Posted to users@httpd.apache.org by Sh...@ny.frb.org on 2003/12/16 18:55:14 UTC

[users@httpd] redirection, SSL, Internet Explorer

I wonder if somebody has faced a similar problem.

I need to redirect all unsecured connections (http) to a private section 
of our intranet to a secure connection (https). I am using 
RedirectPermanent directive to accomplish the redirection. The solution 
works fine with Mozilla Firebird. But it does not work with I.E. version 
5.50.

Using Mozilla Firebird, everything works fine:
1. user types http://hostname:88/privateArea in the location field
2. Mozilla presents user the certificate.
3. user accepts the certificate.
4. Mozilla prompts user for userid and password.
5. user enters valid userid and password.
6. as intended, request lands on https://hostname:444/privateArea  (this 
URL replaces unsecured URL in the location field of Mozilla)

Now, using I.E., if one types the same URL as above, this is what happens:
1. I.E. presents user the certificate.
2. user accepts the certificate.
3. I.E. prompts user for userid and password.
4. user enters valid userid and password.
5. I.E. responds with error page "Page cannot be displayed  ... Cannot find 
server or DNS Error" and the address field in I.E. is still 
http://hostname:88/privateArea
However, if the URL https://hostname:444/privateArea is typed directly 
into I.E., everything works fine: certificate is presented, user is 
prompted for userid/password and the intended page is shown.


Here are the relevant parts of my configuration (running apache 2.0.48 on 
Solaris 2.6):

httpd.conf file
...
Listen 88
Listen 8181
Include /path/to/ssl.conf
...
NameVirtualHost xxx.xxx.xxx:88
NameVirtualHost xxx.xxx.xxx:8181
<VirtualHost xxx.xxx.xxx:88>
      ServerName hostname:88
      DocumentRoot "/path/to/intranetDocumentRoot"
      ...
      <Directory "/path/to/intranetPrivateArea">
              Options FollowSymLinks IncludesNOEXEC Indexes Multiviews
      </Directory>
      Alias /privateArea "/path/to/intranetPrivateArea"
      RedirectPermanent /privateArea https://hostname:444/privateArea
</VirtualHost>
<VirtualHost xxx.xxx.xxx:8181>
      ServerName otherWebSite:8181
      DocumentRoot "/path/to/otherWebSite/documentRoot"
      ...
</VirtualHost>


ssl.conf file
...
Listen 444
...
<VirtualHost _default_:444>
      ServerName hostname:444
      DocumentRoot "/path/to/intranetDocumentRoot"
      SSLEngine on
      ...
      <Directory "/path/to/intranetPrivateArea">
              Options FollowSymLinks IncludesNOEXEC Indexes Multiviews
              Order Deny,Allow
              Allow from all
              AuthType Basic
              AuthName "Intranet Private Area"
              AuthUserFile "/path/to/password/file"
              Require valid-user
      </Directory>
      Alias /privateArea "/path/to/intranetPrivateArea"
</VirtualHost>

---------------------------------------------------------------------------------------------

Shen C. Yang

Information Technology Specialist
Federal Reserve Bank of New York - www.newyorkfed.org
Tel: (212) 720 2857
e-mail: shen.yang@ny.frb.org

Any comments or statements made in this transmission reflect the views of 
the sender and are not necessarily the views of the Federal Reserve Bank 
of New York.

Re: [users@httpd] redirection, SSL, Internet Explorer

Posted by Robert Andersson <ro...@profundis.nu>.
 [plain text, please...]

Shen.Yang@ny.frb.org wrote:
> Using Mozilla Firebird, everything works fine:
> 1. user types http://hostname:88/privateArea in the location field
> 2. Mozilla presents user the certificate.
> 3. user accepts the certificate.
> 4. Mozilla prompts user for userid and password.
> 5. user enters valid userid and password.
> 6. as intended, request lands on https://hostname:444/privateArea  (this
> URL replaces unsecured URL in the location field of Mozilla)

Perhaps, or perhaps not, related to your problem, but you should redirect to
the secure host before authenticating the user (prompt for credentials).
Assuming you use Basic Authentication, over plain HTTP passwords travel in
plain text, which is one of the primary reasons to do it over HTTPS so they
get encrypted.

Regards.
Robert Andersson
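An added check, not part of the thread, that turns Robert's advice into something you can verify: given the raw response the plain-HTTP vhost returns for http://hostname:88/privateArea, confirm it redirects to https on port 444 before any Basic challenge is issued. The sample responses below are constructed; the host, ports and path follow the thread.

```python
"""Verify that a plain-HTTP endpoint redirects to HTTPS before any
Basic-auth challenge (added example; sample responses are constructed)."""
from urllib.parse import urlsplit

# Constructed: what the :88 vhost should answer for /privateArea.
GOOD_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://hostname:444/privateArea\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed: the unsafe ordering, a challenge sent over plaintext.
BAD_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Intranet Private Area"\r\n'
    "Content-Type: text/html\r\n\r\n"
)

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_plain_http_redirect(raw, expected_path, expected_port=443):
    """Return (ok, reason). ok only if the plaintext endpoint redirects to
    https on expected_port, keeps the path, and never asks for credentials."""
    status, headers = parse_response(raw)
    if "www-authenticate" in headers:
        return False, "auth challenge over plain HTTP: credentials would be sent unencrypted"
    if status not in REDIRECT_CODES:
        return False, f"expected a redirect, got {status}"
    loc = urlsplit(headers.get("location", ""))
    if loc.scheme != "https":
        return False, f"redirect target is not https: {loc.geturl()!r}"
    if (loc.port or 443) != expected_port:
        return False, f"redirect goes to port {loc.port or 443}, expected {expected_port}"
    if loc.path != expected_path:
        return False, f"redirect dropped the path: {loc.path!r}"
    return True, "redirects to https before any authentication"
```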

