
Using Apache 2 as a proxy server for WorldClient and WebAdmin

The instructions below will allow you to run Apache 2 as a proxy server for WorldClient and WebAdmin, both with SSL and without.

Prerequisites

We assume that you already have a running version of Apache 2. The configuration has been tested with Apache 2.0.58, but should work on any Apache 2 installation.


The web server does not have to be dedicated to this task; the proxy configuration can be added to any existing Apache 2 configuration without affecting the web server’s other tasks.


For our purposes, Apache 2 is not required to be running on the same machine as MDaemon. The configuration steps described here apply equally to Apache 2 for Windows and for UNIX, so this document makes no distinction between them.


The web server must have access to your real WorldClient and WebAdmin IP, but the clients only need to be able to reach the IP your web server is running on. This can be used as a security measure, because clients never connect to the MDaemon services directly.


To keep this brief, we also assume that you have enough knowledge of your systems to make any changes needed to meet these prerequisites.

This configuration

This document shows how to use Apache 2’s proxy feature with WorldClient and WebAdmin using SSL and without SSL. It is based on a default configuration of MDaemon and Apache 2, so the steps you will have to follow may slightly vary.


WorldClient will be available at its standard port 3000, WebAdmin at port 1000 at the IP 192.0.2.0. If there is a DNS entry for this IP named mail.example.com, you could access your servers under:


No SSL:


WorldClient: http://mail.example.com:3000/

WebAdmin: http://mail.example.com:1000/


With SSL:


WorldClient: https://mail.example.com:3000/

WebAdmin: https://mail.example.com:1000/

The advantage of this approach is that you can use a valid SSL certificate with WorldClient and WebAdmin. Both sites can share the certificate with other sites you may already have; they only need to use different ports. Compared with running worldclient.dll in CGI mode (as described in KBA-01525), it is much easier to set up and poses fewer security threats.


Alas, you will lose the 'IP persistence' feature of WorldClient and WebAdmin.

Procedure

Setting up WorldClient

By default, WorldClient monitors all IPs that MDaemon uses for all primary and secondary domains of the machine it is running on. The default port is 3000. If Apache 2 is on the same machine, it cannot use the same port and IP. You must either designate a different port for Apache 2, or run WorldClient on a different IP than Apache 2.


Open WorldClient setup in MDaemon and enter 192.0.2.0 for 'Bind WorldClient’s web server to these IPs only', and leave the port at 3000. You may also deselect 'Require IP persistence throughout WorldClient session', as this feature will no longer work, because WorldClient will only 'see' the IP of Apache 2.


Do not enable SSL for WorldClient.

Setting up WebAdmin

By default, WebAdmin monitors all IPs that MDaemon uses for all primary and secondary domains of the machine it is running on. The default port is 1000. If Apache 2 is on the same machine, it cannot use the same port and IP. You must either designate a different port for Apache 2, or run WebAdmin on a different IP than Apache 2.


Open WebAdmin setup in MDaemon and enter 192.0.2.0 for 'Bind WebAdmin’s web server to these IPs only', and leave the port at 1000. You may also deselect 'Require IP persistence throughout WorldClient session', as this feature will no longer work, because WebAdmin will only 'see' the IP of Apache 2.


To have WorldClient users be forwarded to the right address when they click on 'Advanced Settings', change 'WebAdmin URL' to http://mail.example.com:1000/ (no SSL) or https://mail.example.com:1000/ (when using SSL). Otherwise, users will be taken to the default URL, directly to WebAdmin on the MDaemon machine, which may not be reachable from their location.


Do not enable SSL for WebAdmin.

Setting up Apache 2 without SSL

Some of the following settings usually already exist in Apache 2’s httpd.conf, so please search for them and modify them as necessary instead of simply adding these lines at the end.


Open httpd.conf and change the following:


First, we need to make Apache 2 listen on the correct IPs and ports:


Listen 192.0.2.0:1000
Listen 192.0.2.0:3000


Then turn on the proxy modules by uncommenting these two lines:


LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so


Note: Absolute IPs are usually not a good idea; you can also use DNS names like mail.example.com in place of the IPs in the following steps.


Next is to define two virtual hosts:


NameVirtualHost 192.0.2.0:1000
NameVirtualHost 192.0.2.0:3000


Now we can actually add the virtual hosts. Do not forget to modify the file names and paths of your certificate files.


# WorldClient
<VirtualHost 192.0.2.0:3000>
ServerName mail.example.com
ProxyPass / http://192.0.2.1:3000/
ProxyPassReverse / http://192.0.2.1:3000/
</VirtualHost>
# WebAdmin
<VirtualHost 192.0.2.0:1000>
ServerName mail.example.com
ProxyPass / http://192.0.2.1:1000/
ProxyPassReverse / http://192.0.2.1:1000/
</VirtualHost>


Setting up Apache 2 with SSL

Some of the following settings usually already exist in Apache 2’s httpd.conf, so please search for them and modify them as necessary instead of simply adding these lines at the end.


Open httpd.conf and change the following:


First, we need to make Apache 2 listen on the correct IPs and ports:


Listen 192.0.2.0:3000
Listen 192.0.2.0:1000


Then turn on the proxy modules by uncommenting these two lines:


LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so


To enable Apache 2’s SSL engine, uncomment the following line:


LoadModule ssl_module modules/mod_ssl.so

Note: Absolute IPs are usually not a good idea; you can also use DNS names like mail.example.com in place of the IPs in the following steps.


Next is to define two virtual hosts:


NameVirtualHost 192.0.2.0:3000
NameVirtualHost 192.0.2.0:1000


Now we can actually add the virtual hosts. Do not forget to modify the file names and paths of your certificate files.


# WorldClient
<VirtualHost 192.0.2.0:3000>
ServerName mail.example.com
SSLEngine on
SSLCertificateFile 'c:\Apache2\ssl.crt\mail.example.com.crt'
SSLCertificateKeyFile 'c:\Apache2\ssl.key\mail.example.com.key'
ProxyPass / http://192.0.2.1:3000/
ProxyPassReverse / http://192.0.2.1:3000/
</VirtualHost>
# WebAdmin
<VirtualHost 192.0.2.0:1000>
ServerName mail.example.com
SSLEngine on
SSLCertificateFile 'c:\Apache2\ssl.crt\mail.example.com.crt'
SSLCertificateKeyFile 'c:\Apache2\ssl.key\mail.example.com.key'
ProxyPass / http://192.0.2.1:1000/
ProxyPassReverse / http://192.0.2.1:1000/
</VirtualHost>


Extra option: forwarding connections from the default HTTP port to SSL. This will immediately pass any request for http://mail.example.com/ along to https://mail.example.com/:


Listen 192.0.2.0:80
NameVirtualHost 192.0.2.0:80
# Redirecting non-SSL
<VirtualHost 192.0.2.0:80>
ServerName mail.example.com
Redirect / https://mail.example.com/
</VirtualHost>

Tweaks

To run WorldClient on the default http (and https) ports, you must simply change the port 1000 to 80 (443 for SSL).

No SSL:

Listen 192.0.2.0:80
NameVirtualHost 192.0.2.0:80
<VirtualHost 192.0.2.0:80>
ServerName mail.example.com
ProxyPass / http://192.0.2.1:3000/
ProxyPassReverse / http://192.0.2.1:3000/
</VirtualHost>

SSL:

Listen 192.0.2.0:80
Listen 192.0.2.0:443
NameVirtualHost 192.0.2.0:80
NameVirtualHost 192.0.2.0:443
# Redirecting non-SSL
<VirtualHost 192.0.2.0:80>
ServerName mail.example.com
Redirect / https://mail.example.com/
</VirtualHost>
<VirtualHost 192.0.2.0:443>
ServerName mail.example.com
SSLEngine on
SSLCertificateFile 'c:\Apache2\ssl.crt\mail.example.com.crt'
SSLCertificateKeyFile 'c:\Apache2\ssl.key\mail.example.com.key'
ProxyPass / http://192.0.2.1:3000/
ProxyPassReverse / http://192.0.2.1:3000/
</VirtualHost>

To have WorldClient and WebAdmin support both secure and unsecured connections, simply set up the non-SSL virtual hosts as well. Do not forget, they have to use different ports (you cannot run two sites with the same server name at the same IP and port).
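
A pre-deployment check for the virtual hosts above, added here as an example (it is not part of the original article, MDaemon or Apache): it flags a virtual host with no Listen, a ProxyPass without its ProxyPassReverse, and a backend URL that points back at the proxy's own IP and port. The names lint_proxy_conf and SAMPLE are hypothetical, the sample config is constructed, and addresses are assumed to be written as IP:port as on this page; the ProxyRequests check goes beyond the page, since that directive turns on forward proxying, which this reverse-proxy setup does not need.

```python
from urllib.parse import urlsplit

# Constructed sample: the page's WorldClient vhost, then a WebAdmin vhost
# with deliberate mistakes (no Listen, no ProxyPassReverse, proxies to itself).
SAMPLE = """
Listen 192.0.2.0:3000
<VirtualHost 192.0.2.0:3000>
ProxyPass / http://192.0.2.1:3000/
ProxyPassReverse / http://192.0.2.1:3000/
</VirtualHost>
<VirtualHost 192.0.2.0:1000>
ProxyPass / http://192.0.2.0:1000/
</VirtualHost>
"""

def lint_proxy_conf(text):
    """Return sorted (scope, problem) pairs for an httpd.conf fragment."""
    listens, vhosts, scope, found = set(), {}, "global", []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            scope = line[len("<virtualhost"):].strip(" >")
            vhosts.setdefault(scope, {})
        elif line.lower().startswith("</virtualhost"):
            scope = "global"
        else:
            name, *args = line.split()
            key = name.lower()
            if key == "listen" and args:
                listens.add(args[0])
            elif key == "proxyrequests" and args and args[0].lower() == "on":
                found.append((scope, "ProxyRequests On enables forward proxying"))
            elif scope != "global":
                vhosts[scope].setdefault(key, []).append(tuple(args))
    for addr, d in vhosts.items():
        passes, reverses = d.get("proxypass", []), d.get("proxypassreverse", [])
        port = addr.rsplit(":", 1)[-1]
        # A Listen may name the full address, the bare port, or *:port.
        if not {addr, port, "*:" + port} & listens:
            found.append((addr, "no Listen covers this address"))
        if set(passes) - set(reverses):
            found.append((addr, "ProxyPass without matching ProxyPassReverse"))
        if any(len(p) > 1 and urlsplit(p[1]).netloc == addr for p in passes):
            found.append((addr, "backend is the proxy's own address"))
    return sorted(found)

if __name__ == "__main__":
    for scope, problem in lint_proxy_conf(SAMPLE):
        print(f"{scope}: {problem}")
```

Run it against a copy of httpd.conf by passing the file's text to lint_proxy_conf; an empty list means none of these mistakes were found.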

Credits

A part of this setup has been described on a Dutch site at http://gathering.tweakers.net/forum/list_messages/1131837.