Re: how to check for ssl.

2000-08-06 Thread Jean-Denis Girard

$r->server->port() returns 0
$r->parsed_uri->port() and $r->parsed_uri->fragment() return nothing !!!

___cliff rayman___ a écrit :

 try these and see what they return:

 $r->server->port();
 $r->parsed_uri->port();

 --
 ___cliff [EMAIL PROTECTED]http://www.genwax.com/
 Jean-Denis Girard wrote:

  For some reason (probably my error), $r->get_server_port() always returns 80
  although my mod_perl backend only listens to 8080 and 8443 (I use Listen
  directives).
  I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
  instead.
  Though it works, I must load one more module (Socket), which I would like to
  avoid if possible...
 
  Any idea about my mistake ?
 
  My conf: apache-1.3.12 + mod_ssl-2.3.4  = apache-1.3.12 + mod_perl-1.24 on
  linux-2.2.14
 
  Jean-Denis Girard
  http://www.esoft.pf
 
  ___cliff rayman___ a écrit :
 
   $port=$r->get_server_port();

   [EMAIL PROTECTED] wrote:

    Ok, so what is the PORT variable and how do I access it?

    Scott
    On 3 Aug 2000, at 22:08, Stas Bekman wrote:
     Not really, you can spoof both:
     http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html

  
   --
   ___cliff [EMAIL PROTECTED]http://www.genwax.com/




Re: how to check for ssl.

2000-08-04 Thread David Mitchell

 I've got a section of our site where I want to force the user to 
 connect via ssl.
 Inside of mod_perl, is there a parameter I can grab to see whether 
 the connection is ssl or not?  Or a way to get the port number?

If there isn't a special reason otherwise, why not just put a
redirect in httpd.conf, e.g.

<VirtualHost _default_:80>
.
Redirect /secure https://www.mysite.com/secure
</VirtualHost>

Then any attempts to access something under http://www.mysite.com/secure
will get a redirect to same page but using https.





Re: how to check for ssl.

2000-08-04 Thread scotta

There is more than one section that needs to be secure and it's not 
quite as black and white as folder /secure needs to be secure.
for example.
folder /ecom/checkout needs to be secure.
folder /ecom/showcart doesn't
Scott

On 4 Aug 2000, at 10:16, David Mitchell wrote:
 <VirtualHost _default_:80>
  .
  Redirect /secure https://www.mysite.com/secure
 </VirtualHost>





[ot] Re: how to check for ssl.

2000-08-04 Thread blue

On Fri, 4 Aug 2000 [EMAIL PROTECTED] wrote:

 There is more than one section that needs to be secure and it's not 
 quite as black and white as folder /secure needs to be secure.
 for example.
 folder /ecom/checkout needs to be secure.
 folder /ecom/showcart doesn't

it is really starting to sound like the site design itself could use a
revamp. i believe the hopping back and forth between http/https is going
to generate a lot of silly warnings on the user's browser, as well.

why not just set them up for https as soon as they need it and then leave
them there?

 Scott
 
 On 4 Aug 2000, at 10:16, David Mitchell wrote:
  <VirtualHost _default_:80>
   .
   Redirect /secure https://www.mysite.com/secure
  </VirtualHost>
 
 

-- 
Blue Lang  Unix Systems Admin
QSP, Inc., 3200 Atlantic Ave, Ste 100, Raleigh, NC, 27604
Home: 919 835 1540  Work: 919 875 6994  Fax: 919 872 4015





Re: how to check for ssl.

2000-08-04 Thread Jean-Denis Girard

For some reason (probably my error), $r->get_server_port() always returns 80
although my mod_perl backend only listens to 8080 and 8443 (I use Listen
directives).
I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
instead.
Though it works, I must load one more module (Socket), which I would like to
avoid if possible...

Any idea about my mistake ?

My conf: apache-1.3.12 + mod_ssl-2.3.4  = apache-1.3.12 + mod_perl-1.24 on
linux-2.2.14

Jean-Denis Girard
http://www.esoft.pf


___cliff rayman___ a écrit :

 $port=$r->get_server_port();

 [EMAIL PROTECTED] wrote:

  Ok, so what is the PORT variable and how do I access it?

  Scott
  On 3 Aug 2000, at 22:08, Stas Bekman wrote:
   Not really, you can spoof both:
   http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
  

 --
 ___cliff [EMAIL PROTECTED]http://www.genwax.com/




Re: how to check for ssl.

2000-08-04 Thread ___cliff rayman___

try these and see what they return:

$r->server->port();
$r->parsed_uri->port();

--
___cliff [EMAIL PROTECTED]http://www.genwax.com/
Jean-Denis Girard wrote:

 For some reason (probably my error), $r->get_server_port() always returns 80
 although my mod_perl backend only listens to 8080 and 8443 (I use Listen
 directives).
 I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
 instead.
 Though it works, I must load one more module (Socket), which I would like to
 avoid if possible...

 Any idea about my mistake ?

 My conf: apache-1.3.12 + mod_ssl-2.3.4  = apache-1.3.12 + mod_perl-1.24 on
 linux-2.2.14

 Jean-Denis Girard
 http://www.esoft.pf

 ___cliff rayman___ a écrit :

  $port=$r->get_server_port();

  [EMAIL PROTECTED] wrote:

   Ok, so what is the PORT variable and how do I access it?

   Scott
   On 3 Aug 2000, at 22:08, Stas Bekman wrote:
    Not really, you can spoof both:
    http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
   
 
  --
  ___cliff [EMAIL PROTECTED]http://www.genwax.com/







how to check for ssl.

2000-08-03 Thread scotta

I've got a section of our site where I want to force the user to 
connect via ssl.
Inside of mod_perl, is there a parameter I can grab to see whether 
the connection is ssl or not?  Or a way to get the port number?

I went through the archives last night and couldn't find anything 
near this.  Am I missing something way too obvious here? I checked 
the headers_in and nothing there would even hint that it's ssl.


Scott



Re: how to check for ssl.

2000-08-03 Thread Vivek Khera

 "s" == scotta  [EMAIL PROTECTED] writes:

s> I've got a section of our site where I want to force the user to 
s> connect via ssl.
s> Inside of mod_perl, is there a parameter I can grab to see whether 
s> the connection is ssl or not?  Or a way to get the port number?

perldoc Apache

then scan for the word "port".  First line containing it is your
answer.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.Khera Communications, Inc.
Internet: [EMAIL PROTECTED]   Rockville, MD   +1-301-545-6996
GPG  MIME spoken herehttp://www.khera.org/~vivek/



Re: how to check for ssl.

2000-08-03 Thread ___cliff rayman___

use Apache::URI ();
$r->parsed_uri->scheme;

returns http or https

[EMAIL PROTECTED] wrote:

 I've got a section of our site where I want to force the user to
 connect via ssl.
 Inside of mod_perl, is there a parameter I can grab to see whether
 the connection is ssl or not?  Or a way to get the port number?

 I went through the archives last night and couldn't find anything
 near this.  Am I missing something way too obvious here? I checked
 the headers_in and nothing there would even hint that it's ssl.

 Scott

--
___cliff [EMAIL PROTECTED]http://www.genwax.com/





Re: how to check for ssl.

2000-08-03 Thread Stas Bekman

On Thu, 3 Aug 2000, ___cliff rayman___ wrote:

 use Apache::URI ();
 $r->parsed_uri->scheme;
 
 returns http or https

Not really, you can spoof both:
http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
 


 [EMAIL PROTECTED] wrote:
 
  I've got a section of our site where I want to force the user to
  connect via ssl.
  Inside of mod_perl, is there a parameter I can grab to see whether
  the connection is ssl or not?  Or a way to get the port number?
 
  I went through the archives last night and couldn't find anything
  near this.  Am I missing something way too obvious here? I checked
  the headers_in and nothing there would even hint that it's ssl.
 
  Scott
 
 --
 ___cliff [EMAIL PROTECTED]http://www.genwax.com/
 
 
 



_
Stas Bekman  JAm_pH --   Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://perl.org http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org






Re: how to check for ssl.

2000-08-03 Thread Philip Mak

On Thu, 3 Aug 2000, Stas Bekman wrote:

  use Apache::URI ();
  $r->parsed_uri->scheme;
  
  returns http or https
 
 Not really, you can spoof both:

Does the user have to spoof it deliberately in order for the wrong one to
be detected?

If spoofing requires the user to do it on purpose, then in this case the
$r->parsed_uri->scheme should be sufficient. The other method (putting
HTTPS on a different port and using mod_rewrite to make it transparent) is
better of course, but in case you can't do it for some reason, I think
this will work too.

They don't gain anything by spoofing http/https deliberately; it just
makes their connection not secure.

-Philip Mak ([EMAIL PROTECTED])




[Mason]Re: how to check for ssl.

2000-08-03 Thread Tim Bishop



On Thu, 3 Aug 2000, Stas Bekman wrote:

 On Thu, 3 Aug 2000, ___cliff rayman___ wrote:
 
  use Apache::URI ();
  $r->parsed_uri->scheme;
  
  returns http or https
 
 Not really, you can spoof both:
 http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
  
  [EMAIL PROTECTED] wrote:
  
   I've got a section of our site where I want to force the user to
   connect via ssl.
   Inside of mod_perl, is there a parameter I can grab to see whether
   the connection is ssl or not?  Or a way to get the port number?
  
   Scott

I had the same problem recently, where the mod_perl backend server did not
know what was happening on the front end with respect to SSL.  I solved it
in a way that is flexible, but perhaps overkill:

I patched mod_headers.c on the frontend server to allow one to attach
extra headers to requests when they are proxied to the backend.  This
allows you to stuff info in headers about SSL, or the remote-ip, etc.  
You can specify headers to set with the same substitution syntax as
RewriteRule

(The patch is attached)

example:

On the front-end server:
( cd apache_1.3.12 ; patch -p1 < ProxyHeaderRewrite.p2.patch ; make install)

in httpd.conf:
# tell upstream server the ip of the request, and pass along the Host
ProxyHeaderRewrite append X-Forwarded-For  "%{REMOTE_ADDR}" 
ProxyHeaderRewrite append X-Frontend-Host  "%{HTTP_HOST}"
# tell upstream server info on SSL status
<VirtualHost _default_:443>
SSLOptions StdEnvVars
ProxyHeaderRewrite append X-SSL-Cipher "%{ENV:SSL_PROTOCOL} %{ENV:SSL_CIPHER}"
</VirtualHost>
# tell upstream server the virtual host used
ProxyHeaderRewrite append X-Frontend-Host "%{HTTP:Host}"



Now, for a typical SSL request that is proxied to the back end (as
plaintext), these headers are added: 
X-Forwarded-For: 1.2.3.4
X-Frontend-Host: my.frontend.site.com
X-SSL-Cipher: SSLv3 IDEA



On the backend server, parse the headers with some little perl handler in
startup.pl, and stuff the info where most other modules expect it (in $r,
or in environment vars):

use Apache::Constants qw(OK);

sub My::ProxyHeaderParse ($) {
    my $r = shift;

    # we'll only look at the X-Forwarded-For header if the request
    # comes from our local network
    return OK unless ($r->connection->remote_ip =~ /^192\.168/);

    # the last element of X-Forwarded-For is the one our front end appended
    if (my ($ip) = $r->header_in('X-Forwarded-For') =~ /([^,\s]+)$/) {
        $r->connection->remote_ip($ip);
    }

    # mv X-Frontend-Host: into Host: header
    my $host_header = $r->header_in('X-Frontend-Host');
    if ( defined($host_header) ) {
        $r->header_in('Host', $host_header);
    }

    # set up ssl env vars, if present in a X-SSL-Cipher header
    my $ssl_header = $r->header_in('X-SSL-Cipher');
    if ( defined($ssl_header) ) {
        ($ENV{SSL_PROTOCOL}, $ENV{SSL_CIPHER}) = split(/ /, $ssl_header);
        $ENV{HTTPS} = 'ON';  # CGI.pm:protocol() require 'ON'  (not 1 !)
    }

    return OK;
}

# called in httpd.conf
#  PerlPostReadRequestHandler My::ProxyHeaderParse



--- apache_1.3.12.dist/src/modules/standard/mod_headers.c   Wed Oct 27 02:26:53 
1999
+++ apache_1.3.12/src/modules/standard/mod_headers.cThu Jul 13 16:53:11 2000
@@ -99,9 +99,52 @@
  *  To remove a header:
  * Header unset Author
  *
+ *
+ * Non-standard Additions:
+ *
+ *Most code is from mod_rewrite, by
+ * Ralf S. Engelschall
+ * [EMAIL PROTECTED]
+ *Assembled by Tim Bishop [EMAIL PROTECTED]
+ *
+ *
+ * HeaderRewrite  (set headers to client using RewriteCond syntax)
+ * 
+ * Syntax: HeaderRewrite action header rewriteValue
+ *  
+ * This works the same as the header directive, except that full
+ * mod_rewrite RewriteCond interpolation is performed on the rewriteValue
+ * string.  See http://www.apache.org/docs/mod/mod_rewrite.html#RewriteCond
+ * (Of course, back-references (%N, $N) have no meaning)
+ *
+ * 
+ * ProxyHeaderRewrite (set headers sent to upstream servers (if proxying))
+ *
+ * Syntax:  ProxyHeaderRewrite action header rewriteValue
+ *
+ * ProxyHeaderRewrite allows you to rewrite headers sent to upstream
+ * servers when your server is functioning as a proxy server.
+ * This is useful when you want to send additional header information
+ * to upstream servers.
+ *
+ * Bugs:  Cannot rewrite the Host header with ProxyHeaderRewrite
+ *
+ * Examples:
+ *  
+ *# tell upstream server the ip of the request
+ *ProxyHeaderRewrite append X-Forwarded-For  "%{REMOTE_ADDR}" 
+ *# tell upstream server info on SSL status
+ *VirtualHost _default_:443
+ *SSLOptions StdEnvVars
+ *ProxyHeaderRewrite append X-SSL-Cipher "%{ENV:SSL_PROTOCOL} 
+%{ENV:SSL_CIPHER}"
+ */VirtualHost
+ *# tell upstream server the virtual host used
+ *ProxyHeaderRewrite append X-Frontend-Host "%{HTTP:Host}"
+ *
  */
 
 #include "httpd.h"
+#include "http_log.h"
 #include "http_config.h"
 
 typedef enum {
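Review bot: The X-SSL-Cipher example in the new header comment is set only inside the _default_:443 vhost and only with append, so a request that reaches the proxy on a non-SSL vhost is forwarded with whatever X-SSL-Cipher or X-Forwarded-For the client itself sent, and, if append behaves as it does for Header, the client's value also stays in front of the proxy's on the SSL side. The comment should state that a backend may rely on these headers only when the front end removes or overwrites the client's copy first (for example an unset of X-SSL-Cipher outside the SSL vhost), and should list which actions ProxyHeaderRewrite accepts, since only append is shown. The Examples block is also line-wrapped at the X-SSL-Cipher line, leaving a + line that sits outside the comment's " * " prefix.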
@@ -111,12 

Re: how to check for ssl.

2000-08-03 Thread scotta

Ok, so what is the PORT variable and how do I access it?

Scott
On 3 Aug 2000, at 22:08, Stas Bekman wrote:
 Not really, you can spoof both:
 http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
 





Re: how to check for ssl.

2000-08-03 Thread ___cliff rayman___

$port=$r->get_server_port();

[EMAIL PROTECTED] wrote:

 Ok, so what is the PORT variable and how do I access it?

 Scott
 On 3 Aug 2000, at 22:08, Stas Bekman wrote:
  Not really, you can spoof both:
  http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
 

--
___cliff [EMAIL PROTECTED]http://www.genwax.com/





Re: how to check for ssl.

2000-08-03 Thread Stas Bekman

On Thu, 3 Aug 2000, Philip Mak wrote:

 On Thu, 3 Aug 2000, Stas Bekman wrote:
 
   use Apache::URI ();
   $r->parsed_uri->scheme;
   
   returns http or https
  
  Not really, you can spoof both:
 
 Does the user have to spoof it deliberately in order for the wrong one to
 be detected?
 
 If spoofing requires the user to do it on purpose, then in this case the
 $r->parsed_uri->scheme should be sufficient. The other method (putting
 HTTPS on a different port and using mod_rewrite to make it transparent) is
 better of course, but in case you can't do it for some reason, I think
 this will work too.
 
 They don't gain anything by spoofing http/https deliberately; it just
 makes their connection not secure.

Not really. Of course this is not a thing that happens to you every day, but
someone can intercept the connection and spoof it to the server as secure,
while in fact Eve (the interceptor's name that is usually used in crypto
docs, next to Alice and Bob) intercepts all the connections, making the
user submit information in an insecure way. Think about banking... So
checking for the scheme would be OK in 99.9% of cases, if you don't care
about the one that might be spoofed.


_
Stas Bekman  JAm_pH --   Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://perl.org http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org
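
The header hand-off Tim Bishop describes, and the spoofing concern Stas Bekman raises, modelled as a stand-alone Perl script. This is an added example, not code from the thread or the patch. The proxy address, the sample request and the `frontend_overwrite` behaviour (which assumes ProxyHeaderRewrite accepts set/unset actions the way Header does) are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a pure-Perl model of the front end
# and back end, showing when the back end can believe X-SSL-Cipher.
use strict;
use warnings;

my $FRONTEND_IP = '192.168.0.10';    # assumption: address of the one trusted proxy

# Front end as configured in the message: "append" on the :443 vhost only.
# A header the client sent is kept; the proxy's value goes after a comma.
sub frontend_append_only {
    my ($port, %h) = @_;
    if ($port == 443) {
        my $old = $h{'X-SSL-Cipher'};
        $h{'X-SSL-Cipher'} = defined $old ? "$old, SSLv3 IDEA" : 'SSLv3 IDEA';
    }
    return %h;
}

# Hardened variant (assumes the directive's "action" accepts set/unset like
# Header): the client's copy is always dropped before the proxy adds its own.
sub frontend_overwrite {
    my ($port, %h) = @_;
    delete $h{'X-SSL-Cipher'};
    $h{'X-SSL-Cipher'} = 'SSLv3 IDEA' if $port == 443;
    return %h;
}

# Back end: believe the header only when the TCP peer is the front end.
sub backend_sees_https {
    my ($peer_ip, %h) = @_;
    return 0 unless $peer_ip eq $FRONTEND_IP;
    return defined $h{'X-SSL-Cipher'} ? 1 : 0;
}

# Constructed request: plain HTTP on port 80 carrying a client-written header.
my %forged = ('Host' => 'www.mysite.com', 'X-SSL-Cipher' => 'SSLv3 IDEA');

my @cases = (
    [ 'append-only front end, port 80',  $FRONTEND_IP,  frontend_append_only(80, %forged) ],
    [ 'overwriting front end, port 80',  $FRONTEND_IP,  frontend_overwrite(80, %forged) ],
    [ 'overwriting front end, port 443', $FRONTEND_IP,  frontend_overwrite(443, %forged) ],
    [ 'direct hit on back end',          '203.0.113.7', %forged ],
);
for my $c (@cases) {
    my ($label, $peer, %h) = @$c;
    printf "%-33s https=%d\n", $label, backend_sees_https($peer, %h);
}
```

The first case reports HTTPS for a request that arrived over plain HTTP, because the peer-address check on the back end cannot tell a proxy-written header from one the proxy merely passed through. Only the overwriting front end makes that check meaningful.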