How to add SSL withtout messing up your config for FREE

[Me.B]

Tip 1:

Yes you can add ssl support for your websites without blowing out apache config or vhosts thanks to cloudflare:

https://blog.cloudflare.com/introducing-universal-ssl/

So all you have to do is setup your domain with cloudflare ( enable their DNS server to manage your domain) and use their reverse proxy in fleximode ( HTTPS >>> HTTP) that will forward all traffic to SSL toward your http backend.

https://support.cloudflare.com/hc/en-us/...CloudFlare

All for free as you can use cloudflare SSL certificates. 

But won't protect you from NSA snooping as your cloudflare > your server traffic will not be protected.

Tip 2:

You can grab free SSL certificates supported by most browser with startssl:
https://www.startssl.com/

M B

[j.waibel]

Another Tip:

Install a free startCom SSL certificate and install this in your server:

Below is my setup for my webmail setup (This is inside a virtualhost override for a domain to allow to have the webmail running at: https://webmail.jwd.de/

for the vhost overide see: Using Custom Vhost Entries for Webmail, MySQL, Etc.

Code:

</VirtualHost>

# Configuration for WebMail - webmail.jwd.de

Listen 80.83.120.44:443
<VirtualHost *:80>
   ServerName webmail.jwd.de
   Redirect permanent / https://webmail.jwd.de
</Virtualhost>

<VirtualHost 80.83.120.44:443>
   ServerAdmin webmaster[at]jwd.de
   DocumentRoot "/etc/sentora/panel/etc/apps/webmail/"
   ServerName webmail.jwd.de
    php_admin_value open_basedir "/etc/sentora/panel/etc/apps/webmail/:/etc/sentora/configs/roundcube/:/var/sentora/temp/"
    php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"


   AddType application/x-httpd-php .php3 .php
   <Directory /etc/sentora/panel/etc/apps/webmail/>
       Require all granted
       AllowOverride All
       <IfModule mod_php5.c>
               php_admin_flag engine on
       </IfModule>
   </Directory>
   SSLEngine on
   SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
   SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;^M    SSLHonorCipherOrder on
   SSLCertificateFile /srv/hostdata/zadmin/ssl_certs/webmail_jwd_de/webmail.jwd.de.crt
   SSLCertificateKeyFile /srv/hostdata/zadmin/ssl_certs/webmail_jwd_de/webmail.jwd.de.pem
   SSLCertificateChainFile /srv/hostdata/zadmin/ssl_certs/startssl-class1-intermediate.crt

Please make sure you include "   SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2" in your ssl setup, because alot apache installations still enable the insecure SSLv3.

One more Tip:

Test if your SSL setup is correct by testing with https://www.ssllabs.com/ssltest/

J

[Me.B]

Your setup is insecure as it miss all about suhosin disabling a lot of functions & not applying openbase_dir here!

[j.waibel]

Your setup is insecure as it miss all about suhosin disabling a lot of functions & not applying openbase_dir here!

Your right. i had that turned off for testing. I added working values to the posted code above.

[TVH7]

You don't have to mess up anything in your apache configs..

Just put this in your global sentora vhost inside the config panel. Wait a moment or force refresh.

Redirect Permanent / https://cp.test.nl/
</VirtualHost>
<VirtualHost *:443>
ServerName cp.test.nl:443
DocumentRoot "/etc/sentora/panel/"
ServerAlias *.cp.test.nl
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/cp.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>

Sorry for reopening such an old topic. Didn't notice it.

[Me.B]

The above is a hack not a clean solution for me.

M B

[divij]

Tip 1:

Yes you can add ssl support for your websites without blowing out apache config or vhosts thanks to cloudflare:

https://blog.cloudflare.com/introducing-universal-ssl/

So all you have to do is setup your domain with cloudflare ( enable their DNS server to manage your domain) and use their reverse proxy in fleximode ( HTTPS >>> HTTP) that will forward all traffic to SSL toward your http backend.

https://support.cloudflare.com/hc/en-us/...CloudFlare

All for free as you can use cloudflare SSL certificates. 

But won't protect you from NSA snooping as your cloudflare > your server traffic will not be protected.

Tip 2:

You can grab free SSL certificates supported by most browser with startssl:
https://www.startssl.com/

M B

Hi, I was trying the Tip 1, but the 443 port on my domain is closed. How to open that port without having to install any SSL certificates?

[Me.B]

Cloudflare won't need port 443 as they will forward all SSL requests to port 80.

Check cloudflare website for more informations.

M B