Differences between revisions 5 and 6
Revision 5 as of 2011-02-20 07:36:38
Size: 2765
Editor: msapiro
Comment: Migrated to Confluence 4.0
Revision 6 as of 2012-05-25 17:36:39
Size: 2895
Editor: msapiro
Comment: Added note to not omit [NC] on RewriteCond
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
#pragma page-filename DOC/versions/14352771 #pragma page-filename DOC/versions/4030702
Line 26: Line 26:
}}}

{{{#!wiki caution

Don't omit the `[NC]` flag on the above RewriteCond unless you're certain you know what you're doing.

4.27. Securing Mailman's web GUI by using Secure HTTP/SSL

For extra security when using Mailman's web GUI you may want to make access to it use Secure HTTP with URLs using the https scheme.

To do this you will need to:

1. Make the appropriate changes to your Apache installation (adding a module to provide SSL support, for example) and httpd.conf so that your server will only make the Mailman web interface URIs available via Secure HTTP. For more information about configuring Apache visit http://httpd.apache.org.

Something like:

 RedirectPermanent /mailman/ https://<server_name>/mailman/

may do the trick although it may cause a loop when http://<server_name>/mailman/ is redirected to https://<server_name>/mailman/ which is redirected to https://<server_name>/mailman/ ...

In order to avoid this, you can define separate virtual hosts for http://<server_name>/ and https://<server_name>/ and only apply the redirect to the http://<server_name>/ host and only configure Mailman access for the https://<server_name>/ host.

Alternatively, you may be able to use RewriteCond and RewriteRule to rewrite http://<server_name>/mailman/ as https://<server_name>/mailman/ only when the scheme is http.
There are various ways to do this in Apache. For example

RewriteEngine on
RewriteCond %{HTTPS}        off [NC]
RewriteRule ^/mailman(/.*)  https://%{HTTP_HOST}/mailman$1   [L,R=permanent]

Don't omit the [NC] flag on the above RewriteCond unless you're certain you know what you're doing.

2. Assuming MM 2.1.1, assign the value of the DEFAULT_URL_PATTERN Mailman configuration variable in mm_cfg.py to use the https scheme, e.g.

 DEFAULT_URL_PATTERN = 'https://%s/mailman/'

This will ensure that the web_page_url attribute of new lists use the https scheme

3. Use $prefix/bin/fix_url.py to get the change to DEFAULT_URL_PATTERN propagated to the web_page_url attributes of existing lists. You may need to run this through withlist, ie

 $prefix/bin/withlist -l -r fix_url listname

or to do all lists at once

 $prefix/bin/withlist -l -a -r fix_url

If you have lists in domains other than DEFAULT_URL_HOST you will need to do

 $prefix/bin/withlist -l -r fix_url listname -u list_web_domain

for each such list. See bin/withlist --help.

4. If you want to access public archives via SSL, assign the value of the PUBLIC_ARCHIVE_URL Mailman configuration variable in mm_cfg.py to use the https scheme, e.g.

 PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'

and use one of the above techniques to enforce it.

Converted from the Mailman FAQ Wizard

This is one of many Frequently Asked Questions.

MailmanWiki: DOC/4.27 Securing Mailman's web GUI by using Secure HTTP-SSL (HTTPS) (last edited 2016-12-01 23:13:38 by msapiro)