Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: crazybob on May 18, 2010, 02:35:41 AM

Title: ssl cert virtual domains
Post by: crazybob on May 18, 2010, 02:35:41 AM
Would it be possible to set up certs for virtual domains based on this http://onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html article?

TAI


Bob
Title: Re: ssl cert virtual domains
Post by: CharlieBrady on May 18, 2010, 04:12:36 AM
Would it be possible to set up certs for virtual domains based on this http://onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html article?

SME server already sets up virtual domains exactly as specified in that article - in the last code block, just before the paragraph "In other words, exactly the way you'd set up regular virtual hosts, except turning on SSL in each one".
Title: Re: ssl cert virtual domains
Post by: crazybob on May 18, 2010, 12:51:10 PM
but would it be possible to use a different ssl cert and port as in the first block of code? :-)
Title: Re: ssl cert virtual domains
Post by: Stefano on May 18, 2010, 01:20:05 PM
AFAIR there should be already some posts about your request and a NFR in bugzilla..
please search, thank you :-)
Title: Re: ssl cert virtual domains
Post by: CharlieBrady on May 18, 2010, 02:30:41 PM
but would it be possible to use a different ssl cert and port as in the first block of code? :-)

Yes, you can do that with a custom template.
Title: Re: ssl cert virtual domains
Post by: crazybob on May 19, 2010, 12:53:10 PM
I have created templates in the past for httpd, but they always affect all ibays. I have been searching, but I have not been able to find a way to make a template fragment that will affect only a specific ibay/vhost. Looking for a push in the right direction :-)
Title: Re: ssl cert virtual domains
Post by: cactus on May 19, 2010, 03:06:15 PM
I have created templates in the past for httpd, but they always affect all ibays. I have been searching, but I have not been able to find a way to make a template fragment that will affect only a specific ibay/vhost. Looking for a push in the right direction :-)
Create the proper directory structure in the templates-custom folder and instead of the VirtualHosts folder create the folder with, for instance, the name of your domain.

Copy the relevant fragments from the original VirtualHosts container to the folder for your domain and modify according to your wishes.

Add a property TemplatePath with the name of your domain to the domain in the domains database:

Code:
db domains setprop domain.tld TemplatePath directoryname
signal-event domain-modify domain.tld

IIRC that is how you can override one domain.
Title: Re: ssl cert virtual domains
Post by: crazybob on May 19, 2010, 05:35:40 PM
I will give it a try on a test server. Thanks :D
Title: Re: ssl cert virtual domains
Post by: crazybob on May 23, 2010, 11:09:34 PM
I created a folder called test in /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
In the test folder I placed a file called test1 with the following code
Code:
{
    my $listen_default = "Listen 0.0.0.0:445";

    my $mode = $SystemMode || "serveronly";

    return $listen_default if ($mode eq "serveronly");

    my $httpdAccess = ${'httpd-e-smith'}{access} || 'private';

    return $listen_default unless ($httpdAccess eq "private");

    # Only selectively bind interfaces if we are in private server/gateway mode

    my @ipAddresses = ("127.0.0.1", $LocalIP);

    # Remove any duplicate IP addresses
    my %ipAddresses = map { $_ => 1 } @ipAddresses;
    foreach my $ip (sort keys %ipAddresses)
    {
        $OUT .= "Listen $ip:445\n";
    }
}

issued command
Code:
db domains setprop test.com /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf test
followed by
Code:
signal-event domain-modify test.com
Nothing changes in httpd.conf

Edit to replace code in first block
Title: Re: ssl cert virtual domains
Post by: CharlieBrady on May 24, 2010, 12:06:09 AM
Nothing changes in httpd.conf

What you have done does not match what cactus suggested you do.

Note, however, that if you wish to use the TemplatePath option, then you need to provide a full set of template fragments for domains.

Your code, in any case, does nothing to provide a different port for each virtual domain. All you seem to be trying to do, albeit imperfectly, is use port 445 instead of port 443. That won't achieve what you are trying to achieve.
Title: Re: ssl cert virtual domains
Post by: crazybob on May 24, 2010, 12:14:52 AM
Thank you for the reply Charlie. I was hoping to change the ssl port on only one v/domain. The article I referenced at the top of this thread led me to believe I could use 2 ssl certs if I use different ports. If I copy all the templates, and make the appropriate changes for the port number, and add the ssl cert paths, should that work, or is there an easier way?
Title: Re: ssl cert virtual domains
Post by: crazybob on May 24, 2010, 02:50:53 AM
Looking at the contents of the files in the VirtualHost folder, I see nothing to set the ssl port to 445. I do see a series of files in the httpd.conf folder that do address the ssl port. Should I be using those to change the port number?
Title: Re: ssl cert virtual domains
Post by: cactus on May 24, 2010, 10:04:10 AM
Disclaimer: This might work, I have not tested it.

First create the directory structure needed for the custom-template fragments:
Code:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/

Copy the original template fragments that need to be customized to the same relative location in the custom-templates tree:
Code:
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/80VirtualHosts .
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives VirtualHosts/

If no other custom template fragments are present for httpd.conf your custom-template tree should now look like this:
Code:
[root@smetest httpd.conf]# ls -R
.:
80VirtualHosts  VirtualHosts

./VirtualHosts:
25SSLDirectives
[root@smetest httpd.conf]#

Now edit the copied fragments with your favorite editor. Let's start with the 80VirtualHosts fragment.

Change the following line:
Code:
       foreach my $port (qw(80 443))
to:
Code:
       my $sslport = $domain->prop('SSLPort') || '443';

       my @ports = (80);
       push (@ports, $sslport);

       foreach my $port (@ports)

And below this line:
Code:
                port => $port,
add the following line:
Code:
                sslport => $sslport,
Now save this file as you are done with it.

On with the second file (./VirtualHosts/25SSLDirectives):
Change the following line:
Code:
    return "    # skipping SSL directives\n" unless $port eq "443";
to:
Code:
    return "    # skipping SSL directives\n" unless $port eq $sslport;
Now save this file as you are done with it.

We have now created custom-template fragments that supersede the original template fragments when the configuration file is generated. The template fragments take an additional parameter from the domains database that specifies the SSL port to use for the domain; if none is provided the default port (443) will be used.

To modify the port number for a domain you can add/modify the SSLPort property in the domains database like this:
Code:
db domains setprop domain.tld SSLPort portnumber
Make sure to replace domain.tld with the domain name you defined in server-manager, and to set the port number you desire the https domain to be listening on.

After you have defined the port number you need to regenerate the configuration file and restart the web server; this can be done with the following command:
Code:
signal-event domain-modify

To remove the custom template fragments and restore SME Server's default behavior you just need to remove the custom-template fragments like this:
Code:
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/80VirtualHosts
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives
signal-event domain-modify
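An added example, not from the thread and not SME Server's own fragment: a companion fragment for the same templates-custom tree that makes Apache also Listen on every non-default SSLPort set in the domains database, since the VirtualHost moved to that port has no socket to bind to otherwise. The fragment name 21ListenSSLPorts is an assumption; $SystemMode, ${'httpd-e-smith'}{access} and $LocalIP are the same configuration-database variables the test1 fragment earlier in the thread uses.

```perl
{
    # Added example (not SME Server's own fragment). Assumed location:
    # /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/21ListenSSLPorts
    # Adds a Listen line for every non-default SSLPort in the domains
    # database so the VirtualHost on that port has a socket to bind to.
    # Port 443 is already covered by the default Listen fragment.
    use esmith::DomainsDB;

    $OUT = '';
    my $db = esmith::DomainsDB->open_ro;
    unless ($db)
    {
        warn "Couldn't open domains DB in ListenSSLPorts fragment";
        return '';
    }

    # Collect distinct ports and accept only sane numeric values, so a
    # typo in the database cannot put garbage into httpd.conf.
    my %ports;
    foreach my $domain ($db->get_all_by_prop('type' => 'domain'))
    {
        my $p = $domain->prop('SSLPort') || '443';
        next if $p eq '443';
        unless ($p =~ /^\d{1,5}$/ && $p > 0 && $p < 65536)
        {
            warn "Ignoring invalid SSLPort '$p' for " . $domain->key;
            next;
        }
        $ports{$p} = 1;
    }
    return '' unless %ports;

    # Same bind policy as the default Listen fragment: all interfaces
    # unless httpd access is private, then only localhost and the LAN
    # address. $SystemMode, ${'httpd-e-smith'}{access} and $LocalIP
    # come from the configuration database.
    my $mode   = $SystemMode || 'serveronly';
    my $access = ${'httpd-e-smith'}{access} || 'private';
    my @addrs  = ($mode eq 'serveronly' || $access ne 'private')
               ? ('0.0.0.0')
               : do { my %u = map { $_ => 1 } ('127.0.0.1', $LocalIP); sort keys %u };

    foreach my $p (sort { $a <=> $b } keys %ports)
    {
        $OUT .= "Listen $_:$p\n" foreach @addrs;
    }
}
```

After adding the fragment, run signal-event domain-modify and confirm with grep "^Listen" /etc/httpd/conf/httpd.conf that each custom port appears exactly once per address.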
Title: Re: ssl cert virtual domains
Post by: crazybob on May 24, 2010, 12:20:55 PM
Thanks Cactus, but it didn't work. The httpd.conf did not change

I will also need to apply paths for the ssl cert and key.
Title: Re: ssl cert virtual domains
Post by: cactus on May 24, 2010, 12:31:26 PM
Thanks Cactus, but it didn't work.
What did not work? Could you be more explicit? Were there errors present in any of the steps? Did your webserver not start anymore? Were you unable to access certain sites you host? I have no crystal ball.

I will also need to apply paths for the ssl cert and key.
That would be only a little harder, as you would need to bring those parameters inside of the VirtualHosts containers and evaluate them based on the domain name, as this is, by default, done for the whole server and not on a per-VirtualHost basis.

You will most likely need to add a custom template fragment based on the /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificate* files in the VirtualHosts/ folder and build the logic to get the proper files based on the domain name.
Title: Re: ssl cert virtual domains
Post by: crazybob on May 24, 2010, 12:48:29 PM
I was mistaken, it did work. I was using SSLport in place of SSLPort

I will be looking into the SSLcert file to see how to modify it. Any pointers appreciated

Thanks so much for your help.

Bob
Title: Re: ssl cert virtual domains
Post by: crazybob on June 10, 2010, 10:16:28 PM
Should I be able to incorporate this into the modified 80VirtualHosts file?
Title: Re: ssl cert virtual domains
Post by: cactus on June 10, 2010, 10:24:02 PM
Should I be able to incorporate this into the modified 80VirtualHosts file?
What? I am unsure to what you are referring.
Title: Re: ssl cert virtual domains
Post by: crazybob on June 10, 2010, 11:38:41 PM
Sorry, I was referring to the ssl certs for the virtual domain :oops:
My thought was, as long as I was already setting the ssl port, to set the crt and key also. I am attempting this, and am going to try to set either a string that gives path and name for the cert and key, or just a '#.' if nothing is entered in the db

I have a modified 25SSLdirectives that looks like this
Code:
{
    return "    # skipping SSL directives\n" unless $port eq $sslport;

    return "" unless $modSSL{'status'} eq 'enabled';

    $OUT =  <<SSL_END;
    # SSL Directives
    SSLEngine on
SSL_END
}

{
    #------------------------------------------------------------
    # get a list of our virtual hosts and make a hash table so we
    # can look up content later
    #------------------------------------------------------------

    $OUT = '';

    use esmith::DomainsDB;

    my $db = esmith::DomainsDB->open_ro;
    unless ($db)
    {
        warn "Couldn't open domains DB in VirtualHosts template fragment";
        return;
    }

    my @domains = $db->get_all_by_prop('type' => 'domain');
    #------------------------------------------------------------
    # generate VirtualHosts - primary domain first
    #------------------------------------------------------------
    foreach my $domain (
        (grep { ($_->prop('SystemPrimaryDomain') || 'no') eq 'yes' } @domains),
        (grep { ($_->prop('SystemPrimaryDomain') || 'no') ne 'yes' } @domains),
    )
    {
        my $templatePath = $domain->prop('TemplatePath') || 'VirtualHosts';
        my $crt = $domain->prop('vcrt') || " ";
        my $key = $domain->prop('vkey') || " ";

        $OUT .= <<SSL_END;
SSLCertificateFile $crt
SSLCertificateKeyFile $key
SSL_END
    }
}

At this point it is changing all v/domains. It also seems to place an extra 'SSLCertificateFile' in each domain. I think I can get it to work with just a little more tinkering, but I am getting tired.
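Cactus's pointer above (build the certificate logic in a VirtualHosts/ fragment, keyed on the domain name) and the attempt just posted both call for the same thing, so here is an added example of such a fragment; it is not code from the thread or from SME Server. It emits the certificate only for the one domain whose container is being rendered, so nothing loops over every domain. The fragment name, the ssl.vhosts directory, the SSLCertName property and the $virtualHost/$sslport variables are assumptions.

```perl
{
    # Added example, not the thread's or SME Server's own code. Assumed
    # name: .../httpd.conf/VirtualHosts/26SSLCertificatePerDomain, sorted
    # after 25SSLDirectives so it lands inside the same <VirtualHost>.
    # $port and $modSSL are the variables the stock fragment uses;
    # $virtualHost (the domain name) and $sslport are assumed to be
    # passed in by 80VirtualHosts as MORE_DATA.
    return '' unless $port eq $sslport;
    return '' unless $modSSL{'status'} eq 'enabled';

    use esmith::DomainsDB;
    my $db = esmith::DomainsDB->open_ro;
    unless ($db)
    {
        warn "Couldn't open domains DB for $virtualHost";
        return '';
    }
    my $domain = $db->get($virtualHost);

    # Restrict certificates to one directory and to a plain file name,
    # so a bad database value cannot point Apache at an arbitrary path.
    my $dir  = '/etc/httpd/conf/ssl.vhosts';            # assumed location
    my $name = $domain ? ($domain->prop('SSLCertName') || '') : '';
    $name = $virtualHost unless $name =~ /^[\w.-]+$/;   # no '/' or spaces
    my ($crt, $key) = ("$dir/$name.crt", "$dir/$name.key");

    # Fall back to the server-wide certificate rather than emitting a
    # directive that points at a missing file, which would keep httpd
    # from starting.
    unless (-r $crt && -r $key)
    {
        warn "No per-domain certificate for $virtualHost, using server default";
        return "    # no per-domain certificate for $virtualHost\n";
    }

    return "    SSLCertificateFile $crt\n"
         . "    SSLCertificateKeyFile $key\n";
}
```

Because the fragment only returns directives when it runs for the SSL port of its own domain, the duplicate SSLCertificateFile lines seen in the attempt above cannot occur, and a domain with no files in ssl.vhosts keeps the server-wide certificate.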
Title: Re: ssl cert virtual domains
Post by: crazybob on July 02, 2010, 05:21:57 AM
I was not having much luck, so I tried moving the virtual domain to a copy of SME7.5 running in VMware. I gave that server the fqdn of the virtual domain I am working with. I installed a cert, and used proxypass to point requests to the new domain. Still no joy. https requests still see my main server cert. Should there be an easy way around this?
Title: Re: ssl cert virtual domains
Post by: CharlieBrady on July 02, 2010, 05:25:44 AM
Should there be an easy way around this?

No. You need to understand that SSL is negotiated before the hostname of the query is interpreted - therefore, before proxy pass and before virtual domain handling.

The only way that you can have separate certificates for different virtual domains is to use a different IP address or a different port for each virtual domain.
Title: Re: ssl cert virtual domains
Post by: janet on July 02, 2010, 05:33:16 AM
crazybob

IIUC what you are after, then an approach you can take is to incorporate all the domains into one certificate, as is done in this CACert Howto
http://wiki.contribs.org/Custom_CA_Certificate
Similar steps should apply to whichever "brand" of certificate you buy.
Title: Re: ssl cert virtual domains
Post by: crazybob on July 02, 2010, 05:42:43 AM
Thanks Charlie, that will stop the tearing of the hair. :-)

And thanks to Mary, I will check out CA_cert. :smile:
Title: Re: ssl cert virtual domains (resolved)
Post by: crazybob on July 19, 2010, 02:49:46 AM
I bought a cert from startssl.com. Seems to be doing the job. Thanks all for the help. :-P