Thread: https ???

  1. #1
    CatiaL, Active Member

    https ???

    Hi,
    I have 4.5.5_GA_838.RHEL4_20070518071230 RHEL4 NETWORK edition running and I can access the web admin interface at port 7071 with https and the user web interface with http at port 7070 and at port 80 (using the Zimbra with Apache using mod jk - ZimbraWiki).

    I would like to access the user web interface over https.
    I did
    su - zimbra
    zmtlsctl https
    tomcat restart

    but then if I try to connect to the server (https://mailserver.domain.example) I get an error message, and nothing is loaded.

    with
    zmprov -l gs mailserver.domain.example
    I saw that zimbraMailMode: https -> OK

    the one thing that I have found strange is that in /opt/zimbra/tomcat/conf/server.xml
    "user services connector, SSL" and "admin services connector; requires SSL"
    are both on port 7071, is this normal?

    I have tried to edit this file and change the user services connector, SSL to 443, but as soon as I restart tomcat the value is changed back to 7071.

    with zmprov -l gs mailserver.domain.example
    I see that:
    zimbraAdminPort: 7071
    zimbraMailPort: 7070
    zimbraMailSSLPort: 7071

    is this the reason for the "strange" setting in /opt/zimbra/tomcat/conf/server.xml?
    should I change zimbraMailSSLPort to 443 to make it work properly over https?
    how?

    Any ideas? Please help, I am pretty much in a hurry to get this to work.

  2. #2
    mmorse, Moderator

    Try this (alternate to zmtlsctl)
    su zimbra
    zmprov ms myserver.domain.com zimbraMailPort (port#) zimbraMailSSLPort (SSL#)
    tomcat stop
    tomcat start

  3. #3
    djve, Senior Member

    If all you want is to redirect http so it uses https my solution is:

    HTTP to redirect to HTTPS

    I use 'mixed' for zmtlsctl.

  4. #4
    CatiaL, Active Member

    https work but how to get it to port 443 (server has Apache too)

    Hi,

    So I have managed to get Zimbra to work over https. As I had supposed, I had a conflict of ports: both zimbraMailSSLPort and zimbraAdminPort were running on the same port.

    %%%%% HTTPS ACCESS OVER PORT 7443 %%%%%%%%%
    What I did:

    zmprov ms my_server.domane.example zimbraMailSSLPort 7443
    zmtlsctl https
    tomcat restart

    so now I have my zimbra user web under
    https://my_server.domane.example:7443

    I would like to have it running under the usual 443 https port. The problem is that Apache and Jahia also run on the Zimbra server.

    %%%%% HTTP ACCESS OVER PORT 80 %%%%%%%%%

    To get the http mode to run on port 80 I have used mod_jk by following Zimbra with Apache using mod jk - ZimbraWiki

    the only difference in my setup is that instead of creating an extra /etc/httpd/conf.d/tomcat.conf file

    I have added the following settings into the /etc/httpd/conf/httpd.conf file:


    # Load mod_jk module
    # Update this path to match your modules location
    LoadModule jk_module modules/mod_jk.so
    # Declare the module for <IfModule directive> (remove this line on Apache 2.x)
    # AddModule mod_jk.c

    # Where to find workers.properties
    # Update this path to match your conf directory location (put workers.properties next to httpd.conf)
    JkWorkersFile /etc/httpd/conf/workers.properties

    # Where to put jk logs
    # Update this path to match your logs directory location (put mod_jk.log next to access_log)
    JkLogFile /etc/httpd/logs/mod_jk.log
    # Set the jk log level [debug/error/info]
    JkLogLevel info
    # Select the log format
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

    # JkOptions indicate to send SSL KEY SIZE,
    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

    # JkRequestLogFormat set the request format
    JkRequestLogFormat "%w %V %T"


    <VirtualHost *>
    ServerAdmin netmaster@domain.example
    ServerName server.domain.example
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteLog logs/server_rewrite.log
    RewriteLogLevel 0
    RewriteRule ^/$ http://server.domain.example/zimbra
    </IfModule>
    # JkMount /*.* zimbraworker
    JkMount /zimbra zimbraworker
    JkMount /zimbra/ zimbraworker
    JkMount /zimbra/* zimbraworker
    JkMount /service zimbraworker
    JkMount /service/ zimbraworker
    JkMount /service/* zimbraworker
    JkMount /zimbraAdmin zimbraworker
    JkMount /zimbraAdmin/ zimbraworker
    JkMount /zimbraAdmin/* zimbraworker
    # JkMount /*.ico zimbraworker
    JkMount //zimbra zimbraworker
    ErrorLog logs/server.domain.example-error_log
    CustomLog logs/server.domain.example-access_log common
    </VirtualHost>


    %%%%% HTTPS ACCESS OVER PORT 443 %%%%%%%%%

    Now I want to access my mails with ssl on port 443.
    And here I have problems.

    First of all I switch the zimbraMailMode to https. At this point since zimbraMailSSLPort=7443

    I can access zimbra on port 7443.

    But how to access it on 443??????

    I had thought that the steps done for port 80 would be enough for 443, but it does not work!

    What should I do? The problem is that I am not sure whether ssl is enabled on my apache or not. I see that an httpd is listening on port 443 but I do not know where it comes from.

    Could you tell me step by step what I should do, including how I can find out who is using port 443 and what I should do to let apache use ssl to connect to zimbra?

  5. #5
    djve, Senior Member

    You'll want someone from Zimbra to confirm this but it looks like you have set zimbraMailSSLPort 7443. I think this means 443 will still have HTTPS running but it won't have anything to do as you are using 7443 for mail.

    To me it seems that you are going to skip over 443 unless you configure the other Zimbra applets to use 443. And I don't think Zimbra will spend the time on this as I'd assume the things you are doing would be classified as an unsupported configuration. They may be able to give you some help but I wouldn't bet on it.

  6. #6
    CatiaL, Active Member

    https solved

    Hi,

    I solved my problem a while ago but I had no time to post the solution.

    As a summary: I have Zimbra and Apache running on the same server.
    Apache "occupies" the ports 80 for http and 443 for https (I have ssl "running")

    zimbraMailSSLPort 7443

    My notation refers to a RedHat Enterprise OS.

    %%%%% HTTPS ACCESS OVER PORT 443 %%%%%%%%%

    Introduction
    In Apache (RedHat version) the file

    Code:
    /etc/httpd/conf/httpd.conf
    rules the http (no ssl) web access while the file

    Code:
    /etc/httpd/conf.d/ssl.conf
    rules the https (with ssl) web access.

    If you want to have some Virtual Hosts running under http AND others running under https, it is very important that the settings are as follows:

    • In httpd.conf the NameVirtualHost must be set as:

      NameVirtualHost *:80

      and all the Virtual Hosts must be defined as

      <VirtualHost *:80>
      ………..
      ………..
      </VirtualHost>


    • In ssl.conf the NameVirtualHost must be set as:

      NameVirtualHost *:443

      and all the Virtual Hosts must be defined as

      <VirtualHost *:443>
      ………..
      ………..
      </VirtualHost>


    Configuration with mod_jk

    • Add the following text into /etc/httpd/conf.d/ssl.conf (if you did not already load mod_jk into httpd, uncomment the LoadModule line)

      Code:
      # JK_MODULE
      #the module is already loaded in conf/httpd.conf
      #LoadModule jk_module modules/mod_jk.so
      JkWorkersFile conf/workers.properties
      JkLogFile logs/mod_jk.log
      JkLogLevel info
      JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
      JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
      JkRequestLogFormat "%w %V %T"
      
      NameVirtualHost *:443
      
      <VirtualHost *:443>
      
          ServerAdmin netmaster@domain.example
          ServerName server.domain.example
      
          <IfModule mod_rewrite.c>
              RewriteEngine On
              RewriteLog logs/server_rewrite.log
              RewriteLogLevel 0
              RewriteRule ^/$ https://server.domain.example/zimbra
          </IfModule>
      
          JkMount /zimbra         zimbraworker
          JkMount /zimbra/        zimbraworker
          JkMount /zimbra/*       zimbraworker
          JkMount /service        zimbraworker
          JkMount /service/       zimbraworker
          JkMount /service/*      zimbraworker
          JkMount /zimbraAdmin    zimbraworker
          JkMount /zimbraAdmin/   zimbraworker
          JkMount /zimbraAdmin/*  zimbraworker
          JkMount //zimbra        zimbraworker
      
          ErrorLog logs/ssl_error_log
          TransferLog logs/ssl_access_log
          SSLEngine on
          SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
          SSLCertificateKeyFile /opt/zimbra/ssl/ssl/server/server.key
          SSLCertificateFile /opt/zimbra/ssl/ssl/server/server.crt
      
      </VirtualHost>
      NOTE: This uses the automatically generated ssl certificate from Zimbra. If you want another certificate you can generate a self signed one or buy one.

    • restart httpd
      Code:
      service httpd restart

    • switch zimbra to https
      Code:
      zmtlsctl https
      tomcat restart


    IMPORTANT NOTE: If you plan to use ZimbraMobile and you have such a mixed configuration (Zimbra and Apache running on the same server) you cannot use the mod_jk "trick" to let Apache access Zimbra under standard ports. You should use the proxy "trick" instead.
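
The TLS part of the `<VirtualHost *:443>` block from post #6 with tighter protocol and cipher settings, as an added example that is not part of the original post. It assumes a current Apache 2.4 with mod_ssl built against a current OpenSSL (the thread's RHEL4 Apache predates `SSLHonorCipherOrder`); the protocol and cipher choices are this example's assumptions, and the host name and certificate paths are the ones used in the post.

```apache
# Added example (not from the original post). Assumes Apache 2.4 + mod_ssl.
#
# The SSLCipherSuite string in the post starts from ALL and removes only
# ADH and EXPORT56. In OpenSSL cipher-list syntax a leading "+" only moves
# suites that are already in the list to the end, so +LOW, +SSLv2 and +EXP
# do not disable anything: single-DES, SSLv2-era and 40-bit export suites
# stay negotiable. The directives below replace that line.

<VirtualHost *:443>
    ServerAdmin netmaster@domain.example
    ServerName  server.domain.example

    # JkMount and rewrite lines from the post are unchanged and omitted here.

    ErrorLog    logs/ssl_error_log
    TransferLog logs/ssl_access_log

    SSLEngine on

    # Offer only TLS 1.2 and later.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Start from the HIGH class and permanently remove ("!") anonymous,
    # unencrypted, MD5-based, RC4 and 3DES suites.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES

    # Use the server's preference order rather than the client's.
    SSLHonorCipherOrder on

    # Certificate and key generated by Zimbra, as in the post.
    SSLCertificateKeyFile /opt/zimbra/ssl/ssl/server/server.key
    SSLCertificateFile    /opt/zimbra/ssl/ssl/server/server.crt
</VirtualHost>
```

Running `apachectl configtest` before `service httpd restart` catches syntax errors in the edited file.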

  7. #7
    djve, Senior Member

    Now that's a good summary. Thanks, I've learned a little bit about Apache configurations thanks to you.

  8. #8
    macada, Junior Member

    Maybe this helps

    Check out this web:

    MailZimbra - Wikiousli

    Cheers


    macada
