Posted to users@httpd.apache.org by Minnesota Slinky <mn...@gmail.com> on 2005/07/02 19:53:05 UTC

[users@httpd] SSL and redirects...

Hello List,

I just joined, as I've had little need for assistance because my web  
servers have always been relatively vanilla in configuration.

Today, I'm trying to get SSL setup on my apache2 web server.  This  
has gone extremely well.  The hard part for me is forcing people to  
use a website in the SSL mode, rather than just plain old text.   
There are a few problems.  The people using this site are not going to  
remember to enter https:// when they type the site name.  Also, this  
particular site is based almost entirely on phpBB, which has many  
references to the full website address, including the http:// at the  
beginning.

Here's what I need from you:

1) I have determined that the best way to combat this is through the  
rewrite engine.  I currently have the following as part of that  
virtual host:

         ReWriteEngine On
         ReWriteRule ^/(.*) https://www.mysite.com$1 [R,L]

This works fairly well, unless the link within phpBB contains the  
full http://i-want-to-go-here.com/mypage/here.html  What gives?  The  
documentation was not easy for me to understand, so my rule is  
probably pretty bad.  I'm guessing there is some way to filter this  
based on the ReWriteCond HTTPS=off or something.  Help please?

2) Windows and Internet Explorer seem to continuously give errors  
about only some parts of the page being secure, etc.  I'm assuming  
this error will go away as soon as you folks help me correct my  
syntax in the above statement.

Thanks GREATLY in advance.


_______________________________________________________
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL and redirects...

Posted by Joshua Slive <js...@gmail.com>.
On 7/2/05, Minnesota Slinky <mn...@gmail.com> wrote:
> 1) I have determined that the best way to combat this is through the
> rewrite engine.  I currently have the following as part of that
> virtual host:
> 
>          ReWriteEngine On
>          ReWriteRule ^/(.*) https://www.mysite.com$1 [R,L]
> 
> This works fairly well, unless the link within phpBB contains the
> full http://i-want-to-go-here.com/mypage/here.html  What gives?  The
> documentation was not easy for me to understand, so my rule is
> probably pretty bad.  I'm guessing there is some way to filter this
> based on the ReWriteCond HTTPS=off or something.  Help please?

This doesn't even need mod_rewrite.  All you need is to have a port-80
virtual host that catches all the non-ssl requests and put
Redirect / https://www.mysite.com/
inside that <VirtualHost> section.

> 2) Windows and Internet Explorer seem to continuously give errors
> about only some parts of the page being secure, etc.  I'm assuming
> this error will go away as soon as you folks help me correct my
> syntax in the above statement.

Unlikely.  If the page contains references to insecure items
(http://...), then the browser will probably complain regardless of
whether or not those items wind up getting redirected to secure
locations.  Actually, it *must* complain, because the insecure initial
request could easily be intercepted and redirected by an attacker,
which means the whole page winds up being insecure.

Joshua.
