(04-17-2020, 11:45 PM) iraqiboy90 Wrote:
Hi
Is this still a possibility?
I used the following code to lock it down with a wildcard certificate I already use for the main domain, which works fine, visually. I also changed it to 443 on the first part and added an http to https redirect with the last part. Is there anything behind that scene about security this might affect?
Code:
</VirtualHost>
# Configuration for WebMail
<VirtualHost *:443>
    ServerName webmail.somedomain.com
    DocumentRoot "/etc/sentora/panel/etc/apps/webmail/"
    AddType application/x-httpd-php .php
    <Directory "/etc/sentora/panel/etc/apps/webmail/">
        Options +FollowSymLinks -Indexes
        AllowOverride All
        Require all granted
    </Directory>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLCertificateFile /etc/letsencrypt/live/somedomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/somedomain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/somedomain.com/chain.pem
    # Keeping below for future upgrades.
    # Requires Apache >= 2.4
    SSLCompression off
</VirtualHost>
<virtualhost *:80>
    ServerName webmail.somedomain.com
    RewriteEngine on
    ReWriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
Does adding this solve the issue?
Also, do I need this?
Code:
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
Code:
php_admin_value open_basedir /var/sentora/temp/:/etc/sentora/panel/etc/apps/webmail:/var/sentora/logs/roundcube
The code you added
Quote:
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
fixes the security issue above for custom vhosts.
If you add Open_basedir to webmail, you will need to change the logs dir from /var/sentora/logs/roundcube to /etc/sentora/panel/etc/webmail/logs in the roundcube config, because open_basedir will lock you in the vhost directory. Other than that, you should be good.
-Jettaman-
NEW: Sentora v.2.0.1 has been released!!!
Sentora's quick recovery depends on community support and donations. We need to stand as one and help Sentora into the future.
Donate HERE and do your part. We thank you for your support.
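An added example, not part of either post and not Sentora's or Roundcube's code: a lexical check of whether a directory falls inside the open_basedir list a vhost sets with php_admin_value, run over the paths mentioned in this thread. It assumes each entry is treated as a directory and does not resolve symlinks; the function names and the last two candidate paths are made up for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample: a vhost carrying the open_basedir line quoted in the thread.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName webmail.somedomain.com
    DocumentRoot "/etc/sentora/panel/etc/apps/webmail/"
    php_admin_value open_basedir /var/sentora/temp/:/etc/sentora/panel/etc/apps/webmail:/var/sentora/logs/roundcube
</VirtualHost>
"""

def php_admin_values(vhost_text):
    """Return {setting: value} for every php_admin_value line in the text."""
    values = {}
    for line in vhost_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].lower() == "php_admin_value":
            values[parts[1].lower()] = parts[2].strip().strip('"')
    return values

def open_basedir_dirs(vhost_text):
    """Split the colon-separated open_basedir value into directory paths."""
    raw = php_admin_values(vhost_text).get("open_basedir", "")
    return [PurePosixPath(p) for p in raw.split(":") if p]

def allowed(path, dirs):
    """Lexical check: is path one of the listed directories or below one?"""
    if not dirs:
        return True   # open_basedir unset: PHP applies no path restriction
    target = PurePosixPath(path)
    if ".." in target.parts:
        return False  # refuse unnormalised paths rather than guess
    return any(target == d or d in target.parents for d in dirs)

def audit(vhost_text, paths):
    """Map each candidate path to True/False against the vhost's open_basedir."""
    dirs = open_basedir_dirs(vhost_text)
    return {p: allowed(p, dirs) for p in paths}

if __name__ == "__main__":
    candidates = [
        "/var/sentora/logs/roundcube",               # log dir named in the thread
        "/etc/sentora/panel/etc/webmail/logs",       # log dir named in the thread
        "/etc/sentora/panel/etc/apps/webmail/logs",  # constructed: below the docroot
        "/etc/passwd",                               # constructed: outside every entry
    ]
    for path, ok in audit(SAMPLE_VHOST, candidates).items():
        print(f"{'allowed' if ok else 'BLOCKED'}  {path}")
```

Run it against the real vhost file and the log directory set in the Roundcube config before reloading Apache, so a log path outside the list is caught before PHP starts refusing writes.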