Best Way to do SSL?

Next topic

Author	Message
Willie Seabrook	Tuesday 20 January 2004 2:43:54 pm Hi, I need some parts of my site secured with SSL, and not others. The user login, and many parts of a user restricted area as sensitive information will be passed. Would the best way to do this be to write apache rewrite rules to redirect the user based upon the url. For example, if I wanted to protect /content/view/full/5252 I would write a rule in apache: RewriteRule ^/(content/view/full/5252/.*)$ https://www.mysite.com/$1 [R] And do this for each page I need to protect? Is there an easier way to do it? And is this secure? The only information that would be sent over http in this setup would be the get request right? Then it would be transferred to https and the actual result of the get request (the sensitive data) would be sent over https. Then for my embedded user login form (that sits on my homepage) I would change the post user from http://www.mysite.com/user/login to https://www.mysite.con/user/login and the post request would go over https? Please forgive my ignorance here, I have never done a secure site before.
Björn [email protected]	Thursday 22 January 2004 10:39:36 am ################# # Lokaler SSL-Proxy, welcher https://domain zu http://domain umleitet ################# RewriteLock /var/lock/rewrite.lock <VirtualHost _default_:443> DocumentRoot "/home/www" ServerName ssl.xrow.net ServerAlias www.xrow.net SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/httpd/ssl.crt/ssl.xrow.net.server.crt SSLCertificateKeyFile /etc/httpd/ssl.key/ssl.xrow.net.server.key SSLCACertificateFile /etc/httpd/ssl.crt/ssl.xrow.net.ca.crt # Rewrite-Engine einschalten fuer Umschreiben der URL RewriteEngine on # Logging ausschalten mit folgenden Zeilen: #RewriteLog /dev/null #RewriteLog 0 RewriteLog /var/log/httpd/sslproxy.log RewriteLogLevel 1 RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P,L] </VirtualHost> cool.... I like it Looking for a new job? http://www.xrow.com/xrow-GmbH/Jobs Looking for hosting? http://hostingezpublish.com ----------------------------------------------------------------------------- GMT +01:00 Hannover, Germany Web: http://www.xrow.com/
Willie Seabrook	Friday 23 January 2004 7:35:35 pm I don't quite get it sorry :-( With that configuration it looks like any request to the host gets re-written back to the host again??? Could you please explain a little? I can set up a secure server - I know how to do that, its just getting it to work nicely and securely with ezpublish that I'm unsure about. Regards, Willie
Björn [email protected]	Monday 26 January 2004 1:43:49 am >With that configuration it looks like any request to the host gets re-written back to the host again??? True.... any request to port 443 gets internally rewritten to port 80 the flow will be like this client request https://www.xrow.de/user/register -> ssl proxy will a call(no encrytion needed internally) -> http://www.xrow.de/user/register (your eZ vhost) -> then the proxy will return the result from http://www.xrow.de/user/register (encryted) to client Looking for a new job? http://www.xrow.com/xrow-GmbH/Jobs Looking for hosting? http://hostingezpublish.com ----------------------------------------------------------------------------- GMT +01:00 Hannover, Germany Web: http://www.xrow.com/
Lauren Matheson	Thursday 01 April 2004 11:01:02 am Can you explain more? The client request comes on port 443, internally that is rewritten to the non-secure vhost through port 80, and the response comes out port 80? That sounds like it would drop the TCP connection.?
Bruce Morrison	Thursday 01 April 2004 3:17:17 pm I think it's the 'P' flag on the end of the rewrite rule that does all the magic. See http://httpd.apache.org/docs/mod/mod_rewrite.html#RewriteRule Cheers Bruce My Blog: http://www.stuffandcontent.com/ Follow me on twitter: http://twitter.com/brucemorrison Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish