Posted to modperl@perl.apache.org by Joshua Gerth <jg...@ptdcs2.ra.intel.com> on 2000/12/27 20:06:43 UTC

http -> https for authentication

Howdy,

	So, I am running a mod_perl/mod_ssl enabled Apache web server.  
The home page (and several other unprotected pages) need to listen on both
the encrypted port 443 and non-encrypted port 80.  However, I would like
to force all authentication requests to go through the encrypted side so
the password is never passed in plain text.

	In the past I have done this by adding a mod_rewrite for each area
which I knew was protected.  Is there any way I can do this in a more
dynamic fashion? 

Thanks,
	Joshua


-----------------------------------------------------------------------
 Joshua M. Gerth                   You can tune a file system, 
 jgerth@ptdcs2.intel.com                 but you can't tune a fish.
 503.613.8070                   
 RA2.4.H13                          - man page for 'tunefs' on HPUX
 LTD North Design                 
-----------------------------------------------------------------------





Re: http -> https for authentication

Posted by Dan Riley <ds...@mail.lns.cornell.edu>.
Joshua Gerth <jg...@ptdcs2.ra.intel.com> writes:
> 	So, I am running a mod_perl/mod_ssl enabled Apache web server.  
> The home page (and several other unprotected pages) need to listen on both
> the encrypted port 443 and non-encrypted port 80.  However, I would like
> to force all authentication requests to go through the encrypted side so
> the password is never passed in plain text.

We do this via an old-fashioned 403 handler on the unencrypted side
that returns a 302 redirect to an https URL.  The vhost for the
encrypted side overrides the 403 handler with our standard handler.
-- 
Dan Riley                                         dsr@mail.lns.cornell.edu
Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
    "History teaches us that days like this are best spent in bed"

Re: http -> https for authentication

Posted by Ask Bjoern Hansen <as...@valueclick.com>.
On Wed, 27 Dec 2000, Stas Bekman wrote:

> You have a front-end/back-end setup, right? If so:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html

I use something like

RewriteCond   %{SERVER_PORT}  ^443$
RewriteRule   ^/appname(.*)      http://localhost:1234/appname?secure=1 [P,QSA,L]

and then the app can just look at the "secure" parameter.


 - ask

-- 
ask bjoern hansen - <http://ask.netcetera.dk/>
more than 70M impressions per day, <http://valueclick.com>


Re: http -> https for authentication

Posted by Joshua Gerth <jg...@ptdcs2.ra.intel.com>.
Hey Stas,

> > 	So, I am running a mod_perl/mod_ssl enabled Apache web server.  
> > The home page (and several other unprotected pages) need to listen on both
> > the encrypted port 443 and non-encrypted port 80.  However, I would like
> > to force all authentication requests to go through the encrypted side so
> > the password is never passed in plain text.
> > 
> > 	In the past I have done this by adding a mod_rewrite for each area
> > which I knew was protected.  Is there any way I can do this in a more
> > dynamic fashion? 
> 
> You have a front-end/back-end setup, right? If so:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html

Actually no, we had not yet set up the frontend/backend thing.  I was
more hoping we could do this with either a
	PerlTransHandler

or by adding logic to my Apache::Authen handler.  Any hope, or do we need
to go to the frontend/backend setup to do this?

Thanks,
	Joshua
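
One way to do this without a frontend/backend split, as an added example that is not code from anyone in this thread: a mod_perl 1.x access-phase handler that redirects any request needing authentication from the plain-text port to https. The package name My::ForceSSLAuth, the SSLPort variable and the httpd.conf wiring in the comments are assumptions.

```perl
package My::ForceSSLAuth;    # hypothetical module name

# Assumed httpd.conf wiring (mod_perl 1.x), not taken from the thread:
#   <Location />
#     PerlAccessHandler My::ForceSSLAuth
#     PerlSetVar SSLPort 443
#   </Location>

use strict;
use Apache::Constants qw(DECLINED REDIRECT);
use Apache::Util ();

sub handler {
    my $r = shift;

    # Only act on the client's own request, not on subrequests.
    return DECLINED unless $r->is_initial_req;

    # Already on the SSL listener: let the normal auth handlers run.
    my $ssl_port = $r->dir_config('SSLPort') || 443;
    return DECLINED if $r->get_server_port == $ssl_port;

    # True when a "require" directive applies to this URI.  Per-directory
    # configuration is merged only after URI translation, so this test
    # works in the access phase but not in a PerlTransHandler.
    return DECLINED unless $r->some_auth_required;

    # Build the target from the configured ServerName rather than the
    # client-supplied Host header.
    my $url = 'https://' . $r->server->server_hostname;
    $url .= ":$ssl_port" unless $ssl_port == 443;
    $url .= Apache::Util::escape_uri($r->uri);

    my $args = $r->args;    # scalar context: raw query string
    $url .= "?$args" if defined $args && length $args;

    # The access phase runs before authentication, so no 401 challenge
    # is ever issued on the plain-text port.
    $r->header_out(Location => $url);
    return REDIRECT;
}

1;
```

A browser that has already been challenged for the same realm over http may still send credentials unprompted, so the protected areas should never have answered with a 401 on port 80 before this handler is installed.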


Re: http -> https for authentication

Posted by Stas Bekman <st...@stason.org>.
On Wed, 27 Dec 2000, Joshua Gerth wrote:

> 
> Howdy,
> 
> 	So, I am running a mod_perl/mod_ssl enabled Apache web server.  
> The home page (and several other unprotected pages) need to listen on both
> the encrypted port 443 and non-encrypted port 80.  However, I would like
> to force all authentication requests to go through the encrypted side so
> the password is never passed in plain text.
> 
> 	In the past I have done this by adding a mod_rewrite for each area
> which I knew was protected.  Is there any way I can do this in a more
> dynamic fashion? 

You have a front-end/back-end setup, right? If so:
http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html


> 
> Thanks,
> 	Joshua
> 
> 
> -----------------------------------------------------------------------
>  Joshua M. Gerth                   You can tune a file system, 
>  jgerth@ptdcs2.intel.com                 but you can't tune a fish.
>  503.613.8070                   
>  RA2.4.H13                          - man page for 'tunefs' on HPUX
>  LTD North Design                 
> -----------------------------------------------------------------------
> 
> 
> 
> 



_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:stas@stason.org   http://apachetoday.com http://logilune.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/  



Re: http -> https for authentication

Posted by Michael <mi...@bizsystems.com>.
> 
> Howdy,
> 
>  So, I am running a mod_perl/mod_ssl enabled Apache web server.  The
> home page (and several other unprotected pages) need to listen on
> both the encrypted port 443 and non-encrypted port 80.  However, I
> would like to force all authentication requests to go through the
> encrypted side so the password is never passed in plain text.
> 
>  In the past I have done this by adding a mod_rewrite for each area
> which I knew was protected.  Is there any way I can do this in a
> more dynamic fashion? 
> 

Well... this may not be elegant, but I use a straightforward 
approach of using an include config file for the use that is 
identical for both port 80 and 443. The login.pl file on the port 80 
side simply redirects to https:URL passing a variable that indicates 
the original target to the real login script. After the login the 
script returns to the target as it would normally. This is pretty 
simple at least for me as nothing differs except the two login.pl 
scripts.
Michael@Insulin-Pumpers.org