On my apache2 I'm running https and am bookmarking each and every login page, e.g. serendipity_admin.php, as well as the login pages of plugins (creating new users etc.).
It would now be great to have the possibility to just set an option that makes links like the "login" link on the front page point to https://<blogdomain>/... by default. It's rather hard to edit the source code for any of those links.
ssl optional on every login page
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Re: ssl optional on every login page
Hi!
If you configure your serendipity for the "https://" URL, then all links will use HTTPS.
There is no logic in s9y that can distinguish between a "login" page and a "non-login" page. So it's either "all https" or "no https". For any distinction you are required to make your own modifications, I'm sorry.
But we believe that people who use https should use it for the full backend. You can enable the "HTTP Host" autodetection configuration option to allow using both http:// and https://, so that your usual visitors do not need to use https...?
HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Hi Garv,
actually there ARE circumstances where I do not want a "normal user" to hack in his password on an http channel but want to force him to use an https channel for that.
BUT what I was actually referring to is line 332/581 in the index.php
Code:
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')
and am asking if you could give people a switch to set $_SERVER to HTTPS by default for sites where their users hack a password in.
Actually in my case I'm using two document root dirs for s9y nowadays: one, which is the https site, has a serendipity_admin.php and links the rest of the document root of the http site (which of course has no serendipity_admin.php anymore).
But the latter forces me to make a lot of code changes, especially to the index.php, each and every time I download a nightly build... (e.g. SHOWing an entry - ANZEIGEN - I have edited using the https site from the link given there should point to the http site. Another one is that manipulating and saving the configuration settings should NOT automatically change the s9y path from http://modlog.de to https://modlog.de:443 - as it does in the standard code you deliver.)
Hope I made myself more clear this time and did not provoke such misunderstandings again.
regards
Michael
garvinhicking
Hi!
Michael wrote:
and am asking if you could give people a switch to set $_SERVER to HTTPS by default for sites where their users hack a password in.
That variable is intended to be read-only. It is set by your apache server if a VHost with https is used.
What is the reason for you not wanting to use https everywhere, if you intend to provide https facilities?
If you can compile a full list of where https should be used, I can try to think about creating a new config variable to force https?
HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Hi!
garvinhicking wrote:
That variable is intended to be read-only. It is set by your apache server if a VHost with https is used.
Yeah, I know. What I was intending to say is that you could easily differ between https asked for by the client and https not asked for by the client but forced by the will of the site's admin. Sorry for confusing things again.
garvinhicking wrote:
What is the reason for you not wanting to use https everywhere, if you intend to provide https facilities?
Well, there could be a lot of reasons not to use https everywhere. One is that many people live behind a (e.g. corporate) firewall where their admins do not allow them to use https connections to the outside at all. Another one is that search engines do not really appreciate https. A third one could be that if you force https for reading purposes of your site only, paranoid people easily feel spied on or so...
garvinhicking wrote:
If you can compile a full list of where https should be used, I can try to think about creating a new config variable to force https?
The most obvious page to me is anything around the serendipity_admin.php. Additionally, if you think about the "Autoren-login" plugin and the "Registrierung neuer User" plugin, I for my purposes would be very pleased with just a config variable.
Thank you and best regards
Michael
garvinhicking
Hi!
Okay, those places in admin and user-self registration plugin seem apparent. I will implement a config option for this. It will take me some time until I get down to it, hopefully somewhen next week!
Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
garvinhicking wrote:
Hi!
Okay, those places in admin and user-self registration plugin seem apparent. I will implement a config option for this. It will take me some time until I get down to it, hopefully somewhen next week!
Best regards,
Garvin
Thx Garvin, take your time. Just tell me when you've got a nightly for that (I hate using svn) and I will go testing it.
As I meanwhile worked out a workaround for me to constantly use (and force the use of) https (SSL) for admin purposes of serendipity (s9y = serendipity_admin.php) WITHOUT changing PHP code (!), I would like to document this here, but before the documentation I point to one caveat left:
If you use the below mentioned workaround you have to be aware that every time you use the configuration link in your admin interface, s9y AUTOMATICALLY sets the URL of your blog to
Code:
https://<yourSECURE_HTTPSurl>:443/
This happens automatically as soon as you access the configuration "page", even if you do not show the path section of the "page", and you have to change it back MANUALLY to
Code:
http://<yourHTTPurl>
BEFORE saving settings, as if you do not change it back your users are always served CSS, plugins etc. from the https site instead of the http site.
Actually in my case HTTPurl and HTTPSurl are the same, so the only annoying thing is the HTTPS and the 443 automatically placed by s9y.
--------
So here's the workaround (assuming you have mod_rewrite in place and s9y installed to use mod_rewrite!!!).
1st you have to set up an https site (if e.g. using Debian, you may want to use howtos like this one: http://www.debianhowto.de/doku.php/de:h ... lamp_suphp) and make it point to another directory of your server than the one that serves your http site. Following this line I will refer to the https site's directory as "securedir" and to the http site's directory as "httpdir", respectively "yourSECURE_HTTPSurl" or "yourHTTPurl" (as far as URLs are mentioned).
So e.g. to make the Dir of the above mentioned howto point to securedir you will edit
Code:
/etc/apache2/sites-available/default-ssl
and make it look like this
Code:
DocumentRoot /var/www/securedir
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/securedir>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# RedirectMatch ^/$ /apache2-default/
</Directory>
After this you have to restart apache, e.g. on Debian
Code:
apache2ctl restart
to make the changes work.
Now as your securedir is still empty, we're going to fill it now with a script like this - assuming securedir and httpdir are on the same hierarchy level of your filesystem (in this case under /var/www)
Code:
#! /bin/bash
# Populate securedir: everything except the admin scripts is symlinked to
# the http tree, so only one copy of the s9y code exists.
cd /var/www/securedir
ln -s ../httpdir/bundled-libs/ bundled-libs
ln -s ../httpdir/deployment/ deployment
ln -s ../httpdir/docs/ docs
ln -s ../httpdir/htmlarea/ htmlarea
ln -s ../httpdir/include/ include
ln -s ../httpdir/lang/ lang
ln -s ../httpdir/plugins plugins
ln -s ../httpdir/sql/ sql
ln -s ../httpdir/templates/ templates
ln -s ../httpdir/templates_c/ templates_c
ln -s ../httpdir/tests/ tests
ln -s ../httpdir/uploads/ uploads
ln -s ../httpdir/animated_favicon1.gif animated_favicon1.gif
ln -s ../httpdir/blog.php blog.php
ln -s ../httpdir/comment.php comment.php
ln -s ../httpdir/exit.php exit.php
ln -s ../httpdir/favicon.ico favicon.ico
ln -s ../httpdir/foaf.rdf foaf.rdf
ln -s ../httpdir/index.php index.php
ln -s ../httpdir/rss.php rss.php
ln -s ../httpdir/serendipity.css.php serendipity.css.php
ln -s ../httpdir/serendipity_config.inc.php serendipity_config.inc.php
ln -s ../httpdir/serendipity_config_local.inc.php serendipity_config_local.inc.php
ln -s ../httpdir/serendipity_define.js.php serendipity_define.js.php
ln -s ../httpdir/serendipity_editor.js serendipity_editor.js
ln -s ../httpdir/serendipity_xmlrpc.php serendipity_xmlrpc.php
ln -s ../httpdir/wfwcomment.php wfwcomment.php
# The admin scripts are MOVED, not linked: they must no longer exist in the
# http tree at all.
mv ../httpdir/serendipity_admin.php ./
mv ../httpdir/serendipity_admin_image_selector.php ./
cp ../httpdir/robots.txt ./
cp ../httpdir/.htaccess ./
Be careful: after this step you will no longer be able to access the admin site of s9y by going to
Code:
http://yourHTTPurl/serendipity_admin.php
but by going to
Code:
https://yourSECURE_HTTPSurl/serendipity_admin.php
----
So we will now force s9y - NO, we'll actually force apache to do this for us automatically.
For this we edit the .htaccess file in the httpdir and add a line as follows after the rewrite block s9y placed in there automatically:
Code:
Redirect permanent /serendipity_admin.php https://yourSECURE_HTTPSurl/serendipity_admin.php
----
You will now find that s9y Administration Sites already work really well with https. But there are still some caveats that we want to fix (whereas we can't fix the one mentioned at the beginning of this article without changing PHP code, which we do not want to do in this workaround).
To fix those latter mentioned caveats we are changing dir to our securedir
and editing the .htaccess file the above listed script copied there. After editing, the rewrite rules look like this in my securedir's .htaccess file:
Code:
RewriteEngine On
RewriteBase /
RewriteRule ^((archives/([0-9]+)-[0-9a-z\.\_!;,\+\-\%]+\.html)/?) http://yourHTTPurl/blog.php?/$1 [NC,L,QSA]
RewriteRule ^(authors/([0-9]+)-[0-9a-z\.\_!;,\+\-\%]+) http://yourHTTPurl/blog.php?/$1 [NC,L,QSA]
RewriteRule ^(feeds/categories/([0-9;]+)-[0-9a-z\.\_!;,\+\-\%]+\.rss) http://yourHTTPurl/blog.php?/$1 [NC,L,QSA]
RewriteRule ^(feeds/authors/([0-9]+)-[0-9a-z\.\_!;,\+\-\%]+\.rss) http://yourHTTPurl/blog.php?/$1 [NC,L,QSA]
RewriteRule ^(categories/([0-9;]+)-[0-9a-z\.\_!;,\+\-\%]+) http://yourHTTPurl/blog.php?/$1 [NC,L,QSA]
RewriteRule ^archives([/A-Za-z0-9]+)\.html http://yourHTTPurl/blog.php?url=/archives/$1.html [NC,L,QSA]
RewriteRule ^([0-9]+)[_\-][0-9a-z_\-]*\.html http://yourHTTPurl/blog.php?url=$1-article.html [L,NC,QSA]
RewriteRule ^feeds/(.*) http://yourHTTPurl/blog.php?url=/feeds/$1 [L,QSA]
RewriteRule ^unsubscribe/(.*)/([0-9]+) http://yourHTTPurl/blog.php?url=/unsubscribe/$1/$2 [L,QSA]
RewriteRule ^approve/(.*)/(.*)/([0-9]+) http://yourHTTPurl/blog.php?url=approve/$1/$2/$3 [L,QSA]
#RewriteRule ^delete/(.*)/(.*)/([0-9]+) blog.php?url=delete/$1/$2/$3 [L,QSA]
#RewriteRule ^(admin|entries)(/.+)? blog.php?url=admin/ [L,QSA]
#RewriteRule ^archive/? http://yourHTTPurl/blog.php?url=/archive [L,QSA]
RewriteRule ^(index|atom[0-9]*|rss|b2rss|b2rdf).(rss|rdf|rss2|xml) http://yourHTTPurl/rss.php?file=$1&ext=$2
RewriteRule ^(plugin|plugin)/(.*) http://yourHTTPurl/blog.php?url=$1/$2 [L,QSA]
RewriteRule ^search/(.*) http://yourHTTPurl/blog.php?url=/search/$1 [L,QSA]
RewriteRule ^comments/(.*) http://yourHTTPurl/blog.php?url=/comments/$1 [L,QSA]
RewriteRule ^(serendipity\.css|serendipity_admin\.css)$ http://yourHTTPurl/blog.php?url=/$1 [L,QSA]
RewriteRule ^index\.(html?|php.+) http://yourHTTPurl/blog.php?url=index.html [L,QSA]
#RewriteRule ^htmlarea/(.*) htmlarea/$1 [L,QSA]
RewriteRule (.*\.html?) http://yourHTTPurl/$1 [L,QSA]
You may find that some of the RewriteRules changed and some others are just commented out, where I found out about the latter by just trial and error (so if someone finds some better rewrite rules for this workaround, just tell me, I'm eager to know).
So that's it. In my workaround I'm now forced to https://yourSECURE_HTTPSurl/serendipity_admin.php every time I click on Login in my s9y or type http://yourHTTPurl/admin, AND the rewrite rules redirect me to my yourHTTPurl as soon as I use the "back to blog" or "show (edited) page" links in my admin interface.
What is not yet tested: I've not yet tested to
- approve trackbacks/comments on the secure site
- delete articles or comments on the secure site
- install/update/remove plugins using the secure site
Probably I'll find time to set up a VMware using the above mentioned configuration as a test system these days. Then I will let you know.
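An alternative Apache-only layout, added here as an illustration and not part of Michael's post or of the s9y project: both vhosts share one DocumentRoot, the http vhost bounces the admin scripts to TLS and the https vhost bounces reader pages back, which removes the need for the symlink script and the duplicated .htaccess. It adds two guards the thread's rules lack: only GET requests are redirected (a redirect discards the body of a comment or login POST) and the files the admin UI itself loads are excluded, so admin pages do not mix https and http content. It assumes mod_rewrite and mod_ssl are enabled; hostnames, directories and certificate paths are placeholders that follow the thread's naming.

```apache
# Added example (not from the thread): one DocumentRoot for both vhosts.
# yourHTTPurl, /var/www/httpdir and the certificate files are placeholders.

<VirtualHost *:80>
    ServerName yourHTTPurl
    DocumentRoot /var/www/httpdir
    RewriteEngine On
    # The admin scripts are never served over plain HTTP: bounce them to TLS
    # before a login form is even rendered, so no credential is submitted in
    # clear. 301 keeps browsers from retrying the http:// URL later.
    RewriteRule ^/(serendipity_admin(_image_selector)?\.php)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName yourHTTPurl
    DocumentRoot /var/www/httpdir
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/PLACEHOLDER-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/PLACEHOLDER-key.pem
    RewriteEngine On
    # Reader-facing pages requested over TLS go back to plain HTTP (the job
    # of the securedir rewrite rules in the thread), with three guards:
    #  - act only on the browser's original request, not on the internal
    #    redirect that s9y's own .htaccess rules produce (Apache sets
    #    REDIRECT_STATUS on internal redirects);
    #  - bounce GETs only; a redirect would drop the body of a POST;
    #  - leave the admin scripts and everything the admin UI loads alone
    #    (template, editor, upload and plugin files, the CSS/JS endpoints),
    #    so the admin pages do not mix https and http content.
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteCond %{REQUEST_METHOD} =GET
    RewriteCond %{REQUEST_URI} !^/serendipity_admin(_image_selector)?\.php$
    RewriteCond %{REQUEST_URI} !^/(templates|htmlarea|uploads|plugins|bundled-libs)/
    RewriteCond %{REQUEST_URI} !^/(serendipity(_admin)?\.css|serendipity\.css\.php|serendipity_define\.js\.php|serendipity_editor\.js|favicon\.ico|animated_favicon1\.gif)$
    RewriteRule ^/(.*)$ http://%{HTTP_HOST}/$1 [R=302,L]
</VirtualHost>
```

The configuration-page caveat from the post (s9y rewriting the blog URL to https://...:443/) is unchanged by this, since that happens in PHP. A session cookie issued on the https host is also still sent with plain-HTTP requests to the same hostname unless it carries the Secure flag, which is a PHP/s9y setting rather than something these rules provide.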