MailmanWiki

4.27. Securing Mailman's web GUI by using Secure HTTP/SSL (HTTPS)

For extra security when using Mailman's web GUI you may want to make access to it use Secure HTTP with URLs using the https scheme.

To do this you will need to:

1. Make the appropriate changes to your Apache installation (adding a module to provide SSL support, for example) and httpd.conf so that your server will only make the Mailman web interface URIs available via Secure HTTP. For more information about configuring Apache visit http://httpd.apache.org.

Something like:

 RedirectPermanent /mailman/ https://<server_name>/mailman/

may do the trick although it may cause a loop when http://<server_name>/mailman/ is redirected to https://<server_name>/mailman/ which is redirected to https://<server_name>/mailman/ ...

In order to avoid this, you can define separate virtual hosts for http://<server_name>/ and https://<server_name>/ and only apply the redirect to the http://<server_name>/ host and only configure Mailman access for the https://<server_name>/ host.

Alternatively, you may be able to use RewriteCond and RewriteRule to rewrite http://<server_name>/mailman/ as https://<server_name>/mailman/ only when the scheme is http.

There are various ways to do this in Apache. For example

RewriteEngine on
RewriteCond %{HTTPS}        off [NC]
RewriteRule ^/mailman(/.*)  https://%{HTTP_HOST}/mailman$1   [L,R=permanent]

Don't omit the [NC] flag on the above RewriteCond unless you're certain you know what you're doing.

2. Assuming MM 2.1.x, assign the value of the DEFAULT_URL_PATTERN Mailman configuration variable in mm_cfg.py to use the https scheme, e.g.

 DEFAULT_URL_PATTERN = 'https://%s/mailman/'

This will ensure that the web_page_url attribute of new lists uses the https scheme.

Don't overlook the next step to update existing lists.

3. Use $prefix/bin/fix_url.py to get the change to DEFAULT_URL_PATTERN propagated to the web_page_url attributes of existing lists. You may need to run this through withlist, ie

 $prefix/bin/withlist -l -r fix_url listname

or to do all lists at once

 $prefix/bin/withlist -l -a -r fix_url

If you have lists in domains other than DEFAULT_URL_HOST you will need to do

 $prefix/bin/withlist -l -r fix_url listname -u list_web_domain

for each such list. See $prefix/bin/withlist --help and $prefix/bin/fix_url.py.

4. If you want to access public archives via SSL, assign the value of the PUBLIC_ARCHIVE_URL Mailman configuration variable in mm_cfg.py to use the https scheme, e.g.

 PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'

and use one of the above techniques to enforce it.

Converted from the Mailman FAQ Wizard

This is one of many Frequently Asked Questions.

MailmanWiki: DOC/4.27 Securing Mailman's web GUI by using Secure HTTP-SSL (HTTPS) (last edited 2016-12-01 23:13:38 by msapiro)