SSL Separation Between Sentora and Client Domains
#1
I'm having trouble getting client domains to stick to their own non-SSL domains. Apparently VHosts and myself don't seem to get along all that well.

I've got the panel subdomain set up for SSL (working), and a _default_ entry for port 443 with a redirect to port 80 (only works when I remove the previously mentioned entry). Basically the two entries are fighting over port 443 and I'm not familiar enough with VHosts to know how to configure them properly. Right now anything on HTTPS forwards to the panel's secure page (not ideal).

Any thoughts?
#2
RE: repost of setting up sentora subdomain to use SSL
What is going on here? You DO NOT add your panel login subdomain to the DNS manager at all, this is done for you when you do the installation!

(It is the first entry in your httpd-vhosts.conf file)
If you want to SSL your panel login, you go to Module Admin > Apache Config > Global Sentora Entry and put the SSL info in there.
Example:
Code:
   SSLEngine on
   SSLCertificateFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.crt
   SSLCertificateKeyFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog c:/zpanel/logs/ssl/ssl_zpx_request.log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
(Yeah, my setup is odd right now as I am using a hybrid zpanel/sentora setup on Windows until I get my unix box online)
BTW, I am using a self-signed wildcard certificate for subdomains of my main domain.
-TGates - Project Council

#3
RE: repost of setting up sentora subdomain to use SSL
Please open another thread, as the issue is not the same; that will help others following the discussion and finding the solutions too.

JWTech's current SSL is a hack. It's not the best solution; I don't follow it, and I think we will change the docs over that.

My solution is always to create an /etc/sentora/apache/ssl directory, where you paste all SSL vhosts, FULLY configured.

Then, instead of playing with overrides in the main Apache config, add:
include /etc/sentora/apache/ssl/*

Don't forget: if you add a FULL vhost manually, you need to copy the suhosin and open_basedir setup and, mainly, enable SSL on it.

M B
#4
RE: repost of setting up sentora subdomain to use SSL
Thanks for splitting the thread, Me.B.

And yeah, I've been running my SSL Vhost entries from the ssl.conf file (CentOS). My issue's been more of a Vhost configuration issue than a placement one; I'm just not familiar enough with it to set up the proper SSL separation between the panel SSL (commercial certificate) and the client SSL (which I just want routed to port 80 until I work out whether SNI is even possible).
#5
RE: SSL Separation Between Sentora and Client Domains
ahh.. There are 2 different types of SSL installation in Sentora.

Just pay attention to the client domain here, not the Sentora panel.
If you have a client domain eg: HTTP://yourclient.domain and you want to forward it to HTTPS://yourclient.domain

USE the following:
Overriding Vhost via MODULE ADMIN>>APACHE CONFIG>>Select the Vhost to Override
eg: yourclient.domain
1) Port Override -> 443
2) Custom Entry:

Code:
 SSLEngine on
 SSLCertificateFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.crt
 SSLCertificateKeyFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.key
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 CustomLog c:/zpanel/logs/ssl/ssl_zpx_request.log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Now the result for that will be:

HTTP://yourclient.domain will always be forwarded to SSL 443 eg: HTTPS://yourclient.domain
so there is no way to view this via port 80 or standard HTTP

Now if you want to view your client domain in a separate socket port HTTP and HTTPS at the same time?

All you need to do is the following:

Create an SSL vhost file and name it, for example, "httpd-ssl-vhosts.conf"

Open your Sentora Config -> "httpd-vhosts.conf", then copy the vhost for "yourclient.domain" and paste it into your newly created "httpd-ssl-vhosts.conf".
Example below:
Code:
# DOMAIN: yourclient.domain
<virtualhost *:80>
ServerName yourclient.domain
ServerAlias  www.yourclient.domain
ServerAdmin panel@yourclient.domain
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/yourclient_domain"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/yourclient_domain:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/yourclient.domain-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/yourclient.domain-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/yourclient.domain-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/yourclient_domain">
 Options +FollowSymLinks -Indexes
 AllowOverride All
 Order Allow,Deny
 Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)

</virtualhost>
# END DOMAIN: yourclient.domain
################################################################

After pasting the code, modify it like this: example code below:

Code:
# DOMAIN: yourclient.domain
<virtualhost *:443>
ServerName yourclient.domain
ServerAlias  www.yourclient.domain
ServerAdmin panel@yourclient.domain
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/yourclient_domain"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/yourclient_domain:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/yourclient.domain-ssl-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/yourclient.domain-ssl-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/yourclient.domain-ssl-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/yourclient_domain">
 Options +FollowSymLinks -Indexes
 AllowOverride All
 Order Allow,Deny
 Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)

#LET'S ADD YOUR SSL CERTIFICATE, KEY, PEM and BUNDLES HERE
    SSLEngine on
    SSLCertificateFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.crt
    SSLCertificateKeyFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

</virtualhost>
# END DOMAIN: yourclient.domain
################################################################

save it!
Open the Sentora Config --> HTTPD.CONF
add this after "Include /etc/sentora/configs/apache/httpd-vhosts.conf"

The line should be like this: "Include /etc/sentora/configs/apache/httpd-ssl-vhosts.conf"
Save it!

TAKE NOTE: In Sentora, Make SURE you have created a dummy subdomain which contains a dummy SSL in Module Admin>>Apache Config>>Override Vhost

So that the LISTEN PORT 443 will be generated by  Sentora by default if Override Vhost 443 is enabled.

Adding Listen 443 manually will kill your Apache service.

Now if you have done this all? Restart your Apache service

CentOS: service httpd restart

Open your browser and check HTTP://yourclient.domain and HTTPS://yourclient.domain

I hope this helps you! Good luck
#6
RE: SSL Separation Between Sentora and Client Domains
Code:
##################################################
# Apache VHOST configuration file
# Automatically generated by Sentora 10.0.2
# Generated on: 12:25 2nd Jun 2013 WIT
##################################################

NameVirtualHost *:443

# Configuration for Sentora control panel.

SSLEngine on
SSLProtocol SSLv3
SSLCertificateFile /etc/apache2/ssl/Sentora.crt
SSLCertificateKeyFile /etc/apache2/ssl/Sentora.key
ServerAdmin zadmin@localhost
DocumentRoot "/etc/Sentora/panel/"
ServerName id-network.org
ServerAlias Sentora.id-network.org

Redirect Permanent / https://Sentora.id-network.org/


I don't understand: only SSLv3? And also, how do we use a CA certificate? Is the CA bundle not required?
http://docs.sentora.org/?node=21
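The panel and client SSL vhosts discussed above, with the TLS directives from posts #5 and #6 (the `SSLCipherSuite` string and `SSLProtocol SSLv3`) shown beside corrected settings and with the CA bundle wired in. This is an added example, not part of any post and not Sentora-generated output; `panel.example.com`, the `/path/to/...` locations and the bundle file names are placeholders.

```apache
# Added example. Hostnames, certificate paths and bundle names are placeholders.
# Listen 443 is omitted on purpose: per the thread, Sentora generates it.

# Server-wide TLS policy, inherited by every SSL vhost below. It replaces the
# thread's "SSLProtocol SSLv3" (broken by POODLE) and the cipher string
# "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW" (admits RC4, MEDIUM, LOW).
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on

# Apache 2.2 needs this for name-based vhosts on 443; Apache 2.4 ignores it
# with a warning.
NameVirtualHost *:443

# Panel. Being the first *:443 vhost, it also answers requests whose host name
# matches no other vhost, so those visitors see the panel certificate.
<VirtualHost *:443>
    ServerName panel.example.com
    DocumentRoot "/path/to/panel"
    SSLEngine on
    SSLCertificateFile      /path/to/certs/panel.example.com.crt
    SSLCertificateKeyFile   /path/to/certs/panel.example.com.key
    # CA bundle: the intermediate certificate(s) supplied by the issuing CA.
    SSLCertificateChainFile /path/to/certs/panel-ca-bundle.crt
</VirtualHost>

# Client domain, selected by the SNI name the browser sends.
<VirtualHost *:443>
    ServerName yourclient.domain
    ServerAlias www.yourclient.domain
    DocumentRoot "/var/sentora/hostdata/zadmin/public_html/yourclient_domain"
    # Copy the open_basedir, suhosin, <Directory> and log lines from the
    # port-80 vhost here unchanged, as the thread advises.
    SSLEngine on
    SSLCertificateFile      /path/to/certs/yourclient.domain.crt
    SSLCertificateKeyFile   /path/to/certs/yourclient.domain.key
    SSLCertificateChainFile /path/to/certs/yourclient-ca-bundle.crt
</VirtualHost>
```

From Apache 2.4.8 the intermediates can instead be appended to the file named by `SSLCertificateFile`. Where the Apache and OpenSSL builds support TLSv1.2, `-TLSv1 -TLSv1.1` can be added to the `SSLProtocol` line as well.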
#7
RE: SSL Separation Between Sentora and Client Domains
(02-18-2015, 09:13 PM)Jayster Wrote: ahh.. There are 2 different types of SSL installation in Sentora.

Just pay attention to the client domain here, not the Sentora panel.
If you have a client domain eg: HTTP://yourclient.domain and you want to forward it to HTTPS://yourclient.domain

USE the following:
Overriding Vhost via MODULE ADMIN>>APACHE CONFIG>>Select the Vhost to Override
eg: yourclient.domain
1) Port Override -> 443
2) Custom Entry:


Code:
 SSLEngine on
 SSLCertificateFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.crt
 SSLCertificateKeyFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.key
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 CustomLog c:/zpanel/logs/ssl/ssl_zpx_request.log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Now the result for that will be:

HTTP://yourclient.domain will always be forwarded to SSL 443 eg: HTTPS://yourclient.domain
so there is no way to view this via port 80 or standard HTTP

Now if you want to view your client domain in a separate socket port HTTP and HTTPS at the same time?

All you need to do is the following:

Create an SSL vhost file and name it, for example, "httpd-ssl-vhosts.conf"

Open your Sentora Config -> "httpd-vhosts.conf", then copy the vhost for "yourclient.domain" and paste it into your newly created "httpd-ssl-vhosts.conf".
Example below:

Code:
# DOMAIN: yourclient.domain
<virtualhost *:80>
ServerName yourclient.domain
ServerAlias  www.yourclient.domain
ServerAdmin panel@yourclient.domain
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/yourclient_domain"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/yourclient_domain:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/yourclient.domain-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/yourclient.domain-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/yourclient.domain-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/yourclient_domain">
 Options +FollowSymLinks -Indexes
 AllowOverride All
 Order Allow,Deny
 Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)

</virtualhost>
# END DOMAIN: yourclient.domain
################################################################

After pasting the code, modify it like this: example code below:


Code:
# DOMAIN: yourclient.domain
<virtualhost *:443>
ServerName yourclient.domain
ServerAlias  www.yourclient.domain
ServerAdmin panel@yourclient.domain
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/yourclient_domain"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/yourclient_domain:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/zadmin/yourclient.domain-ssl-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/yourclient.domain-ssl-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/yourclient.domain-ssl-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/yourclient_domain">
 Options +FollowSymLinks -Indexes
 AllowOverride All
 Order Allow,Deny
 Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)

#LET'S ADD YOUR SSL CERTIFICATE, KEY, PEM and BUNDLES HERE
SSLEngine on
SSLCertificateFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.crt
SSLCertificateKeyFile C:/zpanel/bin/apache/ssl_certs/__.domain.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

</virtualhost>
# END DOMAIN: yourclient.domain
################################################################

save it!
Open the Sentora Config --> HTTPD.CONF
add this after "Include /etc/sentora/configs/apache/httpd-vhosts.conf"

The line should be like this: "Include /etc/sentora/configs/apache/httpd-ssl-vhosts.conf"
Save it!

TAKE NOTE: In Sentora, Make SURE you have created a dummy subdomain which contains a dummy SSL in Module Admin>>Apache Config>>Override Vhost

So that the LISTEN PORT 443 will be generated by  Sentora by default if Override Vhost 443 is enabled.

Adding Listen 443 manually will kill your Apache service.

Now if you have done this all? Restart your Apache service

CentOS: service httpd restart

Open your browser and check HTTP://yourclient.domain and HTTPS://yourclient.domain

I hope this helps you! Good luck

Hi, I am using Ubuntu 14.04.
I added a port override to 443 for my domain from Apache Config...
I got the following error (attached screenshot)... Please help... Sentora version 1.0.0

