Force /webmail, /roundcube, etc. to SSL

If you try to go to SiteWorx for a domain it will force you to SSL on port 2443. But if you try the same with webmail, it allows you to connect using HTTP. Is there a way to add this same redirect for /siteworx to all the webmail paths?

Also, since most sites won’t have SSL can it be redirected to a main domain I have an SSL for?

Hi Justin

Yes, both of your requirements can be completed

Sorry, I’m out with the family but from memory, webmail can be set in iworx.conf as it has been for nodeworx/siteworx and you can use whatever domain you choose. Usually server hostname I guess, which makes sense

You could also just give out the hostname webmail for login

If I have time tommorow when I’m back, I’ll test it out

Many thanks

John

Editing the iworx.conf in the “public httpd” area I was able to accomplish this to a degree.


RewriteRule ^/roundcube(/)?$ https://mycustomdomain.com:2443/roundcube/ [R,L]

The only time this didn’t work is if someone went to the URL with the 2080 port: http://customerdomain.com:2080/roundcube/
With that 2080 in there, it would just load it non-secure.

So then I added this to the iworx.conf


RewriteEngine on
RewriteCond %{SERVER_PORT} 2080
RewriteRule ^(.*)$ https://mycustomdomain.com:2443$1 [R,L]

This didn’t do anything, but then I realized that if you put in the 2080 port it is running on the interworx “private” http server.
So I added that code into /home/interworx/etc/httpd/httpd-custom.conf, did an iworx restart and now it works.

I know most people wouldn’t put in 2080, but trying to make my server PCI Compliant and I think they have some links direct to that. I guess I could just disable 2080 listening port on the “private” iworx httpd.conf as well and that would work.

Hi Justin

Many thanks

My original thought was to have the same as /nodeworx or /siteworx, and set one up as /webmail, so it directs to your chosen site.

This is based on the access to webmail, as in mydomain.url/webmail

I have not tried this though sorry, and you have it working now, but would that work for horde and the other one

Many thanks

John

I realize my post above was confusing because it was following my train of thought, let me break it down by each conf file and why what goes where. Please keep an eye out for System Apache vs Interworx Apache below, as this is key.

iworx.conf


RewriteEngine on
RewriteRule ^/siteworx(/)?$ https://%{HTTP_HOST}:2443/siteworx/\?domain=%{HTTP_HOST} [R,L]
RewriteRule ^/nodeworx(/)?$ https://%{HTTP_HOST}:2443/nodeworx/ [R,L]
RewriteRule ^/webmail(/)?$ https://%{HTTP_HOST}:2443/webmail/ [R,L]
RewriteRule ^/roundcube(/)?$ https://maindomainwithssl.com:2443/roundcube/ [R,L]
RewriteRule ^/horde(/)?$ https://maindomainwithssl.com:2443/horde/ [R,L]
RewriteRule ^/squirrelmail(/)?$ https://maindomainwithssl.com:2443/squirrelmail/ [R,L]

In addition to the ones that were there already, this will redirect…
mydomain.url/roundcube maindomainwithssl:2443/roundcube
mydomain.url/horde maindomainwithssl:2443/horde
mydomain.url/squirrelmail maindomainwithssl:2443/squirrelmail

So this is basically redirecting from standard System Apache (port HTTP 80 and HTTPS 443) to the Interworx Apache on port HTTPS 2443.

The only time this doesn’t work is if someone goes direct to a URL with port HTTP 2080 or HTTP 2443. When this happens someone is connecting directly to the Interworx setup and bypasses the iworx.conf.
So in in the case of 2443 it doesn’t really matter, they will get a certificate name mismatch, but it will be secure.
But if they go to 2080, then they would be allowed to connect without being secure.

To get around the 2080 problem I updated the Interworx Apache config file

/home/interworx/etc/httpd/httpd-custom.conf


RewriteEngine on
RewriteCond %{SERVER_PORT} 2080
RewriteRule ^(.*)$ https://mycustomdomain.com:2443$1 [R,L]

This tells the Interworx Apache that anything coming in on port 2080 will be redirected to 2443. Basically allowing connection on the standard Interworx HTTP port of 2080, but forcing it to the secure HTTPS 2443 before it can do anything.

