If anyone’s interested, here’s what I did to bypass the ports and do an automatic redirect to https.
Our Iworx-CP runs on a host that we can call iworx.domain.tld for now.
First I added 2 more hosts to our domain’s DNS conf (siteworx.domain.tld and nodeworx.domain.tld).
I created an SSL server cert for *.domain.tld at cacert.org.
In /etc/httpd/conf.d/ssl.conf I added 3 vhosts and a NameVirtualHost directive:
NameVirtualHost <primary_public_ip>:443
#iworx.domain.tld ##
<VirtualHost <primary_public_ip>:443>
ServerAdmin webmaster@domain.tld
DocumentRoot /var/www/html
ServerName iworx.domain.tld
ErrorLog logs/iworx.domain.tld-error_log
CustomLog logs/iworx.domain.tld-access_log common
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.tld.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.tld.key
</VirtualHost>
##siteworx.domain.tld ##
<VirtualHost <primary_public_ip>:443>
ServerAdmin webmaster@domain.tld
DocumentRoot /var/www/html
ServerName siteworx.domain.tld
ErrorLog logs/siteworx.domain.tld-error_log
CustomLog logs/siteworx.domain.tld-access_log common
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.tld.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.tld.key
SSLProxyEngine On
ProxyPreserveHost On
ProxyPass / https://iworx.domain.tld:2443/siteworx/
ProxyPassReverse / https://iworx.domain.tld:2443/siteworx/
</VirtualHost>
##nodeworx.domain.tld ##
<VirtualHost <primary_public_ip>:443>
ServerAdmin webmaster@domain.tld
DocumentRoot /var/www/html
ServerName nodeworx.domain.tld
ErrorLog logs/nodeworx.domain.tld-error_log
CustomLog logs/nodeworx.domain.tld-access_log common
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.tld.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain.tld.key
</VirtualHost>
I also changed /home/interworx/etc/httpd/httpd-custom.conf to point at the domain.tld crt and key files.
In /etc/httpd/conf.d/domain.tld.conf I added ProxyPass directives and standard vhosts with redirect to https for the above, except for iworx.domain.tld, where we show some info which does not need to use https:
#iworx.domain.tld ##
<VirtualHost <primary_public_ip>:80>
ServerAdmin webmaster@domain.tld
DocumentRoot /var/www/html
ServerName iworx.domain.tld
ErrorLog logs/iworx.domain.tld-error_log
CustomLog logs/iworx.domain.tld-access_log common
</VirtualHost>
##siteworx.domain.tld ##
<VirtualHost <primary_public_ip>:80>
ServerAdmin webmaster@domain.tld
DocumentRoot /var/www/html
ServerName siteworx.domain.tld
ErrorLog logs/siteworx.domain.tld-error_log
CustomLog logs/siteworx.domain.tld-access_log common
Redirect / https://siteworx.domain.tld/
</VirtualHost>
##nodeworx.domain.tld ##
<VirtualHost <primary_public_ip>:80>
ServerAdmin webmaster@domain.tld
DocumentRoot /var/www/html
ServerName nodeworx.domain.tld
ErrorLog logs/nodeworx.domain.tld-error_log
CustomLog logs/nodeworx.domain.tld-access_log common
Redirect / https://nodeworx.domain.tld/
</VirtualHost>
The below since the login process otherwise tried to go
to /siteworx/siteworx/siteworx.php and nodeworx respectively
We will have all our customers use the siteworx.domain.tld URL for the Iworx-CP, maybe I can redirect this in the /home/interworx/etc/httpd/iworx.conf file if it does not break anything when Iworx is updated ??? This so they can use theirsite.tld/siteworx if they want (and land on https://siteworx.domain.tld).
Any comments or suggestions on the above conf are highly appreciated. Maybe this could be done in a smoother way, or maybe I have an error somewhere that will cause functionality problems for Iworx-CP. If not now, maybe in the future?
I would also like to have /webmail and /mysql for the sites to switch to https://siteworx.domain.tld/webmail (or /mysql) but I haven’t found a solution to that yet.
It would be nice to have all Iworx-CP client functions to go to https://siteworx.domain.tld/<???> so that the ssl certificate will not complain about the common name…
rgds
-tsl-
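An added example, not part of the original post: a small audit of the `SSLCipherSuite` string used in the vhosts above. It uses a simplified model of the OpenSSL cipher-string operators that tracks only the classes SSLv2, EXP, LOW, ADH and eNULL. The second vhost in the sample (`hardened.example`) is constructed for comparison.

```python
# Weak cipher classes that the OpenSSL alias ALL already contains.
# eNULL is deliberately absent: ALL never includes it.
WEAK_IN_ALL = {"SSLv2", "EXP", "LOW", "ADH"}
WEAK = WEAK_IN_ALL | {"eNULL"}

# First vhost uses the cipher string from the post; the second is constructed.
SAMPLE = """
<VirtualHost <primary_public_ip>:443>
ServerName siteworx.domain.tld
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
<VirtualHost <primary_public_ip>:443>
ServerName hardened.example
SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""

def weak_classes(cipher_string):
    """Return the tracked weak classes a cipher string leaves enabled."""
    enabled, killed = set(), set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):        # permanent removal
            killed.add(token[1:])
            enabled.discard(token[1:])
        elif token.startswith("-"):      # removal, may be re-added later
            enabled.discard(token[1:])
        elif token.startswith("+"):      # reorders enabled ciphers, never adds
            continue
        elif token == "ALL":
            enabled |= WEAK_IN_ALL - killed
        elif token in WEAK and token not in killed:
            enabled.add(token)
    return sorted(enabled)

def audit(conf_text):
    """Map each ServerName to the weak classes of its SSLCipherSuite."""
    report, name = {}, None
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "</VirtualHost>":
            name = None
        elif len(parts) >= 2 and parts[0] == "ServerName":
            name = parts[1]
        elif len(parts) >= 2 and parts[0] == "SSLCipherSuite" and name:
            report[name] = weak_classes(parts[1])
    return report

if __name__ == "__main__":
    for host, weak in audit(SAMPLE).items():
        print(host, "->", ", ".join(weak) or "no tracked weak classes")
```

The weak classes in the posted string come from `ALL`; the `+SSLv2`, `+EXP` and `+LOW` tokens only move them to the end of the preference list, and `!EXPORT56` leaves the rest of `EXP` in place. Whether those ciphers are actually offered depends on the OpenSSL build that mod_ssl is linked against.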