I thank you for your time and effort.  I have some notes to read and will work on this tomorrow.  This all shows how woefully rusty on apache config I allowed myself to become while doing other things.

On 12/27/2012 07:38 PM, Reindl Harald wrote:

Am 28.12.2012 01:27, schrieb Robert Moskowitz:
My little bit of testing gives the user a bad experience if they use http://fqdn/webmail.  The ajax error is so
cryptic.  I suppose with some digging I can find a way to get it to say, "use https:// like you were instructed!"
instead.  Until I do, I tend toward a forced redirect to https.
force redirect

As for security issues for my site?  What, yet another DOS attack with TLS costs to any robo that hits on my
webmail url?
if you are CPU bound because of TLS and a robot, you have
other problems, like too slow hardware; these days, with
Intel AES-NI, it costs zero

My expertise is in designing security protocols, not impact of force using them.  ;)

it does not if it is done right

<Directory "roundcube-dir">
  php_admin_flag session.cookie_secure "1"
</Directory>

this makes sure that a client will NEVER send the
session cookie unencrypted. If you get an external security
audit and do not use this setting for https sites, you
will get warned by the auditor, and if not, he did not do
his job!
Perhaps I am implementing this wrong on my server.  My roundcubemail.conf has

<Directory /usr/share/roundcubemail/>
    Order Deny,Allow
    Allow from all
</Directory>

Am I supposed to put your <Directory "roundcube-dir"> ...
after this entry, or the php_admin_flag in the one I have?
jesus christ, put it in your <Directory /usr/share/roundcubemail/>
don't get me wrong, but it should be pretty clear for anybody
that <Directory "roundcube-dir"> is an example for mod_php basics

What do you use for force_https and use_https?
some lines of code in any PHP file, like configuration includes,
which is always loaded; make sure it is included BEFORE any
output starts, because HTTP headers can not be pushed after
output of the HTTP body has started

if(PHP_SAPI != 'cli' && (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off'))
{
 // not on TLS: answer 301 and send the browser to the https:// URL, then stop
 // before any body is emitted over plain http (some SAPIs set HTTPS to "off"
 // instead of leaving it unset, hence the extra check)
 header($_SERVER['SERVER_PROTOCOL'] . ' 301 Moved Permanently', true, 301);
 header('Location: https://yourhostname/your-install-dir/', true, 301);
 exit;
}



_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
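As an added example, not from the thread, here is how the two pieces fit together in Apache 2.2 syntax: the forced redirect done by the web server instead of PHP, and the cookie flag placed in the existing <Directory /usr/share/roundcubemail/> block. The hostname, certificate paths and the /webmail alias are placeholders.

```apache
# Constructed example, not the thread's own config. Hostname, certificate
# paths and the /webmail alias are placeholders to be replaced.

# Plain-http site: do nothing but send every request to https with a 301,
# keeping the requested path (same effect as the PHP snippet, but no PHP
# ever runs over http).
<VirtualHost *:80>
    ServerName mail.example.org
    Redirect permanent / https://mail.example.org/
</VirtualHost>

# TLS site that actually serves Roundcube.
<VirtualHost *:443>
    ServerName mail.example.org
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/mail.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.example.org.key
    Alias /webmail /usr/share/roundcubemail
</VirtualHost>

# The Directory block from roundcubemail.conf, with the php_admin_flag
# added to it: the PHP session cookie gets the Secure attribute, so a
# browser never sends it over plain http even if a user types http://.
<Directory /usr/share/roundcubemail/>
    Order Deny,Allow
    Allow from all
    php_admin_flag session.cookie_secure on
</Directory>
```

Apache does not accept comments at the end of a directive line, so the explanations above sit on their own lines; check the merged file with `apachectl configtest` before reloading.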