hi,

Am 11.01.2013 10:41 schrieb Götz Reinicke - IT Koordinator:
> For the LIVE system we like to have sogo running as a virtual apache
> host and secure as much as possible by using ssl.

Hope this helps. We are using Debian squeeze.

with kind regards,
t.
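### Plain HTTP is redirected to HTTPS;
### apart from that, not much runs on port 80.
# NOTE(review): no ServerName is set in this vhost and the host name in
# <VirtualHost> is resolved when Apache starts -- consider an explicit
# ServerName; confirm against the rest of the server configuration.
<virtualhost sogo.ourdomain.de:80>

        serveradmin     webmas...@ourdomain.de
        documentroot    /var/www

        # NOTE(review): because the redirect sits inside <ifmodule>, it is
        # silently skipped when mod_rewrite is not loaded and /var/www is then
        # served over plain HTTP. Verify the module is enabled.
        <ifmodule mod_rewrite.c>
                rewriteengine   on
                rewritecond     %{SERVER_PORT} !^443$
                # Redirect to the fixed canonical host name instead of
                # %{HTTP_HOST}: the Host header is chosen by the client and
                # should not be copied into the Location header.
                rewriterule     ^/(.*) https://sogo.ourdomain.de/$1 [NC,R,L]
                # RewriteLog is an Apache 2.2 directive; no RewriteLogLevel is
                # set here, so logging depends on the level configured elsewhere.
                rewritelog      "/var/log/apache2/rewrite.log"
        </ifmodule>

        # Restrictive defaults for the filesystem root: no .htaccess overrides.
        <directory />
                options         followsymlinks
                allowoverride   none
        </directory>

#       include         includes/generic-sogo-stuff

</virtualhost>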


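### The web interface; also CalDAV/CardDAV and updates
<VirtualHost sogo.ourdomain.de:443>

        ServerAdmin webmas...@ourdomain.de
        DocumentRoot /var/www

        # TLS certificate/key settings shared by all HTTPS vhosts
        include         includes/generic-ssl-stuff

        # Aliases, ProxyPass and rewrite rules shared by all SOGo vhosts
        include         includes/generic-sogo-stuff

        ErrorLog        ${APACHE_LOG_DIR}/error.log
        CustomLog       ${APACHE_LOG_DIR}/sogo_access.log combined

        # SOGo lives under /SOGo; rewrite other, unspecified requests to it
        <IfModule mod_rewrite.c>
                RewriteEngine   on
                # The dot is escaped so that only a literal "." matches.
                RewriteCond     %{REQUEST_URI} ^/index\.(htm|html)$ [OR]
                RewriteCond     %{REQUEST_URI} ^/$
                RewriteRule     (.*) /SOGo/ [R=301,L]
        </IfModule>

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        # NOTE(review): "Indexes" turns on automatic directory listings for
        # everything below /var/www. Drop it unless listings are wanted.
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        # PHP via FastCGI is needed under plugins/
        # NOTE(review): every *.php file below this directory is executed, so
        # the directory should not be writable by the web server user.
        <directory /var/www/plugins/>
                <ifmodule mod_fcgid.c>  
                        AddHandler fcgid-script .php
                        FCGIWrapper /usr/lib/cgi-bin/php5 .php
                        Options +ExecCGI
                </ifmodule>
        </directory>

        # Handle SOGo requests.
        # "RequestHeader set" replaces any value the client sent, so SOGo sees
        # the public scheme, host and port of this vhost.
        # (Lines wrapped by the mail archive are rejoined and the stray ";"
        # after the URL is removed; Apache would reject both.)
        <Proxy http://127.0.0.1:20000/SOGo>
                RequestHeader set "x-webobjects-server-port" "443"
                RequestHeader set "x-webobjects-server-name" "sogo.ourdomain.de:443"
                RequestHeader set "x-webobjects-server-url" "https://sogo.ourdomain.de:443"
                RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
                # Only set when the REMOTE_HOST variable exists (it is created
                # by the RewriteRule in generic-sogo-stuff for /SOGo/... URLs).
                RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
                # Proxy-side authentication is not used here, so never forward
                # a client-supplied user name. Replace this with a
                # "RequestHeader set" if proxy authentication is enabled later.
                RequestHeader unset "x-webobjects-remote-user"
                AddDefaultCharset UTF-8
                Order allow,deny
                Allow from all
        </Proxy>

</VirtualHost>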


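### 8443 is the Apple standard port for encrypted CardDAV (author's note)
# NOTE(review): Apple's defaults are usually listed as 8443 for CalDAV and
# 8843 for CardDAV. Both vhosts here are configured the same way, so the
# swap should not matter -- confirm.
<virtualhost sogo.ourdomain.de:8443>

        ServerAdmin webmas...@ourdomain.de
        DocumentRoot /var/www

        include         includes/generic-ssl-stuff
        include         includes/generic-sogo-stuff

        # Everything on this port is handed to SOGo's DAV tree.
        # "interpolate" and ProxyPassInterpolateEnv only matter when a target
        # contains ${VAR} references; none are visible in these lines.
        ProxyPassInterpolateEnv         On
        ProxyPass                       /principals http://127.0.0.1:20000/SOGo/dav/ interpolate
        ProxyPass                       /SOGo/dav/ http://127.0.0.1:20000/SOGo/dav/ interpolate
        ProxyPass                       / http://127.0.0.1:20000/SOGo/dav/ interpolate

        # "RequestHeader set" replaces any value the client sent, so SOGo sees
        # the public scheme, host and port of this vhost.
        # (Lines wrapped by the mail archive are rejoined and the stray ";"
        # after the URL is removed; Apache would reject both.)
        <Proxy http://127.0.0.1:20000/SOGo>
                RequestHeader set "x-webobjects-server-port" "8443"
                RequestHeader set "x-webobjects-server-name" "sogo.ourdomain.de:8443"
                RequestHeader set "x-webobjects-server-url" "https://sogo.ourdomain.de:8443"
                RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
                # NOTE(review): this header is only overwritten when REMOTE_HOST
                # is set, which the shared RewriteRule does for /SOGo/... URLs
                # only. For "/" and "/principals" a client-supplied value would
                # presumably pass through to SOGo's logs -- verify, and unset
                # the header first if so.
                RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
                # Proxy-side authentication is not used here, so never forward
                # a client-supplied user name. Replace this with a
                # "RequestHeader set" if proxy authentication is enabled later.
                RequestHeader unset "x-webobjects-remote-user"
                AddDefaultCharset UTF-8
                Order allow,deny
                Allow from all
        </Proxy>

        ErrorLog        ${APACHE_LOG_DIR}/error.log
        CustomLog       ${APACHE_LOG_DIR}/sogo_apfeldav_access.log combined

</virtualhost>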

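### and 8843 is the Apple standard port for encrypted CalDAV (author's note)
<virtualhost sogo.ourdomain.de:8843>

        ServerAdmin webmas...@ourdomain.de
        DocumentRoot /var/www

        include         includes/generic-ssl-stuff
        include         includes/generic-sogo-stuff

        # Everything on this port is handed to SOGo's DAV tree.
        # "interpolate" and ProxyPassInterpolateEnv only matter when a target
        # contains ${VAR} references; none are visible in these lines.
        ProxyPassInterpolateEnv         On
        ProxyPass                       /principals http://127.0.0.1:20000/SOGo/dav/ interpolate
        ProxyPass                       /SOGo/dav/ http://127.0.0.1:20000/SOGo/dav/ interpolate
        ProxyPass                       / http://127.0.0.1:20000/SOGo/dav/ interpolate

        # "RequestHeader set" replaces any value the client sent, so SOGo sees
        # the public scheme, host and port of this vhost.
        # (Lines wrapped by the mail archive are rejoined and the stray ";"
        # after the URL is removed; Apache would reject both.)
        <Proxy http://127.0.0.1:20000/SOGo>
                RequestHeader set "x-webobjects-server-port" "8843"
                RequestHeader set "x-webobjects-server-name" "sogo.ourdomain.de:8843"
                RequestHeader set "x-webobjects-server-url" "https://sogo.ourdomain.de:8843"
                RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
                # NOTE(review): this header is only overwritten when REMOTE_HOST
                # is set, which the shared RewriteRule does for /SOGo/... URLs
                # only. For "/" and "/principals" a client-supplied value would
                # presumably pass through to SOGo's logs -- verify, and unset
                # the header first if so.
                RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
                # Proxy-side authentication is not used here, so never forward
                # a client-supplied user name. Replace this with a
                # "RequestHeader set" if proxy authentication is enabled later.
                RequestHeader unset "x-webobjects-remote-user"
                AddDefaultCharset UTF-8
                Order allow,deny
                Allow from all
        </Proxy>

        ErrorLog        ${APACHE_LOG_DIR}/error.log
        CustomLog       ${APACHE_LOG_DIR}/sogo_apfeldav_access.log combined

</virtualhost>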
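# thoralf
# Boilerplate for SOGo hosts
# (presumably the includes/generic-sogo-stuff file pulled in by the vhosts)

# Static resources are served by Apache straight from the SOGo installation
# instead of going through the proxy.
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/  /usr/lib/GNUstep/SOGo/WebServerResources/
# (Rejoined: the mail archive had wrapped this directive onto two lines.)
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2

# LoadModule mod_proxy

<Directory /usr/lib/GNUstep/SOGo/>
    AllowOverride None
    Order deny,allow
    Allow from all
    # Explicitly allow caching of static content to avoid browser specific behavior.
    # A resource's URL MUST change in order to have the client load the new version.
    <IfModule expires_module>
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </IfModule>
</Directory>

# Product resources with these extensions are handled as plain static files.
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
  SetHandler default-handler
</LocationMatch>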

## Uncomment the following to enable proxy-side authentication, you will then
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section
## below.
## NOTE(review): with proxy-side authentication SOGo takes the user name from
## the "x-webobjects-remote-user" header. The proxy must then always overwrite
## that header, and the SOGo port must not be reachable except through this
## proxy; otherwise a client could presumably name any user.
#<Location /SOGo>
#  AuthType XXX
#  Require valid-user
#  SetEnv proxy-nokeepalive 1
#  Allow from all
#</Location>

# Reverse proxy only: forward (open) proxying stays disabled.
ProxyRequests Off
SetEnv proxy-nokeepalive 1
# Pass the client's Host header through to the backend unchanged.
ProxyPreserveHost On

# When using CAS, you should uncomment this and install cas-proxy-validate.py
# in /usr/lib/cgi-bin to reduce server overloading
# NOTE(review): the ProxyPass target (/cgi-bin/...) and the <Proxy> URL
# (/app/...) below differ, so the access restriction may not cover the
# proxied URL -- check before enabling.
#
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py
# <Proxy http://localhost/app/cas-proxy-validate.py>
#   Order deny,allow
#   Allow from your-cas-host-addr
# </Proxy>

# The backend is reached over plain HTTP on the loopback address, so TLS ends
# at Apache. retry=0: a failed backend is retried at once rather than being
# skipped for a while.
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0

### thoralf
### this rather belongs in the respective virtualhost definition
### (the block below is therefore left commented out in this shared file)

#<Proxy http://127.0.0.1:20000/SOGo>
## adjust the following to your configuration
#  RequestHeader set "x-webobjects-server-port" "443"
#  RequestHeader set "x-webobjects-server-name" "sogo.ourdomain.de"
#  RequestHeader set "x-webobjects-server-url" "https://sogo.ourdomain.de"

## When using proxy-side authentication, you need to uncomment and
## adjust the following line:
#  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"

#  RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
#  RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST

#  RequestHeader set "x-webobjects-server-port" "80"
#  RequestHeader set "x-webobjects-server-name" "sogo.ourdomain.de"
#  RequestHeader set "x-webobjects-server-url" "http://sogo.ourdomain.de"

#  AddDefaultCharset UTF-8

#  Order allow,deny
#  Allow from all
#</Proxy>

## We use mod_rewrite to pass remote address to the SOGo proxy.
# The remote address will appear in SOGo's log files and in the X-Forward
# header of emails.
# The rule leaves the URL unchanged; it only stores the client address in the
# REMOTE_HOST variable, which the per-vhost <Proxy> blocks copy into the
# "x-webobjects-remote-host" header.
# NOTE(review): the pattern matches /SOGo/... only, so requests for other paths
# get no REMOTE_HOST variable and the conditional header is not set for them.
RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
# thoralf
# Generic SSL settings, for use inside virtualhosts
# (presumably the includes/generic-ssl-stuff file pulled in by the vhosts)
# NOTE(review): no SSLProtocol or SSLCipherSuite appears in this include, so
# protocol versions and ciphers come from the server-wide mod_ssl settings.
# Review them there.

<IfModule mod_ssl.c>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        # "sternchen" is German for asterisk, so this is presumably a wildcard
        # certificate. Its private key should be readable by root only.
        SSLCertificateFile      /etc/apache2/ssl/sternchen.ourdomain.de.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/sternchen.ourdomain.de.key
        # SSLCACertificateFile lists the CAs used to verify client certificates;
        # SSLCertificateChainFile is what sends the intermediate chain to
        # clients. Both point at the same bundle here.
        SSLCACertificateFile    /etc/apache2/ssl/gd_bundle.crt
        SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt

        # Export the standard SSL environment variables to scripts only.
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        # Workarounds for old Internet Explorer versions.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        # ([17-9] matches the digits 1, 7, 8 and 9, so versions 10+ are covered)
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</IfModule>
