This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: modperl@apache.org
From: Joshua Gerth <jgerth@ptdcs2.ra.intel.com>
Subject: http -> https for authentication
Date: Wed, 27 Dec 2000 11:06:43 -0800 (PST)
Howdy,
So, I am running a mod_perl/mod_ssl enabled Apache web server.
The home page (and several other unprotected pages) need to listen on both
the encrypted port 443 and non-encrypted port 80. However, I would like
to force all authentication requests to go through the encrypted side so
the password is never passed in plain text.
In the past I have done this by adding a mod_rewrite for each area
which I knew was protected. Is there any way I can do this in a more
dynamic fashion?
===
To: Joshua Gerth <jgerth@ptdcs2.ra.intel.com>
From: Stas Bekman <stas@stason.org>
Subject: Re: http -> https for authentication
Date: Wed, 27 Dec 2000 20:17:40 +0100 (CET)
On Wed, 27 Dec 2000, Joshua Gerth wrote:
>
> Howdy,
>
> So, I am running a mod_perl/mod_ssl enabled Apache web server.
> The home page (and several other unprotected pages) need to listen on both
> the encrypted port 443 and non-encrypted port 80. However, I would like
> to force all authentication requests to go through the encrypted side so
> the password is never passed in plain text.
>
> In the past I have done this by adding a mod_rewrite for each area
> which I knew was protected. Is there any way I can do this in a more
> dynamic fashion?
You have a front-end/back-end setup, right? If so:
http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
===
To: Stas Bekman <stas@stason.org>
From: Joshua Gerth <jgerth@ptdcs2.ra.intel.com>
Subject: Re: http -> https for authentication
Date: Wed, 27 Dec 2000 11:31:32 -0800 (PST)
Hey Stas,
> > So, I am running a mod_perl/mod_ssl enabled Apache web server.
> > The home page (and several other unprotected pages) need to listen on both
> > the encrypted port 443 and non-encrypted port 80. However, I would like
> > to force all authentication requests to go through the encrypted side so
> > the password is never passed in plain text.
> >
> > In the past I have done this by adding a mod_rewrite for each area
> > which I knew was protected. Is there any way I can do this in a more
> > dynamic fashion?
>
> You have a front-end/back-end setup, right? If so:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
Actually no, we had not yet set up the frontend/backend thing. I was
more hoping we could do this with either a PerlTransHandler
or by adding logic to my Apache::Authen handler. Any hope, or do we need
to go to the frontend/backend setup to do this?
===
To: modperl@apache.org
From: "Michael" <michael@bizsystems.com>
Subject: Re: http -> https for authentication
Date: Wed, 27 Dec 2000 11:32:40 -0800
>
> Howdy,
>
> So, I am running a mod_perl/mod_ssl enabled Apache web server. The
> home page (and several other unprotected pages) need to listen on
> both the encrypted port 443 and non-encrypted port 80. However, I
> would like to force all authentication requests to go through the
> encrypted side so the password is never passed in plain text.
>
> In the past I have done this by adding a mod_rewrite for each area
> which I knew was protected. Is there any way I can do this in a
> more dynamic fashion?
>
Well... this may not be elegant, but I use a straightforward
approach of using an include config file for the use that is
identical for both port 80 and 443. The login.pl file on the port 80
side simply redirects to https:URL passing a variable that indicates
the original target to the real login script. After the login the
script returns to the target as it would normally. This is pretty
simple at least for me as nothing differs except the two login.pl
scripts.
Michael@Insulin-Pumpers.org
===
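Added example, not part of Michael's post or his scripts: the port 80 hand-off he describes, written in Perl with the return target restricted to a same-site path so the login step cannot be used to send users to another host. The host name, the `target` parameter name and the helper names are assumptions; the sample targets are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed location of the real (HTTPS) login script; placeholder host.
my $HTTPS_LOGIN = 'https://www.example.com/login.pl';

# Accept only a same-site absolute path; anything else falls back to '/'.
sub safe_target {
    my ($t) = @_;
    return '/' unless defined $t && length $t;
    return '/' if $t =~ /[\x00-\x1f\x7f\\]/;   # control chars (CR/LF) or backslash
    return '/' unless $t =~ m{\A/(?!/)};        # one leading slash: no scheme, no //host
    return $t;
}

# Percent-encode everything outside the RFC 3986 unreserved set (byte strings).
sub uri_escape {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Port 80 side: the Location value that hands the browser to the HTTPS login.
# The HTTPS login script should run safe_target() again on what it receives
# before returning the user there, since the parameter is client-controlled.
sub login_redirect {
    my ($target) = @_;
    return "$HTTPS_LOGIN?target=" . uri_escape(safe_target($target));
}

# Constructed sample targets: one legitimate path and three that are rejected.
for my $t ('/members/report.pl?id=7',
           'http://other.example/',
           '//other.example/x',
           "/a\r\nX-Injected: 1") {
    print login_redirect($t), "\n";
}
```
===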
To: Stas Bekman <stas@stason.org>
From: Ask Bjoern Hansen <ask@valueclick.com>
Subject: Re: http -> https for authentication
Date: Wed, 27 Dec 2000 11:58:18 -0800 (PST)
On Wed, 27 Dec 2000, Stas Bekman wrote:
> You have a front-end/back-end setup, right? If so:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
I use something like
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^/appname(.*) http://localhost:1234/appname?secure=1 [P,QSA,L]
and then the app can just look at the "secure" parameter.
===
To: Joshua Gerth <jgerth@ptdcs2.ra.intel.com>
From: Dan Riley <dsr@mail.lns.cornell.edu>
Subject: Re: http -> https for authentication
Date: 27 Dec 2000 23:26:04 -0500
Joshua Gerth <jgerth@ptdcs2.ra.intel.com> writes:
> So, I am running a mod_perl/mod_ssl enabled Apache web server.
> The home page (and several other unprotected pages) need to listen on both
> the encrypted port 443 and non-encrypted port 80. However, I would like
> to force all authentication requests to go through the encrypted side so
> the password is never passed in plain text.
We do this via an old-fashioned 403 handler on the unencrypted side
that returns a 302 redirect to an https URL. The vhost for the
encrypted side overrides the 403 handler with our standard handler.
===
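Added example, not code from any poster in this thread: one way to get the dynamic behaviour Joshua asks about and the port 80 redirect Dan describes, as a mod_perl access handler that redirects to https wherever Apache reports that authentication is required. It assumes the mod_perl 1.x API, the ports named in the thread (80 and 443), and a hypothetical module name.

```perl
package My::ForceSSLAuth;   # hypothetical module name
use strict;
use Apache::Constants qw(DECLINED REDIRECT);
use Apache::Util ();

# Assumed configuration, placed at server level so it covers every area:
#     PerlAccessHandler My::ForceSSLAuth
sub handler {
    my $r = shift;

    # Leave internal subrequests (lookups, includes) alone.
    return DECLINED unless $r->is_initial_req;

    # The access phase runs after the per-directory configuration has been
    # merged, so this is true wherever a "require" directive applies. No
    # list of protected areas has to be maintained by hand.
    return DECLINED unless $r->some_auth_required;

    # Already on the encrypted port: let the normal authen handlers run.
    return DECLINED if $r->get_server_port == 443;

    # Build the target from the configured ServerName rather than the
    # client-supplied Host header. $r->uri is the decoded path, so it is
    # re-escaped before it goes into a response header.
    my $url  = 'https://' . $r->server->server_hostname
             . Apache::Util::escape_uri($r->uri);
    my $args = $r->args;                 # scalar context: raw query string
    $url .= "?$args" if defined $args && length $args;

    # Returning REDIRECT here ends the request before the authen phase,
    # so no 401 challenge (and no password prompt) is issued on port 80.
    $r->header_out(Location => $url);
    return REDIRECT;
}

1;
```
===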