[BlueOnyx:21862] Re: vsite roundcube not responding to ip address

Michael Stauber mstauber at blueonyx.it
Mon Mar 19 15:25:17 -05 2018


Hi Larry,

> Since all the updates the last few days, several
> of my vsites (different boxes) are now no longer responding
> to roundcube via their IP address and I am seeing a 
> <quote>
> [Mon Mar 19 13:16:45.063252 2018] [ssl:error] [pid 1249] AH02235: Unable to 
> configure server certificate for stapling
> </quote>
> 
> in the apache (httpd) logs.  Not sure if these are related or not.

Yes, it's somewhat related. Access to Vsites via IP (if using HTTPS and
SNI) is a bit problematic. We had issues that Apache was arbitrarily
serving the wrong SSL certificates.

To counter that we introduced a _default Vsite for each IP. On
5207R/5208R this only covers the primary IP. On 5209R (where we also use
SSL certificate stapling) this covers all IPv4 and IPv6 IPs that happen
to be bound to the server.

These new default <VirtualHost> containers use the GUI's SSL
certificate, use /var/www/html as DocumentRoot and redirect to the GUI.
There is no Roundcube on that as it's only deployed to all
<VirtualHost>s that are related to actual Vsites. This then also means
that direct access to a BlueOnyx Vsite via IP (and not the FQDN or an
alias) is currently not possible.

However: This is not the final manifestation of the solution we're
aiming for.

Sometime within the next 8-14 days I will release another update that
allows you to offload anything HTTPS related to an Nginx proxy on your
BlueOnyx. Means: Apache will continue to host all Vsites via HTTP. HTTPS
access to these Vsites is done via Nginx, which acts as a proxy. All you
need to do is to set a switch under "Network Services" / "Web" to
activate this.

The benefits:

- Better/easier and less error-prone SSL implementation.

- Support for HTTP/2 out of the box for all Vsites that have
  SSL enabled. The Apache on CentOS 7 cannot do HTTP/2 and it
  is unlikely that it'll get it during a future update.

- Reintroduction of all advanced SSL ciphers that RedHat chose
  to withhold from us for "patent reasons". Our Nginx is compiled
  against the latest OpenSSL-1.1.0g, so we will have them.

-- 
With best regards

Michael Stauber
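As an added illustration (not BlueOnyx's generated configuration), this is the Apache layout the reply describes: one catch-all container per bound IP that carries the GUI certificate and redirects to the GUI, followed by a name-based container for the real Vsite. IP addresses, hostnames, certificate paths, the Roundcube path and the GUI port are placeholders.

```apache
# Stapling cache must live in server context, outside any <VirtualHost>.
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)

# Catch-all for requests that arrive by bare IP or with an unknown SNI name.
# Apache selects the first container for a given IP:port when no ServerName
# matches, so this one has to be listed before the Vsite containers.
<VirtualHost 192.0.2.10:443>
    ServerName   192.0.2.10
    DocumentRoot /var/www/html
    SSLEngine on
    SSLUseStapling on
    SSLCertificateFile    /etc/pki/tls/certs/gui.crt      # placeholder: GUI cert
    SSLCertificateKeyFile /etc/pki/tls/private/gui.key    # placeholder: GUI key
    # Everything that lands here is sent to the admin GUI (placeholder port).
    Redirect permanent / https://server.example.net:444/
</VirtualHost>

# Real Vsite: only chosen when the client sends a matching SNI/Host name,
# which is why https://192.0.2.10/webmail/ never reaches Roundcube.
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.com
    ServerAlias  example.com
    DocumentRoot /home/sites/www.example.com/web           # placeholder path
    SSLEngine on
    SSLUseStapling on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    Alias /webmail /usr/share/roundcubemail                 # placeholder path
</VirtualHost>
```

Requesting the Vsite by its FQDN or alias reaches the second container; requesting it by IP reaches the first and is redirected, which matches the behaviour the reply describes.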