The other option is just disabling port 2080 on Interworx Apache so no one can connect insecurely in the first place.

Not sure why one wouldn’t work. If the server setup is the same as the others it should. Have you tried doing a reboot?

On the other note, if I go to https://somedomain.com/siteworx it will redirect to my main domain that has SSL and show the login page.
If I do https://sub.somedomain.com/siteworx it gives me a certificate error (before redirect), if I just say to ignore it, then the redirect goes through and I’m on the correct page.

I’m really not sure why having a subdomain throws it off.

Hi Justin and Bertie

I know https is handled differently to that of http, and I cannot test on live with a live domain, but would think the subdomain cert error is because the subdomain needs to match its SSL including private key with nodeworx SSL and siteworx hostname SSL, thereby all certs match
I could be wrong though sorry.
Many thanks
John

John, the difference here for me is the sub.domain.com not redirecting to the correct SSL domain, lets call it ssldomain.com.

If I do https://domainnossl.com/siteworx before I can even get a certificate error it redirects to https://ssldomain.com:2443/siteworx/?domain=domainnossl.com as expected.

But do https://sub.domainnossl.com/siteworx and you get the error.

Hi Justin

Many thanks

Sorry, it’s late here and just having a cold beer watching pbs American showing world trade centre 1, very interesting as we visited the WTC site in 2004 and paid our respects

I think I’m beginning to understand and just a thought, are subdomain handled the same way as subdomain SSL, which I guess so

On your test, does the subdomain match fully with the private key etc on the SSL

Have you tried with htaccess

I’ll have to think about this a little more, but it’s in the back of my mind that because it’s https, some details are hidden to the logic, if that makes sense

Have a lovely night

Many thanks

John

In this example, the subdomain domain does not have SSL. It is supposed to redirect to the correct host which I’ve setup in NodeWorx SSL screen.
The redirect from https:// or http:// for a domain with no SSL works fine, but with the subdomain it doesn’t redirect.

Not a big deal for me, but since it was brought up by Bertie I was trying to understand it.

Hi Bertie

Many thanks

Hashing those redirects would cause a page not found, which is correct as the siteworx/nodeworx do not have these folders in the root directory.

The webmail worked still because you did not hash them out

As I said previous, with https, if the page or redirect does not exist, I believe it reverts to Apache https folder

A quick question, so apologies if I am wrong in advance, but on your rewrite rule, can you test using the actual suddomain url in full and not http_host for the server part, leaving domain=%(HTTP_HOST) [R,L]

Many thanks

John

Hi Bertie

Many thanks, yes that was what I was asking and sorry it did not work

It goes to page unknown because it does not exist - https handles things differently

I would think (and apologies, I’m losing site of issue) if you put the redirects also in the vhost file, that it may work and trigger correctly, but I cannot test it as I do not have a test server set using a sub domain

Many thanks

John

Hi Bertie

Many thanks and I have PM you with 2 test domains. If you could post if they work as you expect and if so, I will post exactly how I did it

John

Hi Bertie

Many thanks, seem your pm so will update when I?m back later today or tomorrow if alright

Many thanks

John

Hi Bertie

Please see the change that I made to iworx.com, so SSH into server and either run as root or su

vi /etc/httpd/conf.d/iworx.conf

RewriteRule ^/siteworx(/)?$ https://myserver.url:2443/siteworx/?domain=%{HTTP_HOST} [R,L]
RewriteRule ^/nodeworx(/)?$ https://myserver.url:2443/nodeworx/ [R,L]
RewriteRule ^/webmail(/)?$ https://myserver.url:2443/webmail/ [R,L]
RewriteRule ^/roundcube(/)?$ https://myserver.url:2443/roundcube/ [R,L]
RewriteRule ^/horde(/)?$ https://myserver.url:2443/horde/ [R,L]
RewriteRule ^/squirrelmail(/)?$ https://myserver.url:2443/squirrelmail/ [R,L]

