How to force HTTPS in Horde (Plesk)
If your using Horde as your preferred webmail client on a Plesk virtual hosting server, its advisable to enable (and force) the use of HTTPS in order to secure webmail users against their login information and email communication being compromised.
To force HTTPS within Horde:
# nano -w /etc/psa-webmail/horde/horde/conf.php
Then change:
$conf['use_ssl'] = 2;
to:
$conf['use_ssl'] = 1;
Next edit the Horde virtual host file:
nano -w /etc/httpd/conf.d/zzz_horde_vhost.conf
And just below the “ServerAdmin [email protected]” line add:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
Make sure to tab the lines in to match the delimiter of the previous servername/alias/admin lines.
Now restart Apache so it can pickup the changes:
# /etc/init.d/httpd restart
These changes will enable the following:
1. It will automatically re-direct connections from http://webmail.your-domain.com to httpS://webmail.your-domain.com before the user logins in, thus securing their login username and password.
2. It will disable non-SSL traffic to the Horde framework in the event the re-write rules are removed or otherwise edited.
On Ubuntu hosts the zzz_horde_vhost.conf file is located in
/etc/apache2/conf.d/zzz_horde_vhost.conf
I couldn’t get that to work, so I added a check to the /imp/login.php file that redirects the page to the ssl port. I know this doesn’t make the internal pages secure, but, at least the login isn’t unencrypted.