Posted to modperl@perl.apache.org by sc...@musiciansfriend.com on 2000/08/03 20:48:21 UTC

how to check for ssl.

I've got a section of our site where I want to force the user to 
connect via ssl.
Inside of mod_perl, is there a parameter I can grab to see whether 
the connection is ssl or not?  Or a way to get the port number?

I went through the archives last night and couldn't find anything 
near this.  Am I missing something way too obvious here? I checked 
the headers_in and nothing there would even hint that it's ssl.


Scott

Re: how to check for ssl.

Posted by Jean-Denis Girard <jd...@esoft.pf>.
$r->server->port() returns 0
$r->parsed_uri->port() and $r->parsed_uri->fragment() return nothing !!!

___cliff rayman___ wrote:

> try these and see what they return:
>
> $r->server->port();
> $r->parsed_uri->port();
>
> --
> ___cliff rayman___cliff@genwax.com___http://www.genwax.com/
> Jean-Denis Girard wrote:
>
> > For some reason (probably my error), $r->get_server_port() always returns 80
> > although my mod_perl backend only listens to 8080 and 8443 (I use Listen
> > directives).
> > I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
> > instead.
> > Though it works, I must load one more module (Socket), which I would like to
> > avoid if possible...
> >
> > Any idea about my mistake ?
> >
> > My conf: apache-1.3.12 + mod_ssl-2.3.4  <=> apache-1.3.12 + mod_perl-1.24 on
> > linux-2.2.14
> >
> > Jean-Denis Girard
> > http://www.esoft.pf
> >
> > ___cliff rayman___ wrote:
> >
> > > $port=$r->get_server_port();
> > >
> > > scotta@musiciansfriend.com wrote:
> > >
> > > > Ok, so what is the PORT variable and how do i access it?
> > > >
> > > > Scott
> > > > On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> > > > > Not really, you can spoof both:
> > > > > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> > > > >
> > >
> > > --
> > > ___cliff rayman___cliff@genwax.com___http://www.genwax.com/


Re: how to check for ssl.

Posted by ___cliff rayman___ <cl...@genwax.com>.
try these and see what they return:

$r->server->port();
$r->parsed_uri->port();

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/
Jean-Denis Girard wrote:

> For some reason (probably my error), $r->get_server_port() always returns 80
> although my mod_perl backend only listens to 8080 and 8443 (I use Listen
> directives).
> I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
> instead.
> Though it works, I must load one more module (Socket), which I would like to
> avoid if possible...
>
> Any idea about my mistake ?
>
> My conf: apache-1.3.12 + mod_ssl-2.3.4  <=> apache-1.3.12 + mod_perl-1.24 on
> linux-2.2.14
>
> Jean-Denis Girard
> http://www.esoft.pf
>
> ___cliff rayman___ wrote:
>
> > $port=$r->get_server_port();
> >
> > scotta@musiciansfriend.com wrote:
> >
> > > Ok, so what is the PORT variable and how do i access it?
> > >
> > > Scott
> > > On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> > > > Not really, you can spoof both:
> > > > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> > > >
> >
> > --
> > ___cliff rayman___cliff@genwax.com___http://www.genwax.com/





Re: how to check for ssl.

Posted by Jean-Denis Girard <jd...@esoft.pf>.
For some reason (probably my error), $r->get_server_port() always returns 80
although my mod_perl backend only listens to 8080 and 8443 (I use Listen
directives).
I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
instead.
Though it works, I must load one more module (Socket), which I would like to
avoid if possible...

Any idea about my mistake ?

My conf: apache-1.3.12 + mod_ssl-2.3.4  <=> apache-1.3.12 + mod_perl-1.24 on
linux-2.2.14

Jean-Denis Girard
http://www.esoft.pf


___cliff rayman___ wrote:

> $port=$r->get_server_port();
>
> scotta@musiciansfriend.com wrote:
>
> > Ok, so what is the PORT variable and how do i access it?
> >
> > Scott
> > On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> > > Not really, you can spoof both:
> > > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> > >
>
> --
> ___cliff rayman___cliff@genwax.com___http://www.genwax.com/


Re: how to check for ssl.

Posted by ___cliff rayman___ <cl...@genwax.com>.
$port=$r->get_server_port();

scotta@musiciansfriend.com wrote:

> Ok, so what is the PORT variable and how do i access it?
>
> Scott
> On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> > Not really, you can spoof both:
> > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> >

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/



Re: how to check for ssl.

Posted by sc...@musiciansfriend.com.
Ok, so what is the PORT variable and how do i access it?

Scott
On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> Not really, you can spoof both:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> 



Re: how to check for ssl.

Posted by Stas Bekman <st...@stason.org>.
On Thu, 3 Aug 2000, Philip Mak wrote:

> On Thu, 3 Aug 2000, Stas Bekman wrote:
> 
> > > use Apache::URI ();
> > > $r->parsed_uri->scheme;
> > > 
> > > returns http or https
> > 
> > Not really, you can spoof both:
> 
> Does the user have to spoof it deliberately in order for the wrong one to
> be detected?
> 
> If spoofing requires the user to do it on purpose, then in this case the
> $r->parsed_uri->scheme should be sufficient. The other method (putting
> HTTPS on a different port and using mod_rewrite to make it transparent) is
> better of course, but in case you can't do it for some reason, I think
> this will work too.
> 
> They don't gain anything by spoofing http/https deliberately; it just
> makes their connection not secure.

Not really. Of course this is not a thing that happens to you every day, but
someone can intercept the connection and spoof it to the server as a secure
one, while in fact Eve (the interceptor's name that is usually used in crypto
docs, next to Alice and Bob) intercepts all the connections, making the
user submit information in an insecure way. Think about banking... So
checking for the scheme would be OK in 99.99999% of cases, if you don't care
about the one that might be spoofed.


_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:stas@stason.org   http://perl.org     http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org



Re: how to check for ssl.

Posted by Philip Mak <pm...@aaanime.net>.
On Thu, 3 Aug 2000, Stas Bekman wrote:

> > use Apache::URI ();
> > $r->parsed_uri->scheme;
> > 
> > returns http or https
> 
> Not really, you can spoof both:

Does the user have to spoof it deliberately in order for the wrong one to
be detected?

If spoofing requires the user to do it on purpose, then in this case the
$r->parsed_uri->scheme should be sufficient. The other method (putting
HTTPS on a different port and using mod_rewrite to make it transparent) is
better of course, but in case you can't do it for some reason, I think
this will work too.

They don't gain anything by spoofing http/https deliberately; it just
makes their connection not secure.

-Philip Mak (pmak@aaanime.net)


[Mason]Re: how to check for ssl.

Posted by Tim Bishop <ti...@activespace.com>.

On Thu, 3 Aug 2000, Stas Bekman wrote:

> On Thu, 3 Aug 2000, ___cliff rayman___ wrote:
> 
> > use Apache::URI ();
> > $r->parsed_uri->scheme;
> > 
> > returns http or https
> 
> Not really, you can spoof both:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
>  
> > scotta@musiciansfriend.com wrote:
> > 
> > > I've got a section of our site where I want to force the user to
> > > connect via ssl.
> > > Inside of mod_perl, is there a parameter I can grab to see whether
> > > the connection is ssl or not?  Or a way to get the port number?
> > >
> > > Scott

I had the same problem recently, where the mod_perl backend server did not
know what was happening on the front end with respect to SSL.  I solved it
in a way that is flexible, but perhaps overkill:

I patched mod_headers.c on the frontend server to allow one to attach
extra headers to requests when they are proxied to the backend.  This
allows you to stuff info in headers about SSL, or the remote-ip, etc.  
You can specify headers to set with the same substitution syntax as
RewriteRule

(The patch is attached)

example:

On the front-end server:
( cd apache_1.3.12 ; patch -p1 <ProxyHeaderRewrite.p2.patch ;make install)

in httpd.conf;
# tell upstream server the ip of the request, and pass along the Host
ProxyHeaderRewrite append X-Forwarded-For      "%{REMOTE_ADDR}" 
ProxyHeaderRewrite append X-Frontend-Host      "%{HTTP_HOST}"
# tell upstream server info on SSL status
<VirtualHost _default_:443>
    SSLOptions StdEnvVars
    ProxyHeaderRewrite append X-SSL-Cipher "%{ENV:SSL_PROTOCOL} %{ENV:SSL_CIPHER}"
</VirtualHost>
# tell upstream server the virtual host used
ProxyHeaderRewrite append X-Frontend-Host "%{HTTP:Host}"



Now, for a typical SSL request that is proxied to the back end (as
plaintext), these headers are added: 
X-Forwarded-For: 1.2.3.4
X-Frontend-Host: my.frontend.site.com
X-SSL-Cipher: SSLv3 IDEA



On the backend server, parse the headers with some little perl handler in
startup.pl, and stuff the info where most other modules expect it (in $r,
or in environment vars):

use Apache::Constants qw(OK);

sub My::ProxyHeaderParse ($) {
    my $r = shift;

    # we'll only look at the X-Forwarded-For header if the request
    # comes from our local network
    return OK unless ($r->connection->remote_ip =~ /^192\.168/);

    # the front end appends, so take the last address in the list
    if (my ($ip) = $r->header_in('X-Forwarded-For') =~ /([^,\s]+)$/) {
        $r->connection->remote_ip($ip);
    }

    # move X-Frontend-Host: into the Host: header
    my $host_header = $r->header_in('X-Frontend-Host');
    if ( defined($host_header) ) {
        $r->header_in('Host', $host_header);
    }

    # set up ssl env vars, if present in an X-SSL-Cipher header
    my $ssl_header = $r->header_in('X-SSL-Cipher');
    if ( defined($ssl_header) ) {
        ($ENV{SSL_PROTOCOL}, $ENV{SSL_CIPHER}) = split(/ /, $ssl_header);
        $ENV{HTTPS} = 'ON';  # CGI.pm:protocol() requires 'ON'  (not 1 !)
    }

    return OK;
}

# called in httpd.conf
#  PerlPostReadRequestHandler My::ProxyHeaderParse
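
The trust decision made by the handler above, and the spoofing concern raised elsewhere in the thread, as a stand-alone added example (not code from any poster or from the attached patch): proxy-supplied headers are honoured only when the TCP peer is a known front end, matched by CIDR rather than by string prefix. The 192.168.0.0/16 network, the function names and the sample requests are constructed for illustration.

```perl
use strict;
use warnings;
use Socket qw(inet_aton);

# Assumption: the front-end proxies sit in this network (constructed value).
my @TRUSTED_PROXIES = ('192.168.0.0/16');

# True if dotted-quad $ip lies inside one of the trusted CIDR blocks.
sub peer_is_trusted {
    my ($ip) = @_;
    return 0 unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    my $packed = inet_aton($ip) or return 0;
    my $addr = unpack 'N', $packed;
    for my $cidr (@TRUSTED_PROXIES) {
        my ($net, $bits) = split m{/}, $cidr;
        my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
        return 1 if ($addr & $mask) == (unpack('N', inet_aton($net)) & $mask);
    }
    return 0;
}

# What the backend may believe; $peer_ip is the TCP peer, $h the headers.
sub frontend_facts {
    my ($peer_ip, $h) = @_;
    my %facts = (client_ip => $peer_ip, https => 0);
    return \%facts unless peer_is_trusted($peer_ip);  # headers may be forged
    # The proxy appends, so only the last list element was written by it.
    if (($h->{'X-Forwarded-For'} // '') =~ /([^,\s]+)\s*$/) {
        $facts{client_ip} = $1;
    }
    # Accept only the "PROTOCOL CIPHER" shape the front end sends.
    if (($h->{'X-SSL-Cipher'} // '') =~ /^(\S+) (\S+)$/) {
        @facts{qw(https protocol cipher)} = (1, $1, $2);
    }
    return \%facts;
}

# Constructed sample requests: [TCP peer, headers].
my @samples = (
    ['192.168.1.10', { 'X-Forwarded-For' => '1.2.3.4',
                       'X-SSL-Cipher'    => 'SSLv3 IDEA' }],
    ['192.168.1.10', { 'X-Forwarded-For' => '10.9.9.9, 1.2.3.4' }],
    ['203.0.113.7',  { 'X-Forwarded-For' => '192.168.1.1',
                       'X-SSL-Cipher'    => 'SSLv3 IDEA' }],
);
for my $s (@samples) {
    my $f = frontend_facts(@$s);
    printf "%-13s -> client=%s https=%d\n", $s->[0], @$f{qw(client_ip https)};
}
```

This check cannot distinguish an X-SSL-Cipher header written by the front end from one a client sent through the front end's plain-HTTP side, so the front end has to remove or overwrite that header on every virtual host, not only set it in the 443 one.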


Re: how to check for ssl.

Posted by Stas Bekman <st...@stason.org>.
On Thu, 3 Aug 2000, ___cliff rayman___ wrote:

> use Apache::URI ();
> $r->parsed_uri->scheme;
> 
> returns http or https

Not really, you can spoof both:
http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
 


> scotta@musiciansfriend.com wrote:
> 
> > I've got a section of our site where I want to force the user to
> > connect via ssl.
> > Inside of mod_perl, is there a parameter I can grab to see whether
> > the connection is ssl or not?  Or a way to get the port number?
> >
> > I went through the archives last night and couldn't find anything
> > near this.  Am I missing something way too obvious here? I checked
> > the headers_in and nothing there would even hint that it's ssl.
> >
> > Scott
> 
> --
> ___cliff rayman___cliff@genwax.com___http://www.genwax.com/
> 
> 
> 



_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:stas@stason.org   http://perl.org     http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org




Re: how to check for ssl.

Posted by ___cliff rayman___ <cl...@genwax.com>.
use Apache::URI ();
$r->parsed_uri->scheme;

returns http or https

scotta@musiciansfriend.com wrote:

> I've got a section of our site where I want to force the user to
> connect via ssl.
> Inside of mod_perl, is there a parameter I can grab to see whether
> the connection is ssl or not?  Or a way to get the port number?
>
> I went through the archives last night and couldn't find anything
> near this.  Am I missing something way too obvious here? I checked
> the headers_in and nothing there would even hint that it's ssl.
>
> Scott

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/



Re: how to check for ssl.

Posted by Vivek Khera <kh...@kciLink.com>.
>>>>> "s" == scotta  <sc...@musiciansfriend.com> writes:

s> I've got a section of our site where I want to force the user to 
s> connect via ssl.
s> Inside of mod_perl, is there a parameter I can grab to see whether 
s> the connection is ssl or not?  Or a way to get the port number?

perldoc Apache

then scan for the word "port".  First line containing it is your
answer.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: khera@kciLink.com       Rockville, MD       +1-301-545-6996
GPG & MIME spoken here            http://www.khera.org/~vivek/