Re: HTTPS problem

> Since the dawn of times I've been using Squirrelmail.  Until I was
> forced to upgrade to Apache2, all went well.  Since, I've googled myself
> dizzy to get HTTPS working again, but no result.
>
> I'll first give some more information about my system:
>
> OS: Debian 5.0.1
> Squirrelmail: squirrelmail (2:1.4.15-4+lenny2)
> Apache: apache2 (2.2.9-10+lenny2)
> PHP: php5 (5.2.6.dfsg.1-1+lenny3)
> IMAP: cyrus-imapd-2.2 (2.2.13-14+b3)
> SMTP: postfix (2.5.5-1.1)
> Browser: Iceweasel 2.0.0.19
>
> All these out-of-the box installed with apt-get install.  Cyrus is from
> unstable but I don't think that is the problem here, just mentioning it
> because of the guidelines for this list.
>
> What happens:
>
> - Direct browser to http://mail.garrels.be -> all goes well.
> - Direct browser to https://mail.garrels.be ->
>        Unable to connect
> Iceweasel can't establish a connection to the server at mail.garrels.be.
>    *   The site could be temporarily unavailable or too busy. Try again
>        in a few moments.
>    *   If you are unable to load any pages, check your computer's
>        network connection.
>    *   If your computer or network is protected by a firewall or proxy,
>        make sure that Iceweasel is permitted to access the Web.
>
> Of course, I am able to access other secure sites, like my homebanking
> site.
>
> I've already contacted my local Linux user group for this, and they told
> me that my server listens on both port 80 and port 443, but that it
> speaks http on both, and not http on port 80 and https on port 443.

Then this is entirely unrelated to SquirrelMail.  You should create a
test document on your server with just "<html><body>Hello
World</body></html>" and work out your Apache configuration until you
can access it with https.  After that, SquirrelMail should work fine.

> Now, I tried to make things better by installing the secure_login plugin
> - this is the only extra plugin I installed apart from the standard
> plugins that come with my squirrelmail package, it is version 1.4-1.  Of
> course, since https does not work, nothing now works for squirrelmail.
>
> SSL and rewrite modules are enabled in Apache.
>
> I run lots of virtual hosts on this machine.  None of them have the need
> for HTTPS (I use SSH tunnels for secure access for adminning, but I
> can't expect my mailusers to do that).
>
> Given all this info, I started - using various sources - to configure
> apache for SSL.  I did the following:
>
> - Create certificate:
> openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem
> -keyout /etc/apache2/ssl/apache.pem
>
> I've tried various other ways to create a cert, but those asked me to
> enter a passphrase when restarting apache2, and since I never entered a
> passphrase to create the certs, I was at a loss and apache2 didn't
> restart and none of my sites were accessible.

You should always have a pass phrase associated with your key.  You
can create a copy of your private key that is not password protected
for use with the web server.  There are plenty of how-tos on the web
for doing this.

Configuring Apache is usually no more complicated than using the
default ssl.conf it should come with and adding your sites to it as
needed.

> - Edit /etc/apache2/sites-available/default:
> NameVirtualHost *:80
> NameVirtualHost *:443
> <VirtualHost *:80>
>  ->all the normal stuff
> <VirtualHost *:443>
>        ServerAdmin webmaster@localhost
>
>        DocumentRoot /var/www/
>        <Directory />
>                Options FollowSymLinks
>                AllowOverride None
>        </Directory>
>        <Directory /var/www/>
>                Options Indexes FollowSymLinks MultiViews
>                AllowOverride None
>                Order allow,deny
>                allow from all
>        </Directory>
>
>        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>        <Directory "/usr/lib/cgi-bin">
>                AllowOverride None
>                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
>                Order allow,deny
>                Allow from all
>        </Directory>
>
>        ErrorLog /var/log/apache2/error.log
>
>        # Possible values include: debug, info, notice, warn, error,
>        # crit,
>        # alert, emerg.
>        LogLevel warn
>
>        CustomLog /var/log/apache2/access.log combined
>
>    Alias /doc/ "/usr/share/doc/"
>    <Directory "/usr/share/doc/">
>        Options Indexes MultiViews FollowSymLinks
>        AllowOverride None
>        Order deny,allow
>        Deny from all
>        Allow from 127.0.0.0/255.0.0.0 ::1/128
>    </Directory>
> SSLEngine on
> SSLCertificateFile /etc/apache2/ssl/apache.pem
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SSLCertificateFile /etc/apache2/ssl/apache.pem
> SetEnvIf User-Agent ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>
> </VirtualHost>
>
> - Made a link in /etc/apache2/sites-enabled
>
> - Edited /etc/apache2/sites/available/mail.garrels.be
> <Directory /usr/share/squirrelmail>
>  Options Indexes FollowSymLinks
>  <IfModule mod_php4.c>
>    php_flag register_globals off
>  </IfModule>
>  <IfModule mod_php5.c>
>    php_flag register_globals off
>  </IfModule>
>  <IfModule mod_dir.c>
>    DirectoryIndex index.php
>  </IfModule>
>
>  # access to configtest is limited by default to prevent information
>  # leak
>  <Files configtest.php>
>    order deny,allow
>    deny from all
>    allow from 127.0.0.1
>  </Files>
> </Directory>
> <VirtualHost *:80>
>  DocumentRoot /usr/share/squirrelmail
>  ServerName mail.garrels.be
>    ErrorLog /var/log/apache2/mail.garrels.be-error.log
>    CustomLog /var/log/apache2/mail.garrels.be-access.log combined
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/apache.pem
> </VirtualHost>
>
> And various variations on that theme, like adding a block
> <VirtualHost *:443> etc.
>
> - Restarted Apache2 at each change.
>
> If anybody sees what I am doing wrong, I'll be glad to hear it.  It is
> probably something stupid, so tell me and out of shame I will never
> forget again.  If you need more info, I'll be glad to provide it.
>
> Sorry for the long post, thanks for your attention so far.


-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
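
The diagnosis quoted in the message above (port 443 answering, but in plain HTTP rather than HTTPS) can be confirmed from any client with a small probe. This is an added example, not part of the original thread; `probe_port` and `start_plain_http_listener` are hypothetical names, and the local listener is a constructed stand-in for the misconfigured port.

```python
import socket
import ssl
import threading


def probe_port(host, port, timeout=3.0):
    """Return 'tls', 'plain-http', 'other' or 'closed' for a TCP port."""
    # Diagnostic only: cert checks are off; the question is "is there TLS here?".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError and handshake timeouts are both OSErrors
        pass  # something answered, but not with a TLS handshake
    finally:
        raw.close()
    # No TLS: send a plain HTTP request and look for an HTTP status line.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = plain.recv(16)
    except OSError:
        return "other"
    return "plain-http" if reply.startswith(b"HTTP/") else "other"


def start_plain_http_listener():
    """Constructed stand-in for a misconfigured port; returns its port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)  # ignore the input (TLS ClientHello or HTTP)
                conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nHello World")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_port("127.0.0.1", start_plain_http_listener()))  # constructed target
```

Pointed at the real host, a result of `plain-http` on port 443 matches the user group's finding, while `tls` means the virtual host is serving HTTPS and the "Hello World" test page can be fetched over it.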

