Differences between revisions 1 and 12 (spanning 11 versions)
Revision 1 as of 2008-07-31 14:07:44
Size: 2408
Editor: dunxd
Comment:
Revision 12 as of 2016-12-01 23:12:52
Size: 3140
Editor: msapiro
Comment: Added HTTPS to name for searching
''Last changed on Wed Jun 28 02:34:27 2006 by'' Mark Sapiro

4.27. Securing Mailman's web GUI by using Secure HTTP/SSL

For extra security when using Mailman's web GUI, you may want to require Secure HTTP for access to it, with URLs using the https scheme.

To do this you will need to:

1. Make the appropriate changes to your Apache installation (adding a module to provide SSL support, for example) and httpd.conf so that your server will only make the Mailman web interface URIs available via Secure HTTP. For more information about configuring Apache visit http://httpd.apache.org.

Something like:

 RedirectPermanent /mailman/ https://<server_name>/mailman/

may do the trick, although it may cause a loop when http://<server_name>/mailman/ is redirected to https://<server_name>/mailman/, which is redirected to https://<server_name>/mailman/ ...

In order to avoid this, you can define separate virtual hosts for http://<server_name>/ and https://<server_name>/ and only apply the redirect to the http://<server_name>/ host and only configure Mailman access for the https://<server_name>/ host.

Alternatively, you may be able to use RewriteCond and RewriteRule to rewrite http://<server_name>/mailman/ as https://<server_name>/mailman/ only when the scheme is http.

There are various ways to do this in Apache. For example:

 RewriteEngine on
 RewriteCond %{HTTPS} off [NC]
 RewriteRule ^/mailman(/.*) https://%{HTTP_HOST}/mailman$1 [L,R=permanent]

Don't omit the [NC] flag on the above RewriteCond unless you're certain you know what you're doing.

2. Assuming MM 2.1.x, assign the value of the DEFAULT_URL_PATTERN Mailman configuration variable in mm_cfg.py to use the https scheme, e.g.

 DEFAULT_URL_PATTERN = 'https://%s/mailman/'

This will ensure that the web_page_url attribute of new lists uses the https scheme.

Don't overlook the next step to update existing lists.

3. Use $prefix/bin/fix_url.py to get the change to DEFAULT_URL_PATTERN propagated to the web_page_url attributes of existing lists. You may need to run this through withlist, i.e.

 $prefix/bin/withlist -l -r fix_url listname

or to do all lists at once

 $prefix/bin/withlist -l -a -r fix_url

If you have lists in domains other than DEFAULT_URL_HOST you will need to do

 $prefix/bin/withlist -l -r fix_url listname -u list_web_domain

for each such list. See $prefix/bin/withlist --help and $prefix/bin/fix_url.py.

4. If you want to access public archives via SSL, assign the value of the PUBLIC_ARCHIVE_URL Mailman configuration variable in mm_cfg.py to use the https scheme, e.g.

 PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'

and use one of the above techniques to enforce it.
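
The separate-virtual-hosts approach from step 1, extended to the public archives from step 4, might look like the following. This is an added example, not part of the original FAQ entry. It assumes Apache 2.4 with mod_ssl, a host name of lists.example.com, Mailman installed under /usr/local/mailman, and placeholder certificate paths; substitute your own values.

```apache
# Plain-HTTP host: Mailman is NOT configured here, so the only thing
# this host can do with /mailman/ and /pipermail/ is redirect.
<VirtualHost *:80>
    ServerName lists.example.com    # assumed host name

    # The redirect lives only in the port-80 host, so the HTTPS host
    # never sees it and no redirect loop can occur.
    # The target host name is fixed rather than taken from the
    # request's Host header.
    Redirect permanent /mailman/   https://lists.example.com/mailman/
    Redirect permanent /pipermail/ https://lists.example.com/pipermail/
</VirtualHost>

# HTTPS host: the only place the Mailman web interface is served.
<VirtualHost *:443>
    ServerName lists.example.com    # assumed host name

    SSLEngine on
    SSLCertificateFile    /path/to/server-cert.pem    # placeholder
    SSLCertificateKeyFile /path/to/server-key.pem     # placeholder

    # Mailman CGI scripts (path assumes prefix=/usr/local/mailman)
    ScriptAlias /mailman/ /usr/local/mailman/cgi-bin/
    <Directory "/usr/local/mailman/cgi-bin">
        Require all granted
    </Directory>

    # Public archives, matching PUBLIC_ARCHIVE_URL in mm_cfg.py.
    # FollowSymLinks is needed because the public archive directory
    # holds symlinks into the private archive tree.
    Alias /pipermail/ /usr/local/mailman/archives/public/
    <Directory "/usr/local/mailman/archives/public">
        Options FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading Apache, a request to http://lists.example.com/mailman/listinfo should return a single 301 to the https URL, and the https URL should be served without any further redirect.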

Converted from the Mailman FAQ Wizard

MailmanWiki: DOC/4.27 Securing Mailman's web GUI by using Secure HTTP-SSL (HTTPS) (last edited 2016-12-01 23:13:38 by msapiro)