You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "sieger007@gmail.com" <si...@gmail.com> on 2009/11/02 02:30:36 UTC
[users@httpd] Apache on F11. ANY APPROACH ?excluding images pdfs etc from Https (
ssl ) routing
Hi Folks
- I am a squat on advanced Apache work. I would get a basic SSL
functionality to work.
So https://foobar.com works fine and gets me all the login windows I
designed. however currently all the images and other extensions like .pdf
are also using the https routing.
some image referred on that https link
e.g. https://foobar.com/loginhere.jpeg c
can be displayed using https but not http
I would like to JUST limit https usage to the login window html and ALL
other images pdf's not secured html ( one that do not need password ) should
use HTTP NOT HTTPS
What I cannot really find ( and Apache modules make a graduate course , as I
am realizing with all the futile digging in ) is HOW do I tell apache that
if you find an image file ( .jpeg or .pdf ) if it comes to https convert all
that into http .Has that something to do with rewrite or redirect modules .
- Another thing is that http : // foobar.login.html should redirect to
https : // foobar.login.html
however http : // foobar.login.html will not show up at all. How do I
achieve this .
Thanks again
Re: [users@httpd] Apache on F11. ANY APPROACH ?excluding images pdfs
etc from Https ( ssl ) routing
Posted by "sieger007@gmail.com" <si...@gmail.com>.
Yes .Probably not worth all the trouble if its going around catching my left
ear with the right hand.
On Mon, Nov 2, 2009 at 1:02 AM, Mark Watts <m....@eris.qinetiq.com> wrote:
> On Sun, 2009-11-01 at 17:30 -0800, sieger007@gmail.com wrote:
> > Hi Folks
> > * I am a squat on advanced Apache work. I would get a basic SSL
> > functionality to work.
> > So https://foobar.com works fine and gets me all the login windows I
> > designed. however currently all the images and other extensions
> > like .pdf are also using the https routing.
> > some image referred on that https link
> > e.g. https://foobar.com/loginhere.jpeg c
> > can be displayed using https but not http
>
> Don't do this.
>
> Either serve it all up through SSL or don't use SSL at all.
> Reason being, many browsers (particularly those from Redmond) will
> confuse the user with requests to load "insecure items" when they
> encounter <img src=http://example.com/foo.jpg> tags and suchlike.
>
> Mark.
>
> --
> Mark Watts BSc RHCE MBCS
> Senior Systems Engineer, Managed Services Manpower
> www.QinetiQ.com
> QinetiQ - Delivering customer-focused solutions
> GPG Key: http://www.linux-corner.info/mwatts.gpg
>
Re: [users@httpd] Apache on F11. ANY APPROACH ?excluding images
pdfs etc from Https ( ssl ) routing
Posted by Mark Watts <m....@eris.qinetiq.com>.
On Sun, 2009-11-01 at 17:30 -0800, sieger007@gmail.com wrote:
> Hi Folks
> * I am a squat on advanced Apache work. I would get a basic SSL
> functionality to work.
> So https://foobar.com works fine and gets me all the login windows I
> designed. however currently all the images and other extensions
> like .pdf are also using the https routing.
> some image referred on that https link
> e.g. https://foobar.com/loginhere.jpeg c
> can be displayed using https but not http
Don't do this.
Either serve it all up through SSL or don't use SSL at all.
Reason being, many browsers (particularly those from Redmond) will
confuse the user with requests to load "insecure items" when they
encounter <img src=http://example.com/foo.jpg> tags and suchlike.
Mark.
--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
Re: [users@httpd] Apache on F11. ANY APPROACH ?excluding images pdfs
etc from Https ( ssl ) routing
Posted by André Warnier <aw...@ice-sa.com>.
sieger007@gmail.com wrote:
> Hi Folks
>
> - I am a squat on advanced Apache work. I would get a basic SSL
> functionality to work.
>
> So https://foobar.com works fine and gets me all the login windows I
> designed. however currently all the images and other extensions like .pdf
> are also using the https routing.
> some image referred on that https link
> e.g. https://foobar.com/loginhere.jpeg c
> can be displayed using https but not http
> I would like to JUST limit https usage to the login window html and ALL
> other images pdf's not secured html ( one that do not need password ) should
> use HTTP NOT HTTPS
> What I cannot really find ( and Apache modules make a graduate course , as I
> am realizing with all the futile digging in ) is HOW do I tell apache that
> if you find an image file ( .jpeg or .pdf ) if it comes to https convert all
> that into http .Has that something to do with rewrite or redirect modules .
>
I think there is something basic which you should understand first :
Apache does not "decide" to send this or that via HTTPS.
Apache responds to a request from the browser. If the browser requests
an object with a https://.. URL, then Apache will respond that way. If
the browser requests an object using a http://... URL, then Apache will
respond that way.
In other words, you have to make sure, in the pages *you* send back to
the browser, that the links, from the browser point of view, evaluate to
"http://.." and not "https://..".
Let me give you a simplified example.
