Author Topic: SysCP with SSL  (Read 6358 times)
samual
Newbie

Posts: 29


« on: December 05, 2005, 10:53:08 am »

Hello there,

First I want to thank you for the great work that is done by the team (who is this?) building SysCP!!!! Thanks a lot!


There are tutorials on how to set up SquirrelMail with SSL. But there is one question: why should I secure SquirrelMail with SSL when SysCP itself doesn't use SSL by default?

Debian uses its own Apache called apache-ssl; why isn't SysCP copied into the document root of the apache-ssl package in /var/www-ssl/? Now the normal user will use a SysCP that isn't secure!
Perhaps there is something I don't understand, but for me it seems to be a better idea to use SysCP with SSL.

When I think about it, my plan is:
Installing apache-ssl
Changing the document root from the standard apache to something different than /var/www and changing the document root for apache-ssl from /var/www-ssl to /var/www

Then I can create a subdomain for a normal domain to connect to SysCP (https://SysCP.example.com)

What do you think?
Logged
microft
Hero Member

Posts: 744


« Reply #1 on: December 05, 2005, 11:02:50 am »

Hi samual

It makes us happy to get positive posts about syscp here :)

You described one way to secure the syscp-installation. I used the default apache (not the special apache-ssl) to tunnel SysCP over ssl. This is another way to secure SysCP. If you're going to use apache-ssl, you could write a small tutorial and put it into the documentation section of SysCP. This would be a good extension of our documentation ;)

Yes, you're right, a normal user would perhaps use SysCP over an unencrypted connection. But we think that an admin of a server has the ability to secure the SysCP-installation over an ssl tunnel. This is basic knowledge and should be known by every admin of a linux webserver. The other part is that every admin has his own ideas of an installation of SysCP.

thanks and cu later

Microft
Logged

Don't dream your whole life. Live your dreams!
samual
Newbie

Posts: 29


« Reply #2 on: December 05, 2005, 01:53:09 pm »

What you say is correct, every admin with basic knowledge should be aware of the security hole and of course should be able to secure syscp!
But for such an admin, it would be no problem to handle the same for apache-ssl and /var/www-ssl. But for a novice user (and you know they are on the net) it is not so easy to get an unsecure syscp installation.

I think it is better to deliver a secure environment; that's what we all blame Microsoft for, and here we are doing the same. Easy to install but unsecure if you don't have the knowledge.

I think this is a good and necessary discussion, although it's only for thinking about things and concepts.
Logged
paddy
Hero Member

Posts: 667


« Reply #3 on: December 05, 2005, 02:24:45 pm »

But for everyone it's easy to just install apache-ssl, whose docroot is, afaik, by default also at /var/www, and just add a .htaccess to the /var/www directory that looks like this:
Code:
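RewriteEngine On
# Only act on requests that did not arrive on the HTTPS port
RewriteCond %{SERVER_PORT} !^443$
# "tld" stands for your own host name; redirect to the same URI over HTTPS
RewriteRule (.*) https://tld%{REQUEST_URI} [R,L]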

I think everybody, even with basic knowledge, should be able to do so. And if not, maybe someone like that shan't have a root server?
Logged
samual
Newbie

Posts: 29


« Reply #4 on: December 06, 2005, 09:03:58 am »

I think this is correct and I was thinking of my changes of the docroot for apache-ssl to /var/www-ssl/.

But I still think it would not be such a bad idea to install only apache-ssl instead of apache.
Logged
duergner
Hero Member

Posts: 1778


« Reply #5 on: December 06, 2005, 11:28:12 am »

I do not really think that this is a good idea as it would cause a lot of trouble. Most people doing webhosting use the normal apache package and configure the modules they need. Changing the dependency to apache-ssl would destroy a lot of these installations and make these guys unable to use the .deb package.

And for apache2 the -ssl package is not provided anymore AFAIR.
Logged

The small but subtle difference: under Windows you have to be root for everything to work. Under Linux you must not be root, because otherwise not everything works.
-Urs Traenker in dcsf-
benschi
Sr. Member

Posts: 417


« Reply #6 on: December 06, 2005, 02:45:37 pm »

@duergner
right, that is cuz' the mod_ssl is included in the Debian Package of Apache2.
Logged

Where? What? Why? When? How come? What for? - It wasn't me ;)

Windows CE + Windows ME + Windows NT = Windows CEMENT !!!
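
Added example, not part of any post in this thread: the plain-HTTP redirect from reply #3 combined with an SSL-only virtual host on the stock Apache with mod_ssl, the setup mentioned in replies #1 and #6. The hostname follows the SysCP.example.com pattern from the first post; the certificate paths are placeholders, and the module setup (mod_ssl, mod_alias, `Listen 443`) is assumed.

```apache
# Added example, not from the thread. Assumes Apache with mod_ssl and mod_alias
# loaded and "Listen 443" set; older Apache releases also need NameVirtualHost lines.
# syscp.example.com follows the first post; certificate paths are placeholders.

# Plain HTTP: serve no content, only redirect to the HTTPS host.
<VirtualHost *:80>
    ServerName syscp.example.com
    Redirect permanent / https://syscp.example.com/
</VirtualHost>

# HTTPS: the only place the panel is served.
<VirtualHost *:443>
    ServerName syscp.example.com
    DocumentRoot /var/www
    SSLEngine on
    SSLCertificateFile    /path/to/PLACEHOLDER-cert.pem
    SSLCertificateKeyFile /path/to/PLACEHOLDER-key.pem
</VirtualHost>

# Server-wide backstop: refuse non-SSL access to the docroot even if
# another port-80 virtual host maps to it.
<Directory /var/www>
    SSLRequireSSL
</Directory>
```

The redirect only helps with requests made after it; a login form submitted to the http:// address has already crossed the network unencrypted, so links and bookmarks should point at the https:// address directly.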