server Name Indication later solved this by sending the host name inside the handshake, but it needs support on both the server and every client and is not relied on here.) See http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts for a detailed explanation. Each SSL virtual host therefore needs its own IP address or listener port.


The following configuration forces SSL for every client: the :80 VirtualHosts do nothing but redirect to https://. They are still needed, because with only the :443 VirtualHosts the Change Password button in the Advanced Web Client breaks; it appears to connect over plain http, at least initially. The configuration could probably be modified to allow both http and https, similar to Zimbra's "mixed" mode. Note that ProxyPass rewrites the Host header to the backend's name; if you rely on Zimbra's per-domain Virtual Host setting (which matches on the Host header), add ProxyPreserveHost On to each :443 VirtualHost so that Jetty sees the name the client used.


Note that on SLES/SuSE 10.x with the SLES/SuSE Apache package you need to substitute /etc/apache2/httpd.conf for /etc/httpd/conf/httpd.conf, and /etc/apache2 for most of the other /etc/httpd paths. Alternatively, just symlink them.

/etc/httpd/conf/httpd.conf:

NameVirtualHost *:80

/etc/httpd/conf.d/zimbra_proxy.conf, assigning a separate IP for each virtual host:

# ProxyRequests Off keeps Apache from acting as an open forward proxy;
# ProxyPass (reverse proxying) still works with it off.
ProxyRequests Off
<Proxy *>
  Order deny,allow
  Allow from all
</Proxy>
<VirtualHost 1.1.1.1:443>
  ServerName zimbra.domaina.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  # No anonymous DH, null, export, low-grade or SSLv2 ciphers.
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
  SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.key
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.domaina.moc.crt
</VirtualHost>
<VirtualHost 1.1.1.1:80>
  ServerName zimbra.domaina.moc
  Redirect / https://zimbra.domaina.moc/
</VirtualHost>
<VirtualHost 1.1.1.2:443>
  ServerName zimbra.domainb.moc
  ProxyPass / http://zimbra.domain.moc:8080/
  ProxyPassReverse / http://zimbra.domain.moc:8080/
  SSLEngine On
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
  SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key
  SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt
</VirtualHost>
<VirtualHost 1.1.1.2:80>
  ServerName zimbra.domainb.moc
  Redirect / https://zimbra.domainb.moc/
</VirtualHost>

- Be sure to restart httpd (apache2 on SLES/SuSE) after editing the configuration, then browse to https://zimbra.domaina.moc/ and https://zimbra.domainb.moc/ and confirm that each presents its own certificate and that plain http:// URLs redirect to https://.
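A post-restart check script, added here as an example; it is not from the Zimbra wiki or the Zimbra project. For every IP=FQDN pair it fetches the certificate Apache presents on IP:443, verifies it against the Zimbra CA and compares its CN with the vhost's ServerName, then requests http://IP/ with that Host header and confirms the reply is a redirect to https://FQDN/. The CA path defaults to the one the page uses; it assumes openssl and curl on the machine running the check.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): check each SSL virtual host from a
# client's point of view after httpd has been restarted. CA_CERT defaults to
# the Zimbra CA path the page uses; override it for another CA.
set -e

CA_CERT="${CA_CERT:-/opt/zimbra/ssl/ssl/ca/ca.pem}"

# served_cert IP FQDN: print the PEM certificate the server presents on IP:443.
# -servername is harmless for IP-based vhosts and keeps the check valid if the
# setup is later moved to SNI.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509
}

# cert_ok PEM FQDN: the certificate chains to CA_CERT and its CN equals FQDN.
cert_ok() {
    pem="$1"; fqdn="$2"
    printf '%s\n' "$pem" | openssl verify -CAfile "$CA_CERT" >/dev/null 2>&1 || return 1
    cn=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/.*CN *= *//')
    [ "$cn" = "$fqdn" ]
}

# location_ok HEADERS FQDN: the :80 vhost's only job is to redirect to
# https://FQDN/. Redirect preserves the request path, so a prefix match is the
# right test; a redirect that stays on http:// or goes to another vhost fails.
location_ok() {
    headers="$1"; fqdn="$2"
    printf '%s\n' "$headers" | grep -qi '^HTTP/[0-9.]* 30[1278]' || return 1
    loc=$(printf '%s\n' "$headers" | grep -i '^Location:' | head -n 1 \
            | sed 's/^[Ll]ocation: *//' | tr -d '\r')
    case "$loc" in
        "https://$fqdn/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_vhost IP FQDN: run both checks against the live server.
check_vhost() {
    ip="$1"; fqdn="$2"
    pem=$(served_cert "$ip" "$fqdn")
    cert_ok "$pem" "$fqdn" \
        || { echo "FAIL $fqdn: wrong or untrusted certificate on $ip:443" >&2; return 1; }
    hdrs=$(curl -sI --max-time 10 -H "Host: $fqdn" "http://$ip/")
    location_ok "$hdrs" "$fqdn" \
        || { echo "FAIL $fqdn: $ip:80 does not redirect to https://$fqdn/" >&2; return 1; }
    echo "OK   $fqdn on $ip"
}

# Usage: sh check_vhosts.sh 1.1.1.1=zimbra.domaina.moc 1.1.1.2=zimbra.domainb.moc
status=0
for pair in ${1+"$@"}; do
    check_vhost "${pair%%=*}" "${pair#*=}" || status=1
done
[ "$status" -eq 0 ] || exit 1
```

Run it from a host outside the proxy's own network path if you can: the certificate check catches a vhost that was accidentally given the other domain's key pair, and the redirect check catches an :80 VirtualHost that is missing or points at the wrong name, both of which the browser would otherwise report as a mismatch only after users complain.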
