On 12/31/2012 10:01 PM, Reindl Harald wrote:

On 01.01.2013 03:55, Arne Berglund wrote:
On 2012-12-31 17:23, Robert Moskowitz wrote:
I can't claim any real skill in configuring apache, all I can do is
read readmes and copy and paste for examples and things I have
running...  So I SEEM to have made some real headway, but have not
gotten wireshark going to see if it is really behaving as it seems. I
would appreciate any input on a cleaner way to setup Roundcube as a
virtual host only over TLS.
<snipped>

Robert, here's the setup I have, partially inherited and partially refined over the years. My ReWrite is in a
directory declaration, and has never thrown any errors.

<Directory "/">
        RewriteEngine on
        ReWriteCond %{HTTP_HOST} =webmail.example.org [NC]
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^.*$ https://webmail.example.org%{REQUEST_URI} [L,R]
</Directory>

I am not quite getting this.  Or maybe I barely am...  This is saying if the URL of webmail.example.org is received, this rewrite occurs, and the virtualhost envelope is not needed.  What if the URL is webmail.example.org/something  ???

the next one missing that without "secure only" flag the browser
will send the cookies unencrypted because they are part of the
request headers and the redirect happens after them

Oh, I think I see.  Noel pointed out that the session.cookie_secure can go in the virtual_host envelope....

So I get:

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>

    ServerName webmail
    ServerAlias webmail.foo.com
    php_admin_flag session.cookie_secure "1"
    RewriteEngine On
    RewriteCond  %{SERVER_PORT} !^443$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
    ExpiresDefault "access plus 10 years"
    AddOutputFilterByType DEFLATE text/html text/plain text/xml

</VirtualHost>

<VirtualHost *:443>

    ServerName webmail
    ServerAlias webmail.foo.com
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/foo.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/foo.com.key
    DocumentRoot /usr/share/roundcubemail
    <Directory /usr/share/roundcubemail/>
        Order Deny,Allow
        Allow from all
        php_admin_flag session.cookie_secure "1"
    </Directory>

</VirtualHost>
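
Added example, not part of the original message: a small Python check of the point about the "secure only" flag, confirming that the port 80 answer is only a redirect to https and that every Set-Cookie on port 443 carries Secure. The sample responses, the cookie value and the function names are constructed for illustration.

```python
# Constructed sample responses, not captured from a real server.
PLAIN_80 = "HTTP/1.1 302 Found\r\nLocation: https://webmail.foo.com/\r\n\r\n"
TLS_WEAK = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: roundcube_sessid=abc123; path=/; HttpOnly\r\n\r\n")
TLS_GOOD = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: roundcube_sessid=abc123; path=/; secure; HttpOnly\r\n\r\n")
REDIRECTS = (301, 302, 303, 307, 308)


def parse_response(raw):
    """Return (status_code, [(lowercased_header_name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def insecure_cookies(headers):
    """Names of cookies whose Set-Cookie header lacks the Secure attribute."""
    bad = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            bad.append(parts[0].split("=", 1)[0])
    return bad


def audit(plain_raw, tls_raw):
    """Findings for one host's port-80 and port-443 responses."""
    findings = []
    status, headers = parse_response(plain_raw)
    location = dict(headers).get("location", "")
    if status not in REDIRECTS or not location.startswith("https://"):
        findings.append("port 80 does not redirect to https")
    if any(name == "set-cookie" for name, _ in headers):
        findings.append("port 80 sets a cookie over cleartext")
    findings += ["cookie without Secure: " + c
                 for c in insecure_cookies(parse_response(tls_raw)[1])]
    return findings

if __name__ == "__main__":
    print(audit(PLAIN_80, TLS_WEAK))
    print(audit(PLAIN_80, TLS_GOOD))
```

To use it against a live host, paste in the response heads from a capture of each port in place of the constructed strings.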