Posted to user@lenya.apache.org by Jonathan Linczak <li...@hiram.edu> on 2005/07/05 20:00:45 UTC

Problem with authoring mod_proxy setup

Hi all,

I'm having a bit of a problem with a mod_proxy setup on my authoring 
environment (I know, I know, didn't I write an article about this 
stuff??) and I was hoping someone could check it out for me.  I 
followed all the documentation and I can't seem to get it to work.  
Last time I mentioned this it was because of an inherent problem with 
hard-coding the lenya directory somewhere, but I'm curious to hear if 
this was fixed.

Anyway, splitting up authoring environment on one server, live on 
another.  Would like http://lenya.company.com/ on authoring server, 
http://www.company.com/ on live server.  Here's my Apache setup for 
authoring (values changed to protect the innocent):

<VirtualHost 999.999.999.99:80>
   ServerName lenya.company.com
   ServerAlias lenya

   # All content should be served by Jetty (i.e. Lenya) as this is the
   # Authoring environment
   ProxyRequests Off
   RewriteEngine On

   RewriteLog logs/lenya.company.com.rewrite.log
   RewriteLogLevel 0

   RewriteRule  ^/([^/\.]+)$  $1/  [R]
   RewriteRule  ^/([^/\.]+)/$  http://lenya.company.com/$1/authoring/index.html  [R,L]

   # Should there be a usecase login, then we redirect the user to the SSL
   # portion of the authoring site
   RewriteCond  %{QUERY_STRING} lenya\.usecase=login(.*)
   RewriteRule  ^/(.*)  https://%{SERVER_NAME}/$1  [R,L]

   # This takes care of all pages
   RewriteRule  ^/(.*)  http://lenya.company.com:8080/$1  [P,L]

   ProxyPassReverse  /  http://lenya.company.com:8080/
</VirtualHost>

<VirtualHost 999.999.999.999:443>
   ServerName lenya.company.com
   ServerAlias lenya

   # SSL settings to go here
   # ..
   #

   ProxyRequests Off
   RewriteEngine On

   RewriteRule  ^/([^/\.]+)$  $1/  [R]
   RewriteRule  ^/([^/\.]+)/$  http://lenya.company.com/$1/authoring/index.html  [R,L]

   RewriteRule  ^/(.*)  http://%{SERVER_NAME}:8080/$1  [P,L]

   ProxyPassReverse  /  http://lenya.company.com:8080/
</VirtualHost>


This is pretty much spot-on to the documentation found here: 
http://lenya.apache.org/1_2_x/components/deployment/proxying.html.  I 
then setup my publication.xconf file thusly:

   <proxy area="live" ssl="true" url="https://www.company.com/pub-name"/>
   <proxy area="live" ssl="false" url="http://www.company.com/pub-name"/>
   <proxy area="authoring" ssl="true" 
url="https://lenya.company.com/pub-name/authoring"/>
   <proxy area="authoring" ssl="false" 
url="http://lenya.company.com/pub-name/authoring"/>

So, I go to lenya.company.com and loads up great.  I try to login to a 
publication and it switches over to SSL.  Sweet.  It's the after-login 
part that has me stumped.  It continues to stay in SSL, even though it 
should be reverting back to non-SSL.  Anyone have any ideas as to why 
this is happening?  Is that bug I mentioned rearing its ugly head?  
Thanks for any help you can pass along.

Jon


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@lenya.apache.org
For additional commands, e-mail: user-help@lenya.apache.org


Re: Problem with authoring mod_proxy setup

Posted by Jann Forrer <ja...@id.unizh.ch>.
On Tue, 12 Jul 2005, Jonathan Linczak wrote:

> On Jul 12, 2005, at 11:42 AM, Jann Forrer wrote:
>
> > On Tue, 5 Jul 2005, Jonathan Linczak wrote:
> >

[ ... ]
> >
> > We did define our proxy settings in publication.xconf as e.g.
> >
> > <proxy url="http://lenya.company.com/lenya/publicationName/authoring"
> > ssl="false" area="authoring"/>
> >
> > In that case you will have http links in your authoring area and as soon
> > as you use such a link you will switch back to http. However, this will only
> > partially solve your problem because if you switch to the site or admin
> > area direct after login you will still use https.
> > A proper solution would be to define a RewriteRule in the apache
> > configuration (VirtualHost :443) which redirects you to http.
>
> Hi Jann,
>
> Thanks for the reply.  I'm a bit confused - it sounds like you are
> saying to remove the entry for SSL in the authoring environment in my
> publication.xconf.  So would that mean my configuration would now just
> look like this?:
>
> <proxy area="live" ssl="true" url="https://www.company.com/pub-name"/>
> <proxy area="live" ssl="false" url="http://www.company.com/pub-name"/>
> <proxy area="authoring" ssl="false"
> url="http://lenya.company.com/pub-name/authoring"/>
>

Sorry for the confusing answer. But certainly you should also have a
proxy defined for authoring and ssl like:
 <proxy area="live" ssl="true" url="https://www.company.com/pub-name"/>
 <proxy area="live" ssl="false" url="http://www.company.com/pub-name"/>
 <proxy area="authoring" ssl="false" url="http://lenya.company.com/pub-name/authoring"/>
 <proxy area="authoring" ssl="true" url="https://lenya.company.com/pub-name/authoring"/>

In that case you will have https URLs only if you define your node as
SSL encrypted in the AC_Auth tab; all other URLs will use http. That
simply means that the switch to http happens as soon as you click on a
non-SSL-encrypted node (URL).

> If so, I did this, restarted Lenya, and there's no change.

I did not understand that. Do you mean that all URLs in your authoring area
have the https prefix?

> It seems
> your example is based off Tomcat since you have the /lenya/ directory
> included.  We switched over to Jetty and are running out of the root
> context in Jetty.  I remember something about Lenya having the /lenya/
> directory hard-coded someplace so that Jetty couldn't work in this
> situation.  As a matter of fact, I wrote about it in one of my
> articles.  Is this still the case?
>

As far as I know, yes.

>
> Also, I'm a bit confused on the RewriteRule to redirect back to HTTP.
> In the rule for port 443, I have:
>
I have no RewriteRule to switch back to http in the :443 configuration yet. As
I mentioned above, I did not care about that because it should happen if
you go to a non-SSL-encrypted page (unless you directly go to the admin or
site area).
BTW you can check that behaviour on

http://cms.unizh.ch/sandbox

After login you will stay on https but if you click e.g. on "Studium" you
will be switched to http.

Probably all is even more confusing after this explanation ;-)

[ ... ]

Jann



Re: Problem with authoring mod_proxy setup

Posted by Jonathan Linczak <li...@hiram.edu>.
On Jul 12, 2005, at 11:42 AM, Jann Forrer wrote:

> On Tue, 5 Jul 2005, Jonathan Linczak wrote:
>
>> Hi all,
>>
>> I'm having a bit of a problem with a mod_proxy setup on my authoring
>> environment (I know, I know, didn't I write an article about this
>> stuff??) and I was hoping someone could check it out for me.  I
>> followed all the documentation and I can't seem to get it to work.
>> Last time I mentioned this it was because of an inherent problem with
>> hard-coding the lenya directory somewhere, but I'm curious to hear if
>> this was fixed.
>>
>> Anyway, splitting up authoring environment on one server, live on
>> another.  Would like http://lenya.company.com/ on authoring server,
>> http://www.company.com/ on live server.  Here's my Apache setup for
>> authoring (values changed to protect the innocent):
>>
>
> [ ... ]
>
>>
>> So, I go to lenya.company.com and loads up great.  I try to login to a
>> publication and it switches over to SSL.  Sweet.  It's the after-login
>> part that has me stumped.  It continues to stay in SSL, even though it
>> should be reverting back to non-SSL.  Anyone have any ideas as to why
>> this is happening?  Is that bug I mentioned rearing its ugly head?
>> Thanks for any help you can pass along.
>>
>
> The response is a little bit late but I was on holiday for one week :-)
>
> We did define our proxy settings in publication.xconf as e.g.
>
> <proxy url="http://lenya.company.com/lenya/publicationName/authoring"
> ssl="false" area="authoring"/>
>
> In that case you will have http links in your authoring area and as soon
> as you use such a link you will switch back to http. However, this will only
> partially solve your problem because if you switch to the site or admin
> area direct after login you will still use https.
> A proper solution would be to define a RewriteRule in the apache
> configuration (VirtualHost :443) which redirects you to http.

Hi Jann,

Thanks for the reply.  I'm a bit confused - it sounds like you are 
saying to remove the entry for SSL in the authoring environment in my 
publication.xconf.  So would that mean my configuration would now just 
look like this?:

<proxy area="live" ssl="true" url="https://www.company.com/pub-name"/>
<proxy area="live" ssl="false" url="http://www.company.com/pub-name"/>
<proxy area="authoring" ssl="false" 
url="http://lenya.company.com/pub-name/authoring"/>

If so, I did this, restarted Lenya, and there's no change.  It seems 
your example is based off Tomcat since you have the /lenya/ directory 
included.  We switched over to Jetty and are running out of the root 
context in Jetty.  I remember something about Lenya having the /lenya/ 
directory hard-coded someplace so that Jetty couldn't work in this 
situation.  As a matter of fact, I wrote about it in one of my 
articles.  Is this still the case?

Also, I'm a bit confused on the RewriteRule to redirect back to HTTP.  
In the rule for port 443, I have:

<VirtualHost 999.999.999.999:443>
   ServerName lenya.company.com
   ServerAlias lenya

   # SSL settings to go here
   # ..
   #

   ProxyRequests Off
   RewriteEngine On

   RewriteRule  ^/([^/\.]+)$  $1/  [R]
   RewriteRule  ^/([^/\.]+)/$  http://lenya.company.com/$1/authoring/index.html  [R,L]

   RewriteRule  ^/(.*)  http://%{SERVER_NAME}:8080/$1  [P,L]

   ProxyPassReverse  /  http://lenya.company.com:8080/
</VirtualHost>

In the config for port 80, I check for a login usecase and forward to 
SSL.  My SSL config above seems to be saying that whatever URL I am 
accessing, it should rewrite to HTTP anyway.  So come to think of it, 
I'm confused because if I rewrite all my links in port 443 to HTTP, how 
is that my login stays in SSL?  Perhaps I'm missing something 
fundamental here.  What would you use as a redirect to non-SSL and can 
you explain a little bit why the above allows me to login in SSL when I 
am rewriting my URLs to HTTP?

Jon




Re: Problem with authoring mod_proxy setup

Posted by Jann Forrer <ja...@id.unizh.ch>.
On Tue, 5 Jul 2005, Jonathan Linczak wrote:

> Hi all,
>
> I'm having a bit of a problem with a mod_proxy setup on my authoring
> environment (I know, I know, didn't I write an article about this
> stuff??) and I was hoping someone could check it out for me.  I
> followed all the documentation and I can't seem to get it to work.
> Last time I mentioned this it was because of an inherent problem with
> hard-coding the lenya directory somewhere, but I'm curious to hear if
> this was fixed.
>
> Anyway, splitting up authoring environment on one server, live on
> another.  Would like http://lenya.company.com/ on authoring server,
> http://www.company.com/ on live server.  Here's my Apache setup for
> authoring (values changed to protect the innocent):
>

[ ... ]

>
> So, I go to lenya.company.com and loads up great.  I try to login to a
> publication and it switches over to SSL.  Sweet.  It's the after-login
> part that has me stumped.  It continues to stay in SSL, even though it
> should be reverting back to non-SSL.  Anyone have any ideas as to why
> this is happening?  Is that bug I mentioned rearing its ugly head?
> Thanks for any help you can pass along.
>

The response is a little bit late but I was on holiday for one week :-)

We did define our proxy settings in publication.xconf as e.g.

<proxy url="http://lenya.company.com/lenya/publicationName/authoring"
ssl="false" area="authoring"/>

In that case you will have http links in your authoring area and as soon
as you use such a link you will switch back to http. However, this will only
partially solve your problem because if you switch to the site or admin
area direct after login you will still use https.
A proper solution would be to define a RewriteRule in the apache
configuration (VirtualHost :443) which redirects you to http.

HTH

Jann



Re: Problem with authoring mod_proxy setup

Posted by so...@gmail.com.
On 7/12/05, Jonathan Linczak <li...@hiram.edu> wrote:
> On Jul 12, 2005, at 3:50 PM, <so...@gmail.com> wrote:
> > On 7/5/05, Jonathan Linczak <li...@hiram.edu> wrote:
> >> So, I go to lenya.company.com and loads up great.  I try to login to a
> >> publication and it switches over to SSL.  Sweet.  It's the after-login
> >> part that has me stumped.  It continues to stay in SSL, even though it
> >> should be reverting back to non-SSL.  Anyone have any ideas as to why
> >> this is happening?
> > Please explain the purpose of changing back to non-SSL?  Someone has
> > logged in.  You protected their password during the login process.
> > Now they are reading confidential protected data, and you want it sent
> > without encryption?  If the data is going to be sent cleartext, why
> > bother with any security or encryption?
> > You should only switch back to non-SSL when they log out. (Also when
> > the session times out, but that is more difficult to program.  Some
> > programs never timeout SSL sessions.)
> Well, as far as I understand, the only point where actual sensitive
> data is being passed is when the user logs in.  I use LDAP
> Authentication to achieve this, and so it makes sense to encrypt this.
> But, I think once the user logs in, the only thing that is kept in the
> session is the username, which decides what that user is capable of
> doing.  I could be mistaken, but I don't think the password is stored
> in the session (a dev will have to verify this).  So, in that case, why
> should I care of the authoring portion is SSL or non-SSL?  It's not
> like they are editing data that shouldn't be seen - the site is live
> for everyone to see anyway.  Of course, this philosophy changes if any
> sensitive data is stored in the session when the user is logged in.

The only thing sent by the client is the session id, not the username.
 If designed correctly, the session id should only be valid for the
SSL session that created it.  I doubt Lenya is aware at that level,
but all of it could be handled lower in the stack.  Would you test it?
 If you log in using SSL (https://), then change the protocol back to
http://, is your session still valid?  Or do you need to log in again?

My site has a restricted section, so we have confidential
not-for-everybody information.

Your content admins could be adding information that has a
do-not-release-before date.  What if they were writing a review from a
pre-release copy of Harry Potter?

The real threat is if someone can see the content being edited, then
they can probably hijack the session and create their own content. 
That's called defacing a website, and gets kudos on the
I-broke-a-website message boards for the socially inept.

> As a matter of fact, if I recall correctly, isn't the username and
> password appended onto a query string when logging in?  I remember
> seeing a bug report on this.  If so, then our worries about SSL and
> non-SSL don't really matter anyway... :)

I am not rereading the specs now, but as I remember it:
With SSL, the servers do their handshake, then all content is
encrypted.  The IP packets know what address is their destination, but
the URL, including the querystring, is included in the content, which
cannot be read until it is decrypted by the server.

-- Back to the main question:
In your words:
"Why should I care of the authoring portion is SSL or non-SSL?"

Users create SSL sessions.  Why break them?  Is SSL really slowing
performance?  Do people complain there's an 's' in the protocol?  Why
is it important to turn SSL off?

solprovider
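
[Added example, not part of the thread and not Lenya or Jetty code.] A way to answer the test question above (does the session stay valid after switching from https:// back to http://) without guessing: parse the Set-Cookie headers of the login response and report which cookies a browser would also attach to a plain-HTTP request on the same host. The cookie name JSESSIONID, the header values and the URLs are constructed assumptions; the cookies are assumed host-only (no Domain attribute).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers (assumption: a servlet-style session cookie).
# WEAK is issued without the Secure flag, HARDENED with it.
WEAK = "JSESSIONID=constructed-session-id-1; Path=/"
HARDENED = "JSESSIONID=constructed-session-id-2; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Return (name, morsel) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    return next(iter(jar.items()))


def path_matches(cookie_path, request_path):
    """Path-match rule from RFC 6265, section 5.1.4."""
    cookie_path = cookie_path or "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Either the cookie path ends in "/" or the next character is "/".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def sent_with(header, url):
    """Would a browser attach this host-only cookie to a request for url?

    Cookies are scoped by host and path, not by scheme or port, so a cookie
    set over https on port 443 also goes to http on port 80 unless it
    carries the Secure attribute.
    """
    _, morsel = parse_set_cookie(header)
    parts = urlsplit(url)
    if morsel["secure"] and parts.scheme != "https":
        return False
    return path_matches(morsel["path"], parts.path or "/")


def audit(headers, http_url):
    """Names of cookies that would travel in cleartext to http_url."""
    exposed = []
    for header in headers:
        name, _ = parse_set_cookie(header)
        if sent_with(header, http_url):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    url = "http://lenya.company.com/pub-name/authoring/index.html"
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "-> exposed over HTTP:", audit([header], url))
```

If the audit lists the session cookie, the session id that solprovider describes is sent unencrypted as soon as the authoring area falls back to http://, whatever protected the login itself.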



Re: Problem with authoring mod_proxy setup

Posted by Jonathan Linczak <li...@hiram.edu>.
On Jul 12, 2005, at 3:50 PM, <so...@gmail.com> wrote:

> On 7/5/05, Jonathan Linczak <li...@hiram.edu> wrote:
>> So, I go to lenya.company.com and loads up great.  I try to login to a
>> publication and it switches over to SSL.  Sweet.  It's the after-login
>> part that has me stumped.  It continues to stay in SSL, even though it
>> should be reverting back to non-SSL.  Anyone have any ideas as to why
>> this is happening?
>
> Please explain the purpose of changing back to non-SSL?  Someone has
> logged in.  You protected their password during the login process.
> Now they are reading confidential protected data, and you want it sent
> without encryption?  If the data is going to be sent cleartext, why
> bother with any security or encryption?
>
> You should only switch back to non-SSL when they log out. (Also when
> the session times out, but that is more difficult to program.  Some
> programs never timeout SSL sessions.)


Well, as far as I understand, the only point where actual sensitive 
data is being passed is when the user logs in.  I use LDAP 
Authentication to achieve this, and so it makes sense to encrypt this.  
But, I think once the user logs in, the only thing that is kept in the 
session is the username, which decides what that user is capable of 
doing.  I could be mistaken, but I don't think the password is stored 
in the session (a dev will have to verify this).  So, in that case, why 
should I care of the authoring portion is SSL or non-SSL?  It's not 
like they are editing data that shouldn't be seen - the site is live 
for everyone to see anyway.  Of course, this philosophy changes if any 
sensitive data is stored in the session when the user is logged in.

As a matter of fact, if I recall correctly, isn't the username and 
password appended onto a query string when logging in?  I remember 
seeing a bug report on this.  If so, then our worries about SSL and 
non-SSL don't really matter anyway... :)

Jon




Re: Problem with authoring mod_proxy setup

Posted by so...@gmail.com.
On 7/5/05, Jonathan Linczak <li...@hiram.edu> wrote:
> So, I go to lenya.company.com and loads up great.  I try to login to a
> publication and it switches over to SSL.  Sweet.  It's the after-login
> part that has me stumped.  It continues to stay in SSL, even though it
> should be reverting back to non-SSL.  Anyone have any ideas as to why
> this is happening?

Please explain the purpose of changing back to non-SSL?  Someone has
logged in.  You protected their password during the login process. 
Now they are reading confidential protected data, and you want it sent
without encryption?  If the data is going to be sent cleartext, why
bother with any security or encryption?

You should only switch back to non-SSL when they log out. (Also when
the session times out, but that is more difficult to program.  Some
programs never timeout SSL sessions.)

solprovider
