[BlueOnyx:18639] Re: 5209R SSL redirection

Lew Berry LCBerry at lcbconsulting.net
Tue Nov 10 16:40:21 -05 2015


Just a couple of thoughts:
If Customer types https://www.hisdomain.tld/webmail into browser for secure webmail, doesn't the site have to have an SSL Cert. (and have it enabled) for https://www.hisdomain.tld/anything to work in the first place? The cert would be issued to host.hisdomain.tld and any trailing directory is irrelevant.
If redirecting to https://www.anothercustomer.tld/webmail, does that mean www.anothercustomer.tld is using the same IP address and BX is showing the first SSL-enabled site it finds? Does BX still only allow 1 SSL per IP, or has that changed?
If customer wants SSL for webmail only, I would think a different host https://webmail.hisdomain.tld or subdomain would be the way to go, with a redirect in hisdomain.tld/webmail pointing to the secure server.


Lew Berry, MCSE, MCT, CSSA
LCB Consulting Inc.


If anyone has some insight on this, it would be helpful.

As it turns out, the way that this is working combined with the change in Roundcube to be as a webapp rather than entire server has turned things into a royal cluster-unpleasantry.

Case in point:   Customer wants only to use https for webmail (reasonable).

Customer does not have SSL enabled on site.

Customer types https://www.hisdomain.tld/webmail into browser, and that redirects to https://www.anothercustomer.tld/webmail

Customer logs in with his account information.

Webmail is blank, missing his address book & ends his email address in the wrong domain since it's pulling out of the webmail installation in the other customer's site.

This essentially makes webmail useless if they're looking to invoke any sense of security.



On 11/9/2015 3:13 PM, Chris Gebhardt - VIRTBIZ Internet wrote:
> Hi All,
>
> I think I see a potential bug here, but I'm not 100% certain.
> Therefore I thought I would bring it up.
>
> What I'm seeing:
> Customer has a vsite with no SSL.   Customer tries SSL connection to the
> vsite and Apache then pulls a certificate from a DIFFERENT vsite that
> DOES have SSL (and a valid cert).  Obviously this causes a certificate
> mismatch alert in the browser.   If the user accepts the certificate,
> then the user is redirected to the site WITH the SSL.
>
> My recollection from previous BlueOnyx versions is that if no SSL is
> enabled for the vsite, the connection simply times out as there's
> nothing listening on that port.   I think that would be preferable...
>
> I'll be honest - I didn't notice anything until a customer brought it to
> our attention today wondering why we're sending visitors to his site to
> another site he has no affiliation with.   <scratches head>  Good question!
>
> Have I missed something?
>

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx



