Posted to user@lenya.apache.org by "Linczak, Jonathan W." <Li...@hiram.edu> on 2005/01/20 21:55:00 UTC
SSL and Lenya - still a no-go
Hi guys,
I've been reading over the documentation in the HowtoModProxy doc, and I have to admit that it isn't very clear, nor straightforward. So, I come here in the hopes someone can look at my thought process and see where I am screwing up, because I can't seem to get Lenya to realize that a page has been marked as SSL Encrypted and redirect appropriately.
Here's a general example:
My authoring site is at http://www.company.com:8080/lenya/ (yes, it is *not* being mod-proxied).
My live website is at http://www.company.com/ (yes, there's no /lenya afterwards - which means the session cookie is not right, I know).
My publication for which I am publishing is the "default" publication.
Steps to get SSL working:
1. Edit pubs/default/config/publication.xconf to add the following 2 lines (remember, authoring server is not being mod-proxied):
<proxy area="live" ssl="true" url="https://www.company.com/"/>
<proxy area="live" ssl="false" url="http://www.company.com/"/>
2. Go to one of my pages in the default publication, click on the Site tab, then on the AC Live tab, and check the box that says SSL Encryption. The box should be checked automatically for all descendant documents.
3. Just for the heck of it (I don't know if I need it or not), I restart Lenya.
4. I create the following two virtualhost entries in Apache's configuration file:
NameVirtualHost 999.999.999.999:80
<VirtualHost 999.999.999.999:80>
ServerName www.company.com
CustomLog logs/www_access_log combined
ErrorLog log/www_error_log
ProxyRequests Off
RewriteEngine On
RewriteLog "/path/to/logs/www.company.com.log"
RewriteLogLevel 1
# Serve static images and CSS
RewriteRule ^/images/?(.*) $0 [L]
RewriteRule ^/css/?(.*) $0 [L]
# Rewrite URLs for default pub
RewriteRule ^/$ /index.html [R]
RewriteRule ^/lenya/default/live/(.*)$ /$1 [R,L]
RewriteRule ^/(.*) http://www.company.com:8080/lenya/default/live/$1 [P]
ProxyPassReverse / http://www.company.com:8080/
</VirtualHost>
<VirtualHost 999.999.999.999:443>
ServerName www.company.com
ErrorLog log/www-ssl_error_log
# Some SSL directives here
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /path/to/conf/ssl.crt/server.crt
SSLCertificateKeyFile /path/to/conf/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/path/to/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/www-ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# End SSL directives
ProxyRequests Off
RewriteEngine On
RewriteLog "/path/to/logs/www-ssl.company.com.log"
RewriteLogLevel 1
# Serve static images and CSS
RewriteRule ^/images/?(.*) $0 [L]
RewriteRule ^/css/?(.*) $0 [L]
# Rewrite URLs for default pub
RewriteRule ^/$ /index.html [R]
RewriteRule ^/lenya/default/live/(.*)$ /$1 [R,L]
RewriteRule ^/(.*) http://www.company.com:8080/lenya/default/live/$1 [P]
ProxyPassReverse / http://www.company.com:8080/
</VirtualHost>
5. I restart Apache, and everything comes up ok. For a test, I go to https://www.company.com/ and lo and behold, I get an SSL encrypted page just fine.
6. I go back to http://www.company.com/ and browse to the page I marked in step 2 as SSL encrypted. The page should, but does not redirect to an SSL encrypted page. I instead get the page unencrypted.
Ok, all, so what's up? This seems to follow closely to the documentation, but I can't seem to get it to work. I would have thought maybe I would get an error or something, but it seems it completely ignores it. Can someone enlighten me?
Jon
Re: SSL and Lenya - still a no-go
Posted by Jochen Seifarth <Jo...@web.de>.
Gregor J. Rothfuss <gregor <at> apache.org> writes:
>
> Linczak, Jonathan W. wrote:
>
> > 6. I go back to http://www.company.com/ and browse to the page I marked in step 2 as SSL encrypted. The page should, but does not redirect to an SSL encrypted page. I instead get the page unencrypted.
>
> you performed all the steps correctly.
>
> this is actually a shortcoming of the current implementation. lenya does
> not check the referer to determine how the request came in. one way to
> tackle this is to put secure pages on a different subdomain:
>
> <proxy area="live" ssl="true" url="https://secure.company.com/"/>
> <proxy area="live" ssl="false" url="http://www.company.com/"/>
>
> longer-term, we need a better solution for this.
>
.....if you are really desperate and want to use the same sub-domain you could
use mod_proxy_html to re-write those http:// links to https:// I guess...
see http://apache.webthing.com/mod_proxy_html/
But beware there are a few catches, e.g. you lose the DOCTYPE and have to set it
with the "ProxyHTMLDoctype HTML", etc.. In short the config would be something
like the below in addition to what you already have for your SSL server:
LoadFile /usr/lib/libxml2.so.2
SetOutputFilter proxy-html
ProxyHTMLDoctype HTML
ProxyHTMLExtended On
ProxyHTMLMeta On
ProxyHTMLURLMap http://www.company.com/ https://www.company.com/
(add some regexps or wildcards to catch all links)
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org
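An added example (not part of the posts above, and not code from Lenya or mod_proxy_html): a Python check that scans the HTML returned through the SSL virtual host for absolute http:// links to the site's own host, that is, links the ProxyHTMLURLMap rule in the message above was meant to rewrite. The class and function names and the sample page are constructed for illustration; a URL on the backend port 8080 is reported as well, since it has the same host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "www.company.com"  # host from the thread's ProxyHTMLURLMap line
URL_ATTRS = {"href", "src", "action", "background", "cite", "longdesc"}
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)

class PlainLinkFinder(HTMLParser):
    """Collect absolute http:// URLs that still point at the site's own host."""

    def __init__(self, host=SITE_HOST):
        super().__init__(convert_charrefs=True)
        self.host = host.lower()
        self.findings = []  # (line, tag, attribute, url)

    def _check(self, tag, attr, url):
        url = url.strip()
        parts = urlsplit(url)
        # urlsplit lower-cases scheme and hostname, so HTTP://WWW... is caught too.
        if parts.scheme == "http" and parts.hostname == self.host:
            self.findings.append((self.getpos()[0], tag, attr, url))

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        for name in sorted(URL_ATTRS.intersection(attrs)):
            self._check(tag, name, attrs[name])
        # A meta refresh sends the browser to its target just like a link does.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            match = REFRESH_URL.search(attrs.get("content", ""))
            if match:
                self._check(tag, "content", match.group(1))

def find_plain_links(html, host=SITE_HOST):
    """Return (line, tag, attribute, url) for each link left on plain HTTP."""
    finder = PlainLinkFinder(host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of a page as returned through the SSL virtual host.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://www.company.com/login.html">
</head><body>
<a href="https://www.company.com/account.html">already rewritten</a>
<a href="HTTP://WWW.COMPANY.COM/contact.html">upper-case variant</a>
<form action="http://www.company.com/search"><input name="q"></form>
<img src="http://images.example.org/logo.png">
</body></html>"""
```

Calling find_plain_links() on each page fetched over https:// gives the list of links that would still take a visitor back to the unencrypted site.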
Re: SSL and Lenya - still a no-go
Posted by "Gregor J. Rothfuss" <gr...@apache.org>.
Linczak, Jonathan W. wrote:
> 6. I go back to http://www.company.com/ and browse to the page I marked in step 2 as SSL encrypted. The page should, but does not redirect to an SSL encrypted page. I instead get the page unencrypted.
you performed all the steps correctly.
this is actually a shortcoming of the current implementation. lenya does
not check the referer to determine how the request came in. one way to
tackle this is to put secure pages on a different subdomain:
<proxy area="live" ssl="true" url="https://secure.company.com/"/>
<proxy area="live" ssl="false" url="http://www.company.com/"/>
longer-term, we need a better solution for this.
--
Gregor J. Rothfuss
COO, Wyona Content Management Solutions http://wyona.com
Apache Lenya http://lenya.apache.org
gregor.rothfuss@wyona.com gregor@apache.org