Best Way to do SSL?

Author Message

Willie Seabrook

Tuesday 20 January 2004 2:43:54 pm

Hi,

I need some parts of my site secured with SSL, and not others. The user login, and many parts of a user restricted area as sensitive information will be passed.

Would the best way to do this be to write apache rewrite rules to redirect the user based upon the url. For example, if I wanted to protect /content/view/full/5252 I would write a rule in apache:

RewriteRule ^/(content/view/full/5252/.*)$ https://www.mysite.com/$1 [R]

And do this for each page I need to protect? Is there an easier way to do it? And is this secure? The only information that would be sent over http in this setup would be the get request right? Then it would be transferred to https and the actual result of the get request (the sensitive data) would be sent over https.

Then for my embedded user login form (that sits on my homepage) I would change the post user from http://www.mysite.com/user/login to https://www.mysite.con/user/login and the post request would go over https?

Please forgive my ignorance here, I have never done a secure site before.

Björn Dieding@xrow.de

Thursday 22 January 2004 10:39:36 am

#################
# Lokaler SSL-Proxy, welcher https://domain zu http://domain umleitet
#################

RewriteLock /var/lock/rewrite.lock

<VirtualHost _default_:443>
DocumentRoot "/home/www"
ServerName ssl.xrow.net
ServerAlias www.xrow.net
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/ssl.crt/ssl.xrow.net.server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/ssl.xrow.net.server.key
SSLCACertificateFile /etc/httpd/ssl.crt/ssl.xrow.net.ca.crt

# Rewrite-Engine einschalten fuer Umschreiben der URL
RewriteEngine on
# Logging ausschalten mit folgenden Zeilen:
#RewriteLog /dev/null
#RewriteLog 0
RewriteLog /var/log/httpd/sslproxy.log
RewriteLogLevel 1
RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P,L]

</VirtualHost>

cool.... I like it

Looking for a new job? http://www.xrow.com/xrow-GmbH/Jobs
Looking for hosting? http://hostingezpublish.com
-----------------------------------------------------------------------------
GMT +01:00 Hannover, Germany
Web: http://www.xrow.com/

Willie Seabrook

Friday 23 January 2004 7:35:35 pm

I don't quite get it sorry :-(

With that configuration it looks like any request to the host gets re-written back to the host again???

Could you please explain a little? I can set up a secure server - I know how to do that, its just getting it to work nicely and securely with ezpublish that I'm unsure about.

Regards,
Willie

Björn Dieding@xrow.de

Monday 26 January 2004 1:43:49 am

>With that configuration it looks like any request to the host gets re-written back to the host again???

True....

any request to port 443 gets internally rewritten to port 80

the flow will be like this

client request https://www.xrow.de/user/register -> ssl proxy will a call(no encrytion needed internally) -> http://www.xrow.de/user/register (your eZ vhost) -> then the proxy will return the result from http://www.xrow.de/user/register (encryted) to client

Looking for a new job? http://www.xrow.com/xrow-GmbH/Jobs
Looking for hosting? http://hostingezpublish.com
-----------------------------------------------------------------------------
GMT +01:00 Hannover, Germany
Web: http://www.xrow.com/

Lauren Matheson

Thursday 01 April 2004 11:01:02 am

Can you explain more? The client request comes on port 443, internally that is rewritten to the non-secure vhost through port 80, and the response comes out port 80? That sounds like it would drop the TCP connection.?

Bruce Morrison

Thursday 01 April 2004 3:17:17 pm

I think it's the 'P' flag on the end of the rewrite rule that does all the magic.

See
http://httpd.apache.org/docs/mod/mod_rewrite.html#RewriteRule

Cheers
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.