# Forcing apache to host squirrel mail on https only

## vidigiani

I am sure this must've been asked somewhere before, but searching through the forums didn't seem to yeild anything related to this exact purpose. Right now I have squirrelmail working just fine on top of courier-imap and apache. I can get to squirrelmail through http://xxx and https://xxx.

What I would like to do is restrict squirrelmail to https://xxx only. I want to prevent users from accidentally going to http://xxx and exposing their password to the world.

----------

## eltech

hello ..

surprised you never ran into my post .. i was baffled by it all .. anyway .. i have i tto work and there i sno deviation to it ..

heres how

setup another virtual host in vhosts.conf for the mail server like so ..

```
<VirtualHost *>

#  General setup for the virtual host

DocumentRoot /home/httpd/squirrelmail

Redirect /  https://mail.mydomain.com

ServerName mail.mydomain.com   

ServerAlias mail.myotherdomain.com

ServerAdmin MailAdmin@mydomain.com 

ErrorLog /var/log/apache/mail-error_log            

TransferLog /var/log/apache/mail-access_log            

<Directory "/home/httpd/squirrelmail/">       

               AllowOverride None         

               Options none       

               Order allow,deny 

               Allow from all           

               DirectoryIndex index.php

               </Directory>

</VirtualHost>
```

so long as you have the ssl vhost setup properly which it seems like you do .. you should hav eno problem..

----------

## vidigiani

Thank you for the details. I found your other thread so I will read through it as well to try to get up to speed.

----------

## eltech

did it work for you?

----------

## vidigiani

I ended up doing it slightly differently., but I did use a lot of the information you provided.

I set up a NamedVirtualHost for 433 and set it to the mail.mydomain.com address and set all of the SSL stuff you had in your other thread there. Seems to work great. If I connect to mydomain.com I use the regular site. If I connect to mail.mydomain.com without SSL then I use the regular site. However, if I connect to mail.mydomain.com with SSL I get into my mail server. Good stuff. Thanks for the help!

----------

## eltech

 :Cool:  cool!

----------

## jtp755

vidigiani: How did you go about doing that? I know this is an old thread but o well. thats exactly what i want.

----------

## eltech

Post more info on what your trying to do .. i have learned alot about apache and just finished upgrading to apache2 and learned a lot along the way .. not to mention, its a fun application to tweak, modify and experiment with (ofcourse not my clients sites)  :Smile: 

----------

## jtp755

i am tryin to do the same thing...resrtict Squirrelmail to only open on https and redirect if not on https. first i have to get squirrelmail and courier-imap working....i have had alot of problems so i unmerged and remerged and starting over.

----------

## ixion

This is another way of doing this:

```

<Directory "/apache/htdocs/log">

    SSLRequireSSL

    Order deny,allow

    Allow from localhost

    AuthName "logging"

    AuthType Basic

    AuthUserFile /apache/users

    require valid-user

</Directory>

```

SSLRequireSSL is what you would be concerned with. Although I don't think it automatically redirects you. I just have a link on my main page that points to squirrelmail through https.

Hope this helps!  :Wink: 

----------

## jonnevers

On my website i run a lot of what would probably be called data mining apps, (all php baby) most contain semi-sensitive data and requires remote login to access, BUT i also run squirrelmail.

limitations in apache only allow one VHOST per IP address for any given host.

i like naming things subdomain.FQDN rather then FQDN/subdirectory

so i made my SSL enabled vhost 'https://secure.MY_FQDN' and then all the subdomains i have that i want to be secured run as sub directories of secure.MY_FQDN like https://secure.MY_FQDN/sub_directory

but the sites are accessed by why of non-ssl address like http://mail.MY_FQDN which its index.php is just a redirect to https://secure.MY_FQDN/mail/index.php !!

this way it gives me the flexiblity to have as many SSL enabled sites as i want but still be within the one true ssl site limitiation of apache....

and really using the header() function in a php redirect script is amazling simple and have yet to run into any snags.....

btw FQDN == fully qualified domain name (i.e gentoo.org)

(also hated the way squirrelmail looked, so I added functionality for my users to create their own unique, fully usable, CSS files that get stored in a mysql backend and are applied when they log in!)

-Jon

----------

## ixion

excellent solution, jonnevers!  :Very Happy: 

I found this redirect that I used to use for squirrelmail. Maybe it will help with this issue (thanks for reminding me about redirection, johnnevers;)):

```

*INDEX.PHP*

<HTML>

<HEAD>

<TITLE>LOCALHOST</TITLE>

<META HTTP-EQUIV="Refresh" CONTENT="10;URL=https://localhost/site/squirrelmail-1.4.1/index.php">

<SCRIPT LANGUAGE="JavaScript"><!--

function redirect () { setTimeout("go_now()",0); }

function go_now ()   { window.location.href = "https://localhost/site/squirrelmail/index.php"; }

//--></SCRIPT>

</HEAD>

<BODY onLoad="redirect()">

<H1>Please wait....</H1>

<P><A HREF="site/squirrelmail/index.php">LOGIN</A>

</BODY>

</HTML>

```

If anyone is using this, don't forget to add 'index.php' to your Directory Index directive in Apache:

```

<IfModule mod_dir.c>

    DirectoryIndex index.html index.php

</IfModule>

```

----------

## jonnevers

the redirect script can actually be as simple as

index.php...

```
<?php

header("Location: https://secure.MY_FQDN/sub_directory/index.php");

exit();

?>

```

----------

## ixion

goes to show how much I know.. :-/

Thanks for code, jon!  :Very Happy: 

----------

## UberLord

```
       

<VirtualHost *>

        RewriteEngine on

        RewriteCond %{SERVER_PORT} !^443$

        RewriteRule ^(horde) https://%{HTTP_HOST}/horde/ [L]

        RewriteRule ^/(horde) https://%{HTTP_HOST}/horde/ [L]

        RewriteRule ^(phpmyadmin) https://%{HTTP_HOST}/phpmyadmin/ [L]

        RewriteRule ^/(phpmyadmin) https://%{HTTP_HOST}/phpmyadmin/ [L]

        RewriteRule ^(acid) https://%{HTTP_HOST}/acid/ [L]

        RewriteRule ^/(acid) https://%{HTTP_HOST}/acid/ [L]

</VirtualHost>

```

Thats what I use. Simple and effective  :Very Happy: 

----------

## Phlaegel

There is a squirrelmail plugin that checks to make sure SSL is enabled before letting users login as well.

----------

## fourhead

 *Quote:*   

> so long as you have the ssl vhost setup properly which it seems like you do

 

This is my problem, how do I do that. Currently, the vhost for my squrrelmail setup looks like this:

```

<VirtualHost *:80>

        ServerName      mail.mydomain.de

        ServerAlias     mail.myotherdomain.de

        DocumentRoot    /data/www/squirrelmail

</VirtualHost>

```

This works fine, I can access mail with http://mail.mydomain.de. I installed the secure_login plugin for squirrelmail, but when I enable it, neither http:/ or https:/ work. I suppose I'm missing something with my Apache config to make SSL work at all. I have a SSL cert for the mail server, can I use this one for Apache too?

----------