Please note myserver.url would be changed to your nodeworx URL domain, which lets say you use
mynwdomain.co.uk as your main Interworx server FQDN for nodeworx/siteworx/webmail and it has a SSL (which you can use Lets Encrypt for SSL), the additions would be as follows

RewriteRule ^/siteworx(/)?$ https://mynwdomain.co.uk:2443/siteworx/?domain=%{HTTP_HOST} [R,L]
RewriteRule ^/nodeworx(/)?$ https://mynwdomain.co.uk:2443/nodeworx/ [R,L]
RewriteRule ^/webmail(/)?$ https://mynwdomain.co.uk:2443/webmail/ [R,L]
RewriteRule ^/roundcube(/)?$ https://mynwdomain.co.uk:2443/roundcube/ [R,L]
RewriteRule ^/horde(/)?$ https://mynwdomain.co.uk:2443/horde/ [R,L]
RewriteRule ^/squirrelmail(/)?$ https://mynwdomain.co.uk:2443/squirrelmail/ [R,L]

Please either then reboot server, or restart interworx (service iworx restart) and restart apache (service httpd restart), then test but you may have to clear browser cache first

I hope that helps

Many thanks

John

Hi Bertie

Many thanks

I have changed one of our servers as test, to make sure if subdomain rewrites works as expected.

There is a SSL cert error warning, as I have not changed IW SSL certs (just needed to check the rewrite on http and https)

This works lovely, so I will PM you the domains to test yourself if alright.

What version of IW and distro are you using

Is the DNS correctly setup

did you restart iworx and Apache (or restart server) as both iworx and Apache need restarting for changes to happen

Many thanks

John

Hi Bertie

Many thanks

They should not be able to unless using 2080, and if you want to stop that, justec posted earlier on thread a how to

I would try deleting your hash redirects, saving and restarting iWorx and Apache. Actually if restarting, do you get any errors

The only other thing I could think right now is are there any other redirects setup anywhere or are you load balancing or running through a proxy

Is the issue that http://mydomain.url/siteworx not redirecting to https//myserver.url:/443/siteworx but to http://myserver.url:2080/siteworx

Is that correct

On my test, does it work correctly as expected

Many thanks

John

Hi Bertie

Many thanks

Your settings look to be correct so should just work

I am not sure why the port numbers are not been displayed. Perhaps this points to some port number changes, and if using main server url for webmail, requires the port /2443

I would fully restart the server, clear browser cache and test

If this does not resolve issue, as it needs more information and correct domain url to be given, which you do not want to do on the forum, I would open a support ticket and let IW have a proper look to see what?s happening/going wrong

To be sure I had set our test up correctly, I have changed IW-CP ssl certs so there is no error on SSL and it still works lovely

If you could update thread it would be appreciated

Many thanks

John

Hi Bertie

Many thanks and answer same as you have found, except when using /roundcube /horde, then it works

Could you add your server FQDN as a siteworx account and then using vhost file to auto change to https

I can post later the detail you need for this http to https using vhost file for domain

This then may well work or not, but it is worth a try

Many thanks

John

Hi Bertie

Many thanks and please see below for http to https for vhost file

RewriteEngine On
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This I place between the following lines

ServerAdmin [email protected]

RewriteEngine On
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

subdomain logic

You need to restart apache for this to come live

I was thinking though, prior to adding the server FQDN as a siteworx account, if you just browse to your server FQDn, it takes you to the siteworx login page, which should not happen.

Are you sure you have not made any other changes anywhere

Apologies if I am wrong and it is default action, but I do not think it is

so if you browse to http://my.server.url this then I am sure took me to http://my.server.url/siteworx

Sorry, just checking and it appears to be working lovely now when browsing to http://my.server.url, it is going to https://my.server.url/nodeworx, and if trying http://my.server.url/siteworx goes to https://my.server.url/siteworx

port 2080 shows page cannot be displayed

Please, what have you changed

I hope that makes sense

Many thanks

John