Posted to user@lenya.apache.org by "Linczak, Jonathan W." <Li...@hiram.edu> on 2005/01/20 21:55:00 UTC

SSL and Lenya - still a no-go

Hi guys,

I've been reading over the documentation in the HowtoModProxy doc, and I have to admit that it isn't very clear, nor straightforward.  So, I come here in the hopes someone can look at my thought process and see where I am screwing up, because I can't seem to get Lenya to realize that a page has been marked as SSL Encrypted and redirect appropriately.

Here's a general example:

My authoring site is at http://www.company.com:8080/lenya/ (yes, it is *not* being mod-proxied).

My live website is at http://www.company.com/ (yes, there's no /lenya afterwards - which means the session cookie is not right, I know).

My publication for which I am publishing is the "default" publication.

Steps to get SSL working:

1.  Edit pubs/default/config/publication.xconf to add the following 2 lines (remember, authoring server is not being mod-proxied):

<proxy area="live" ssl="true" url="https://www.company.com/"/>
<proxy area="live" ssl="false" url="http://www.company.com/"/>

2.  Go to one of my pages in the default publication, click on the Site tab, then on the AC Live tab, and check the box that says SSL Encryption.  The box should be checked automatically for all descendant documents.

3.  Just for the heck of it (I don't know if I need it or not), I restart Lenya.

4.  I create the following two virtualhost entries in Apache's configuration file:

NameVirtualHost 999.999.999.999:80

<VirtualHost 999.999.999.999:80>
  ServerName www.company.com

  CustomLog logs/www_access_log combined
  ErrorLog log/www_error_log

  ProxyRequests Off
  RewriteEngine On
  RewriteLog "/path/to/logs/www.company.com.log"
  RewriteLogLevel 1

  # Serve static images and CSS
  RewriteRule ^/images/?(.*) $0 [L]
  RewriteRule ^/css/?(.*) $0 [L]

  # Rewrite URLs for default pub
  RewriteRule ^/$ /index.html [R]
  RewriteRule ^/lenya/default/live/(.*)$ /$1 [R,L]
  RewriteRule ^/(.*) http://www.company.com:8080/lenya/default/live/$1 [P]

  ProxyPassReverse / http://www.company.com:8080/
</VirtualHost>

<VirtualHost 999.999.999.999:443>
  ServerName www.company.com

  ErrorLog log/www-ssl_error_log

  # Some SSL directives here
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateFile /path/to/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /path/to/conf/ssl.key/server.key

  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>

  <Directory "/path/to/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>

  SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0

  CustomLog logs/www-ssl_access_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  # End SSL directives

  ProxyRequests Off
  RewriteEngine On
  RewriteLog "/path/to/logs/www-ssl.company.com.log"
  RewriteLogLevel 1

  # Serve static images and CSS
  RewriteRule ^/images/?(.*) $0 [L]
  RewriteRule ^/css/?(.*) $0 [L]

  # Rewrite URLs for default pub
  RewriteRule ^/$ /index.html [R]
  RewriteRule ^/lenya/default/live/(.*)$ /$1 [R,L]
  RewriteRule ^/(.*) http://www.company.com:8080/lenya/default/live/$1 [P]

  ProxyPassReverse / http://www.company.com:8080/
</VirtualHost>

5.  I restart Apache, and everything comes up ok.  For a test, I go to https://www.company.com/ and lo and behold, I get an SSL encrypted page just fine.

6.  I go back to http://www.company.com/ and browse to the page I marked in step 2 as SSL encrypted.  The page should, but does not redirect to an SSL encrypted page.  I instead get the page unencrypted.


Ok, all, so what's up?  This seems to follow closely to the documentation, but I can't seem to get it to work.  I would have thought maybe I would get an error or something, but it seems it completely ignores it.  Can someone enlighten me?

Jon

Re: SSL and Lenya - still a no-go

Posted by Jochen Seifarth <Jo...@web.de>.
Gregor J. Rothfuss <gregor <at> apache.org> writes:

> 
> Linczak, Jonathan W. wrote:
> 
> > 6.  I go back to http://www.company.com/ and browse to the page I marked in step 2 as SSL encrypted.  The page should, but does not redirect to an SSL encrypted page.  I instead get the page unencrypted.
> 
> you performed all the steps correctly.
> 
> this is actually a shortcoming of the current implementation. lenya does 
> not check the referer to determine how the request came in. one way to 
> tackle this is to put secure pages on a different subdomain:
> 
> <proxy area="live" ssl="true" url="https://secure.company.com/"/>
> <proxy area="live" ssl="false" url="http://www.company.com/"/>
> 
> longer-term, we need a better solution for this.
> 

.....if you are really desperate and want to use the same sub-domain you could
use mod_proxy_html to re-write those http:// links to https:// I guess...
see http://apache.webthing.com/mod_proxy_html/

But beware there are a few catches, e.g. you lose the DOCTYPE and have to set it
with the "ProxyHTMLDoctype HTML", etc.. In short the config would be something
like the below in addition to what you already have for your SSL server:

        LoadFile   /usr/lib/libxml2.so.2
        
        SetOutputFilter proxy-html
        ProxyHTMLDoctype HTML
        ProxyHTMLExtended On
        ProxyHTMLMeta On
        
        ProxyHTMLURLMap http://www.company.com/ https://www.company.com/
(add some regexps or wildcards to catch all links)

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org


Re: SSL and Lenya - still a no-go

Posted by "Gregor J. Rothfuss" <gr...@apache.org>.
Linczak, Jonathan W. wrote:

> 6.  I go back to http://www.company.com/ and browse to the page I marked in step 2 as SSL encrypted.  The page should, but does not redirect to an SSL encrypted page.  I instead get the page unencrypted.

you performed all the steps correctly.

this is actually a shortcoming of the current implementation. lenya does 
not check the referer to determine how the request came in. one way to 
tackle this is to put secure pages on a different subdomain:

<proxy area="live" ssl="true" url="https://secure.company.com/"/>
<proxy area="live" ssl="false" url="http://www.company.com/"/>

longer-term, we need a better solution for this.

-- 
Gregor J. Rothfuss
COO, Wyona       Content Management Solutions    http://wyona.com
Apache Lenya                              http://lenya.apache.org
gregor.rothfuss@wyona.com                       gregor@apache.org
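
The separate-subdomain workaround from the reply above, sketched as Apache configuration. This is an added example, not part of the original thread or the Lenya documentation: the host name secure.company.com and the two proxy entries come from the reply, while the certificate paths, the cipher string and the port-80 redirect vhost are assumptions modelled on the configuration posted earlier in the thread.

```apache
# Added example (not from the thread). Assumes mod_ssl, mod_rewrite,
# mod_proxy and mod_alias are loaded, and that publication.xconf carries
# the two entries from the reply:
#   <proxy area="live" ssl="true"  url="https://secure.company.com/"/>
#   <proxy area="live" ssl="false" url="http://www.company.com/"/>

# Plain-HTTP requests for the secure host are never proxied to Lenya;
# they are redirected to the HTTPS vhost, so this name is only ever
# served over SSL regardless of how the request came in.
<VirtualHost 999.999.999.999:80>
  ServerName secure.company.com
  Redirect permanent / https://secure.company.com/
</VirtualHost>

# On the same IP as the www SSL vhost this needs SNI (Apache 2.2.12 or
# later) or a certificate covering both names; otherwise use its own IP.
<VirtualHost 999.999.999.999:443>
  ServerName secure.company.com

  SSLEngine on
  # Example choice: omits the LOW and EXP suites that the
  # SSLCipherSuite string earlier in the thread enables.
  SSLCipherSuite HIGH:!aNULL:!MD5
  # Hypothetical certificate and key paths for the secure host.
  SSLCertificateFile /path/to/conf/ssl.crt/secure.crt
  SSLCertificateKeyFile /path/to/conf/ssl.key/secure.key

  ProxyRequests Off
  RewriteEngine On

  # Same mapping as the www vhosts: strip the Lenya prefix from
  # redirects, then proxy everything to the live area on port 8080.
  RewriteRule ^/$ /index.html [R]
  RewriteRule ^/lenya/default/live/(.*)$ /$1 [R,L]
  RewriteRule ^/(.*) http://www.company.com:8080/lenya/default/live/$1 [P]

  ProxyPassReverse / http://www.company.com:8080/
</VirtualHost>
```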
