Force /webmail, /roundcube, etc. to SSL


    If you try to go to SiteWorx for a domain it will force you to SSL on port 2443. But if you try the same with webmail, it allows you to connect using HTTP. Is there a way to add this same redirect for /siteworx to all the webmail paths?

    Also, since most sites won't have SSL can it be redirected to a main domain I have an SSL for?
    Last edited by Justec; 01-07-2017, 02:25 PM.
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  • #2
    Hi Justin

    Yes, both of your requirements can be completed

    Sorry, I'm out with the family but from memory, webmail can be set in iworx.conf as it has been for nodeworx/siteworx and you can use whatever domain you choose. Usually server hostname I guess, which makes sense

    You could also just give out the hostname webmail for login

    If I have time tomorrow when I'm back, I'll test it out

    Many thanks

    John



    • #3
      Editing the iworx.conf in the "public httpd" area I was able to accomplish this to a degree.
      Code:
      RewriteRule ^/roundcube(/)?$ https://mycustomdomain.com:2443/roundcube/ [R,L]
      The only time this didn't work is if someone went to the URL with the 2080 port: http://customerdomain.com:2080/roundcube/
      With that 2080 in there, it would just load it non-secure.


      So then I added this to the iworx.conf
      Code:
      RewriteEngine on
      RewriteCond %{SERVER_PORT} 2080
      RewriteRule ^(.*)$ https://mycustomdomain.com:2443$1 [R,L]

      This didn't do anything, but then I realized that if you put in the 2080 port it is running on the interworx "private" http server.
      So I added that code into /home/interworx/etc/httpd/httpd-custom.conf, did an iworx restart and now it works.

      I know most people wouldn't put in 2080, but trying to make my server PCI Compliant and I think they have some links direct to that. I guess I could just disable 2080 listening port on the "private" iworx httpd.conf as well and that would work.
      [ JUSTIN ]
      [ OFF unit ]
      [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
      ]



      • #4
        Hi Justin

        Many thanks

        My original thought was to have the same as /nodeworx or /siteworx, and set one up as /webmail, so it directs to your chosen site.

        This is based on the access to webmail, as in mydomain.url/webmail

        I have not tried this though sorry, and you have it working now, but would that work for horde and the other one

        Many thanks

        John



        • #5
          I realize my post above was confusing because it was following my train of thought. Let me break it down by each conf file and why what goes where. Please keep an eye out for System Apache vs Interworx Apache below, as this is key.

          iworx.conf
          Code:
          RewriteEngine on
          RewriteRule ^/siteworx(/)?$ https://%{HTTP_HOST}:2443/siteworx/\?domain=%{HTTP_HOST} [R,L]
          RewriteRule ^/nodeworx(/)?$ https://%{HTTP_HOST}:2443/nodeworx/ [R,L]
          RewriteRule ^/webmail(/)?$ https://%{HTTP_HOST}:2443/webmail/ [R,L]
          RewriteRule ^/roundcube(/)?$ https://maindomainwithssl.com:2443/roundcube/ [R,L]
          RewriteRule ^/horde(/)?$ https://maindomainwithssl.com:2443/horde/ [R,L]
          RewriteRule ^/squirrelmail(/)?$ https://maindomainwithssl.com:2443/squirrelmail/ [R,L]
          In addition to the ones that were there already, this will redirect...
          mydomain.url/roundcube -> maindomainwithssl:2443/roundcube
          mydomain.url/horde -> maindomainwithssl:2443/horde
          mydomain.url/squirrelmail -> maindomainwithssl:2443/squirrelmail

          So this is basically redirecting from standard System Apache (port HTTP 80 and HTTPS 443) to the Interworx Apache on port HTTPS 2443.

          The only time this doesn't work is if someone goes direct to a URL with port HTTP 2080 or HTTP 2443. When this happens someone is connecting directly to the Interworx setup and bypasses the iworx.conf.
          So in the case of 2443 it doesn't really matter, they will get a certificate name mismatch, but it will be secure.
          But if they go to 2080, then they would be allowed to connect without being secure.

          To get around the 2080 problem I updated the Interworx Apache config file

          /home/interworx/etc/httpd/httpd-custom.conf
          Code:
          RewriteEngine on
          RewriteCond %{SERVER_PORT} 2080
          RewriteRule ^(.*)$ https://mycustomdomain.com:2443$1 [R,L]

          This tells the Interworx Apache that anything coming in on port 2080 will be redirected to 2443. Basically allowing connection on the standard Interworx HTTP port of 2080, but forcing it to the secure HTTPS 2443 before it can do anything.

          The other option is just disabling port 2080 on Interworx Apache so no one can connect insecurely in the first place.
          Last edited by Justec; 01-09-2017, 03:25 PM.
          [ JUSTIN ]
          [ OFF unit ]
          [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
          ]
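One way to check the redirects described in post #5 from the outside, as an added example that is not part of the original thread: it requests each webmail path over plain HTTP on the System Apache port (80) and the Interworx Apache port (2080) without following redirects, and reports any path that is answered in cleartext. The host name in the `__main__` block is a placeholder and the function names are this example's own.

```python
import http.client
from urllib.parse import urlsplit

# Paths taken from the rewrite rules in the thread.
WEBMAIL_PATHS = ["/webmail", "/roundcube", "/horde", "/squirrelmail"]

def classify(status, location, want_host=None, want_port=2443):
    """Judge one plain-HTTP response: 'ok' or the reason it is not forced to SSL."""
    if status is None:
        return "closed"              # port not listening: nothing served in cleartext
    if not 300 <= status < 400:
        return "served-over-http"    # content came back unencrypted
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "redirect-not-https"
    if target.port != want_port:
        return "wrong-port"
    if want_host and target.hostname != want_host.lower():
        return "wrong-host"
    return "ok"

def probe(host, port, path, timeout=5):
    """Send one GET over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None, None
    finally:
        conn.close()

def audit(host, want_host=None, ports=(80, 2080), paths=WEBMAIL_PATHS):
    """Return {(port, path): verdict} for every port/path combination."""
    results = {}
    for port in ports:
        for path in paths:
            status, location = probe(host, port, path)
            results[(port, path)] = classify(status, location, want_host)
    return results

if __name__ == "__main__":
    # Placeholder host name (assumption); replace with a hosted customer domain.
    # want_host is left unset because /webmail redirects to %{HTTP_HOST}.
    for (port, path), verdict in sorted(audit("customerdomain.example").items()):
        print(f"{port:>5} {path:<14} {verdict}")
```

A `served-over-http` verdict on port 2080 is the case the `httpd-custom.conf` rule addresses; `closed` on 2080 is what the alternative of disabling that listener would produce.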



          • #6
            Thought I would start posting in here about the redirect issues from the previous thread.

            This works on 2 of our Interworx servers but doing the exact same on the 3rd no changes appear to happen. It will just directly go to the non-HTTPS version of roundcube for example. Even after cache clearing, checking different browsers and so on.

            Any ideas on that?


            Also,

            Is there a way to get it so if someone did: https://xx.domain.com/siteworx and nodeworx it would actually take them to the correct siteworx URL for HTTPS? At the moment it just goes to "Not found"

            but the non-https version will take it straight to the correct working HTTPS version.



            • #7
              Not sure why one wouldn't work. If the server setup is the same as the others it should. Have you tried doing a reboot?

              On the other note, if I go to https://somedomain.com/siteworx it will redirect to my main domain that has SSL and show the login page.
              If I do https://sub.somedomain.com/siteworx it gives me a certificate error (before redirect), if I just say to ignore it, then the redirect goes through and I'm on the correct page.

              I'm really not sure why having a subdomain throws it off.
              [ JUSTIN ]
              [ OFF unit ]
              [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
              ]



              • #8
                Hi Justin and Bertie

                I know https is handled differently to that of http, and I cannot test on live with a live domain, but would think the subdomain cert error is because the subdomain needs to match its SSL including private key with nodeworx SSL and siteworx hostname SSL, thereby all certs match
                I could be wrong though sorry.
                Many thanks
                John



                • #9
                  Yeah we have never had Interworx installed just on a normal domain - It's always been a sub-domain so I'm not sure if it would work on that setup compared to what we have. The server hostname matches and we then use a wildcard SSL cert.



                  • #10
                    John, the difference here for me is the sub.domain.com not redirecting to the correct SSL domain, let's call it ssldomain.com.

                    If I do https://domainnossl.com/siteworx before I can even get a certificate error it redirects to https://ssldomain.com:2443/siteworx/...omainnossl.com as expected.

                    But do https://sub.domainnossl.com/siteworx and you get the error.
                    [ JUSTIN ]
                    [ OFF unit ]
                    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
                    ]



                    • #11
                      Hi Justin

                      Many thanks

                      Sorry, it's late here and just having a cold beer watching pbs American showing world trade centre 1, very interesting as we visited the WTC site in 2004 and paid our respects

                      I think I'm beginning to understand and just a thought, are subdomain handled the same way as subdomain SSL, which I guess so

                      On your test, does the subdomain match fully with the private key etc on the SSL

                      Have you tried with htaccess

                      I'll have to think about this a little more, but it's in the back of my mind that because it's https, some details are hidden to the logic, if that makes sense

                      Have a lovely night

                      Many thanks

                      John



                      • #12
                        Originally posted by d2d4j:
                        On your test, does the subdomain match fully with the private key etc on the SSL
                        In this example, the subdomain domain does not have SSL. It is supposed to redirect to the correct host which I've setup in NodeWorx SSL screen.
                        The redirect from https:// or http:// for a domain with no SSL works fine, but with the subdomain it doesn't redirect.

                        Not a big deal for me, but since it was brought up by Bertie I was trying to understand it.
                        [ JUSTIN ]
                        [ OFF unit ]
                        [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
                        ]



                        • #13
                          Don't know if this sheds any more light on the issue I posted. If I hash out the following in iworx.conf:
                          RewriteRule ^/siteworx(/)?$ https://%{HTTP_HOST}:2443/siteworx/\?domain=%{HTTP_HOST} [R,L]
                          RewriteRule ^/nodeworx(/)?$ https://%{HTTP_HOST}:2443/nodeworx/ [R,L]
                          Then http://xx.domain.com/siteworx or nodeworx will show:

                          Not Found

                          The requested URL /siteworx was not found on this server.



                          Which would be the same message when those rules are active and you went directly to the HTTPS version. But the non-HTTPS version would redirect you to a working SSL version: https://xx.domain.com:2443/siteworx/...yourdomain.com when the redirects are in place.

                          Note: This only happens to /siteworx and /nodeworx. Things like /webmail or /roundcube work perfectly.
                          Last edited by Bertie; 02-21-2017, 03:13 AM.



                          • #14
                            Hi Bertie

                            Many thanks

                            Hashing those redirects would cause a page not found, which is correct as the siteworx/nodeworx do not have these folders in the root directory.

                            The webmail worked still because you did not hash them out

                            As I said previously, with https, if the page or redirect does not exist, I believe it reverts to Apache https folder

                            A quick question, so apologies if I am wrong in advance, but on your rewrite rule, can you test using the actual subdomain url in full and not http_host for the server part, leaving domain=%{HTTP_HOST} [R,L]

                            Many thanks

                            John



                            • #15
                              Originally posted by d2d4j:
                              Hi Bertie

                              Many thanks

                              Hashing those redirects would cause a page not found, which is correct as the siteworx/nodeworx do not have these folders in the root directory.

                              The webmail worked still because you did not hash them out

                              As I said previously, with https, if the page or redirect does not exist, I believe it reverts to Apache https folder

                              A quick question, so apologies if I am wrong in advance, but on your rewrite rule, can you test using the actual subdomain url in full and not http_host for the server part, leaving domain=%{HTTP_HOST} [R,L]

                              Many thanks

                              John

                              Is this what you wanted me to try?

                              RewriteRule ^/siteworx(/)?$ https://xx.domain.com:2443/siteworx/\?domain=%{HTTP_HOST} [R,L]
                              RewriteRule ^/nodeworx(/)?$ https://cp2.domain.com:2443/nodeworx/ [R,L]

                              If so then the same issues occur.
