Mailman and apache 443 virtualhost


#1

Hi Friends,
I’m trying to configure the Mailman Apache2 web interface and Let’s Encrypt on Debian 9.

I did not find much documentation on the net on this point, so I would like to ask you whether my Apache2 --> sites-available --> mailman.conf is fine for Let’s Encrypt; eventually I will continue with further investigation…

# We can find mailman here:
ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/
# And the public archives:
Alias /pipermail/ /var/lib/mailman/archives/public/
# Logos:
Alias /images/mailman/ /usr/share/images/mailman/

<Directory /usr/lib/cgi-bin/mailman/>
    AllowOverride None
    Options ExecCGI
    AddHandler cgi-script .cgi
    Require all granted
</Directory>
<Directory /var/lib/mailman/archives/public/>
    Options FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /usr/share/images/mailman/>
    AllowOverride None
    Require all granted
</Directory>

<VirtualHost *:80>
        ServerName lists.example.org
        ServerAlias lists.example.org

        ServerAdmin example@example.org

    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/.well-known.*
        RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]

</VirtualHost>


<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerAdmin example@example.org
                ServerName lists.example.org
                ServerAlias lists.example.org
                DocumentRoot /var/www/lists

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile /etc/letsencrypt/live/server.example.org/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/server.example.org/privkey.pem

                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /var/lib/mailman/archives/>
                        Options FollowSymLinks
                        AllowOverride None
                        SSLOptions +StdEnvVars
                </Directory>

                Alias /pipermail/ /var/lib/mailman/archives/public/
                Alias /images/mailman/ /usr/share/images/mailman/
                ScriptAlias /admin /usr/lib/cgi-bin/mailman/admin
                ScriptAlias /admindb /usr/lib/cgi-bin/mailman/admindb
                ScriptAlias /confirm /usr/lib/cgi-bin/mailman/confirm
                ScriptAlias /create /usr/lib/cgi-bin/mailman/create
                ScriptAlias /edithtml /usr/lib/cgi-bin/mailman/edithtml
                ScriptAlias /listinfo /usr/lib/cgi-bin/mailman/listinfo
                ScriptAlias /options /usr/lib/cgi-bin/mailman/options
                ScriptAlias /private /usr/lib/cgi-bin/mailman/private
                ScriptAlias /rmlist /usr/lib/cgi-bin/mailman/rmlist
                ScriptAlias /roster /usr/lib/cgi-bin/mailman/roster
                ScriptAlias /subscribe /usr/lib/cgi-bin/mailman/subscribe
                ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
#               ScriptAlias / /usr/lib/cgi-bin/mailman/listinfo

                #   "force-response-1.0" for this.
                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                # MSIE 7 and newer should be able to use keepalive
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


        </VirtualHost>

</IfModule>

Many thanks!

Davide


#2

It mostly looks OK.
Here are some things I would change:
# shorter
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/
# remove this line
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
# modify
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]


#3

Well, many thanks for your time!!
I will do as you suggest :wink:

I had inserted this line because I had read on the net that it could increase Certbot security.
I must be wrong :slight_smile:

Thanks again!
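
The port-80 routing discussed in this thread, as an added example that is not part of any post: it applies the three patterns from the posted vhost to constructed request paths, with and without the `RedirectMatch 404` line. The function name `port80_decision`, the outcome labels and the processing order (mod_rewrite first, then Alias, then the per-directory RedirectMatch) are assumptions of this simplified model.

```python
import re

# Patterns copied verbatim from the port-80 vhost in post #1.
# re.ASCII keeps \w at [A-Za-z0-9_] (assumed equivalent to Apache's PCRE default).
REWRITE_COND = re.compile(r"^/.well-known.*", re.ASCII)  # first "." is unescaped
ALIAS_PREFIX = "/.well-known/acme-challenge/"
TOKEN_FILTER = re.compile(r"^(?!/\.well-known/acme-challenge/[\w-]{43}$)", re.ASCII)


def port80_decision(path, token_filter=True):
    """Simplified model of the port-80 vhost; file existence is not modelled."""
    # The RewriteCond is negated: redirect when the pattern does NOT match.
    if not REWRITE_COND.search(path):
        return "redirect-https"
    if path.startswith(ALIAS_PREFIX):
        # RedirectMatch 404 fires whenever its regex matches, i.e. whenever the
        # path is NOT exactly the prefix plus 43 characters of [A-Za-z0-9_-].
        if token_filter and TOKEN_FILTER.search(path):
            return "404-filter"
        return "challenge-dir"    # file lookup in the aliased directory
    return "default-docroot"      # neither redirected nor aliased


# Constructed sample requests (not real ACME tokens).
TOKEN_43 = "A1b2C3d4_-" * 4 + "xyz"
SAMPLES = [
    "/listinfo/mylist",
    ALIAS_PREFIX + TOKEN_43,
    ALIAS_PREFIX + TOKEN_43[:-1],      # 42 characters
    ALIAS_PREFIX + TOKEN_43 + ".bak",  # extra suffix
    ALIAS_PREFIX,                      # directory itself
    "/.well-known/security.txt",
    "/xwell-known/anything",           # matched by the unescaped "."
]

if __name__ == "__main__":
    for p in SAMPLES:
        with_filter = port80_decision(p, token_filter=True)
        without_filter = port80_decision(p, token_filter=False)
        print(f"{p!r:60} filter={with_filter:16} no-filter={without_filter}")
```
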

