September 7, 2010

How to force HTTPS in Horde (Plesk)

If your using Horde as your preferred webmail client on a Plesk virtual hosting server, its advisable to enable (and force) the use of HTTPS in order to secure webmail users against their login information and email communication being compromised.

To force HTTPS within Horde:

# nano -w /etc/psa-webmail/horde/horde/conf.php

Then change:

$conf['use_ssl'] = 2;

to:

$conf['use_ssl'] = 1;

Next edit the Horde virtual host file:

nano -w /etc/httpd/conf.d/zzz_horde_vhost.conf

And just below the “ServerAdmin [email protected]” line add:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

Make sure to tab the lines in to match the delimiter of the previous servername/alias/admin lines.

Now restart Apache so it can pickup the changes:

# /etc/init.d/httpd restart

These changes will enable the following:

1. It will automatically re-direct connections from http://webmail.your-domain.com to httpS://webmail.your-domain.com before the user logins in, thus securing their login username and password.

2. It will disable non-SSL traffic to the Horde framework in the event the re-write rules are removed or otherwise edited.