1) The browser initially requests a page from the server, using (e.g.) a
URL like
https://server.mycompany.com/login-page.html
That means that this browser is
a) setting up a https connection to "server.mycompany.com"
b) on that connection, sending a request for host
"server.mycompany.com" and page "/login-page.html"
2) the server sends back the page, on the same https connection.
(Note that the connection is the one initiated by the browser. The
server never initiates a connection to the browser. It just responds on
the same connection which the browser has set up).
3) in that page, are links like :
<img src="/images/myimage.gif">
4) the browser is going to "evaluate" these URLs, make them into "full"
URLs, and then send new requests for those objects to the server.
In this case, the browser see that the URL is missing a protocol and a
servername, so it will add them first.
What will it add ?
It will take the protocol and the servername from which this page
(login-page) has "arrived". In other words, *the browser* here will take
the URL "/images/myimage.gif", and add the protocol and the server, to give
"https://server.mycompany.com/images/myimage.gif", and then *the
browser* will requests this URL from the server.
5) the server gets this request and answers appropriately.
If, instead, the links to the images, in the page login-page.html, had
been like
<img src="http://myserver.company.com/images/myimage.gif">
then the browser would request this image on a non-https channel, and
the server would respond on that non-https channel.
In other words, what happens is basically your problem, not Apache's.
The above is the simple way.
There are other, less efficient ways.
You can arrange, at the server level, that when it receives a request
for "https://server.company.com/images/something", it would *send a
REDIRECT response* to the browser, telling the browser essentially :
hey, that's the wrong address for that thing, please use this one instead.
That is called a 301 response, and you can do that with mod_rewrite.
The browser, when it receives this message, will then automatically
initiate a *new connection* with the server, and re-request the same
object using the URL which the 301 Apache response contained.
But consider that it is always less efficient than sending the correct
link in the page in the first place, because you need a first request to
the server, a server response, then a new request from the browser to
the server before you get your image.
What Apache cannot do, at level (5) above, in the middle of the
conversation, is decide to change the protocol of the connection from
HTTPS to HTTP. That would break the existing connection. And how would
the browser know that it suddenly is going to receive a response on a
new connection, set up by the server ?
That is not how HTTP works.
And that is also why you do not find anything that replies to your
question in the Apache documentation or code : because, from a HTTP
protocol point of view, it does not make any sense, so it's just not there.
Yes ?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache on F11. ANY APPROACH ?excluding images pdfs
etc from Https ( ssl ) routing
Posted by "sieger007@gmail.com" <si...@gmail.com>.
Hi Folks
Thanks a lot
Can someone please point me to some examples of mod_rewrite where
images, pdf' and other non html files get re-directed to http instead of
https
I tried this :
more /etc/httpd/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{SERVER_PORT} 443
RewriteRule .*.(gif|GIF|jpg|JPG|JPEG|jpeg|png|PNG|PDF|pdf|DOC|doc|txt|TXT)$
http://$1 [PT]
</IfModule>
but https : // foobar.jpg is not redirected to http : // foobar.jpg
more /etc/httpd/conf/httpd.conf | grep -i "root"
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/etc/httpd" will be interpreted by the
# ServerRoot: The top of the directory tree under which the server's
ServerRoot "/etc/httpd"
# httpd as root initially and it will switch.
ServerAdmin root@localhost
# DocumentRoot: The directory out of which you will serve your
DocumentRoot "/var/www/html"
# This should be changed to whatever you set DocumentRoot to.
# CacheRoot "/var/cache/mod_proxy"
# DocumentRoot /www/docs/dummy-host.example.com
I know I am missing something here and all you folks who know mod_rewrite
out there have really graduated in apache.I created that .htaccess in the
Documentroot and server-root path both
So please tell me what am I missing
Thanks
Sam
2009/11/1 Iñigo Medina García <im...@grosshat.com>
> I would like to JUST limit https usage to the login window html and ALL
>> other images pdf's not secured html
>> ( one that do not need password ) should use HTTP NOT HTTPS
>> What I cannot really find ( and Apache modules make a graduate course , as
>> I am realizing with all the
>> futile digging in ) is HOW do I tell apache that if you find an image file
>> ( .jpeg or .pdf ) if it comes to
>> https convert all that into http .Has that something to do with rewrite or
>> redirect modules .
>>
>
> Yep. At least that is the way I do it, using rewrite.
>
> Once you start Apache as a secure server all the content is served through
> secure layer. With rewrite sentences you can override that.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Re: [users@httpd] Apache on F11. ANY APPROACH ?excluding images pdfs
etc from Https ( ssl ) routing
Posted by Iñigo Medina García <im...@grosshat.com>.
> I would like to JUST limit https usage to the login window html and ALL other images pdf's not secured html
> ( one that do not need password ) should use HTTP NOT HTTPS
> What I cannot really find ( and Apache modules make a graduate course , as I am realizing with all the
> futile digging in ) is HOW do I tell apache that if you find an image file ( .jpeg or .pdf ) if it comes to
> https convert all that into http .Has that something to do with rewrite or redirect modules .
Yep. At least that is the way I do it, using rewrite.
Once you start Apache as a secure server all the content is served through
secure layer. With rewrite sentences you can override that.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org