This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: modperl@apache.org
From: Joshua Gerth <jgerth@ptdcs2.ra.intel.com>
Subject: http -> https for authentication
Date: Wed, 27 Dec 2000 11:06:43 -0800 (PST)

Howdy,

So, I am running a mod_perl/mod_ssl enabled Apache web server.
The home page (and several other unprotected pages) need to listen on both
the encrypted port 443 and non-encrypted port 80. However, I would like
to force all authentication requests to go through the encrypted side so
the password is never passed in plain text.

In the past I have done this by adding a mod_rewrite for each area
which I knew was protected. Is there any way I can do this in a more
dynamic fashion?

===

To: Joshua Gerth <jgerth@ptdcs2.ra.intel.com>
From: Stas Bekman <stas@stason.org>
Subject: Re: http -> https for authentication
Date: Wed, 27 Dec 2000 20:17:40 +0100 (CET)

On Wed, 27 Dec 2000, Joshua Gerth wrote:

>
> Howdy,
>
> So, I am running a mod_perl/mod_ssl enabled Apache web server.
> The home page (and several other unprotected pages) need to listen on both
> the encrypted port 443 and non-encrypted port 80. However, I would like
> to force all authentication requests to go through the encrypted side so
> the password is never passed in plain text.
>
> In the past I have done this by adding a mod_rewrite for each area
> which I knew was protected. Is there any way I can do this in a more
> dynamic fashion?

You are having front/end-back setup, right? If so:
http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html

===

To: Stas Bekman <stas@stason.org>
From: Joshua Gerth <jgerth@ptdcs2.ra.intel.com>
Subject: Re: http -> https for authentication
Date: Wed, 27 Dec 2000 11:31:32 -0800 (PST)

Hey Stas,

> > So, I am running a mod_perl/mod_ssl enabled Apache web server.
> > The home page (and several other unprotected pages) need to listen on both
> > the encrypted port 443 and non-encrypted port 80. However, I would like
> > to force all authentication requests to go through the encrypted side so
> > the password is never passed in plain text.
> >
> > In the past I have done this by adding a mod_rewrite for each area
> > which I knew was protected. Is there any way I can do this in a more
> > dynamic fashion?
>
> You are having front/end-back setup, right? If so:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html

Actually no, we had not set up the frontend/backend thing yet. I was
more hoping we could do this with either a PerlTransHandler or by adding
logic to my Apache::Authen handler.

Any hope, or do we need to go to the frontend/backend setup to do this?

===

To: modperl@apache.org
From: "Michael" <michael@bizsystems.com>
Subject: Re: http -> https for authentication
Date: Wed, 27 Dec 2000 11:32:40 -0800

>
> Howdy,
>
> So, I am running a mod_perl/mod_ssl enabled Apache web server. The
> home page (and several other unprotected pages) need to listen on
> both the encrypted port 443 and non-encrypted port 80. However, I
> would like to force all authentication requests to go through the
> encrypted side so the password is never passed in plain text.
>
> In the past I have done this by adding a mod_rewrite for each area
> which I knew was protected. Is there any way I can do this in a
> more dynamic fashion?
>

Well... this may not be elegant, but I use a straightforward
approach of using an include config file for the use that is identical
for both port 80 and 443. The login.pl file on the port 80 side simply
redirects to https:URL passing a variable that indicates the original
target to the real login script. After the login the script returns to
the target as it would normally. This is pretty simple at least for me
as nothing differs except the two login.pl scripts.

Michael@Insulin-Pumpers.org

===

To: Stas Bekman <stas@stason.org>
From: Ask Bjoern Hansen <ask@valueclick.com>
Subject: Re: http -> https for authentication
Date: Wed, 27 Dec 2000 11:58:18 -0800 (PST)

On Wed, 27 Dec 2000, Stas Bekman wrote:

> You are having front/end-back setup, right? If so:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html

I use something like

    RewriteCond %{SERVER_PORT} ^443$
    RewriteRule ^/appname(.*) http://localhost:1234/appname?secure=1 [P,QSA,L]

and then the app can just look at the "secure" parameter.

===

To: Joshua Gerth <jgerth@ptdcs2.ra.intel.com>
From: Dan Riley <dsr@mail.lns.cornell.edu>
Subject: Re: http -> https for authentication
Date: 27 Dec 2000 23:26:04 -0500

Joshua Gerth <jgerth@ptdcs2.ra.intel.com> writes:

> So, I am running a mod_perl/mod_ssl enabled Apache web server.
> The home page (and several other unprotected pages) need to listen on both
> the encrypted port 443 and non-encrypted port 80. However, I would like
> to force all authentication requests to go through the encrypted side so
> the password is never passed in plain text.

We do this via an old-fashioned 403 handler on the unencrypted side
that returns a 302 redirect to an https URL. The vhost for the
encrypted side overrides the 403 handler with our standard handler.

===
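
Added example, not part of the original thread and not any poster's code: one way to do the redirect dynamically in a single mod_perl 1.x handler, using the access phase (which runs before the authentication handler) instead of the PerlTransHandler or Apache::Authen logic asked about. The package name My::ForceSSLAuth, the SSL_PORT constant and the choice of the access phase are assumptions for illustration.

```perl
package My::ForceSSLAuth;   # hypothetical module name, not from the thread

# mod_perl 1.x access-phase handler. If the requested URI is covered by a
# "require" directive and the request arrived on the plain-HTTP port, answer
# with a 302 to the same URL on https, so the 401 challenge (and therefore
# the password) is only ever exchanged on the encrypted side.
#
# Assumed configuration, applied once for the whole server:
#   <Location />
#       PerlAccessHandler My::ForceSSLAuth
#   </Location>

use strict;
use Apache::Constants qw(OK REDIRECT);
use Apache::Util ();

use constant SSL_PORT => 443;   # assumption: the mod_ssl vhost uses port 443

sub handler {
    my $r = shift;

    # Subrequests and internal redirects follow the initial request's decision.
    return OK unless $r->is_initial_req;

    # Already on the encrypted side: let authentication proceed normally.
    return OK if $r->get_server_port == SSL_PORT;

    # No "require" applies here: the page stays reachable over plain HTTP.
    return OK unless $r->some_auth_required;

    # Build the target from the configured server name rather than the
    # client-supplied Host header, and re-escape the decoded path so that
    # characters such as CR/LF cannot end up in the Location header.
    my $url = 'https://' . $r->server->server_hostname
            . Apache::Util::escape_uri($r->uri);

    my $args = $r->args;   # scalar context returns the raw query string
    $url .= "?$args" if defined $args && length $args;

    $r->header_out(Location => $url);
    return REDIRECT;
}

1;
```

Because the check uses some_auth_required, newly protected areas are picked up from their own "require" lines without a per-area rewrite rule. A client that sends an Authorization header unprompted on port 80 has already exposed it before any server-side redirect can act.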