sieger...@gmail.com wrote:
Hi Folks
- I am a squat on advanced Apache work. I would get a basic SSL
functionality to work.
So https://foobar.com works fine and gets me all the login windows I
designed. however currently all the images and other extensions like .pdf
are also using the https routing.
some image referred on that https link
e.g. https://foobar.com/loginhere.jpeg c
can be displayed using https but not http
I would like to JUST limit https usage to the login window html and ALL
other images pdf's not secured html ( one that do not need password ) should
use HTTP NOT HTTPS
What I cannot really find ( and Apache modules make a graduate course , as I
am realizing with all the futile digging in ) is HOW do I tell apache that
if you find an image file ( .jpeg or .pdf ) if it comes to https convert all
that into http .Has that something to do with rewrite or redirect modules .
I think there is something basic which you should understand first :
Apache does not "decide" to send this or that via HTTPS.
Apache responds to a request from the browser. If the browser requests
an object with a https://.. URL, then Apache will respond that way. If
the browser requests an object using a http://... URL, then Apache will
respond that way.
In other words, you have to make sure, in the pages *you* send back to
the browser, that the links, from the browser point of view, evaluate to
"http://.." and not "https://..".
Let me give you a simplified example.
1) The browser initially requests a page from the server, using (e.g.) a
URL like
https://server.mycompany.com/login-page.html
That means that this browser is
a) setting up a https connection to "server.mycompany.com"
b) on that connection, sending a request for host
"server.mycompany.com" and page "/login-page.html"
2) the server sends back the page, on the same https connection.
(Note that the connection is the one initiated by the browser. The
server never initiates a connection to the browser. It just responds on
the same connection which the browser has set up).
3) in that page, are links like :
<img src="/images/myimage.gif">
4) the browser is going to "evaluate" these URLs, make them into "full"
URLs, and then send new requests for those objects to the server.
In this case, the browser see that the URL is missing a protocol and a
servername, so it will add them first.
What will it add ?
It will take the protocol and the servername from which this page
(login-page) has "arrived". In other words, *the browser* here will take
the URL "/images/myimage.gif", and add the protocol and the server, to give
"https://server.mycompany.com/images/myimage.gif", and then *the
browser* will requests this URL from the server.
5) the server gets this request and answers appropriately.
If, instead, the links to the images, in the page login-page.html, had
been like
<img src="http://myserver.company.com/images/myimage.gif">
then the browser would request this image on a non-https channel, and
the server would respond on that non-https channel.
In other words, what happens is basically your problem, not Apache's.
The above is the simple way.
There are other, less efficient ways.
You can arrange, at the server level, that when it receives a request
for "https://server.company.com/images/something", it would *send a
REDIRECT response* to the browser, telling the browser essentially :
hey, that's the wrong address for that thing, please use this one instead.
That is called a 301 response, and you can do that with mod_rewrite.
The browser, when it receives this message, will then automatically
initiate a *new connection* with the server, and re-request the same
object using the URL which the 301 Apache response contained.
But consider that it is always less efficient than sending the correct
link in the page in the first place, because you need a first request to
the server, a server response, then a new request from the browser to
the server before you get your image.
What Apache cannot do, at level (5) above, in the middle of the
conversation, is decide to change the protocol of the connection from
HTTPS to HTTP. That would break the existing connection. And how would
the browser know that it suddenly is going to receive a response on a
new connection, set up by the server ?
That is not how HTTP works.
And that is also why you do not find anything that replies to your
question in the Apache documentation or code : because, from a HTTP
protocol point of view, it does not make any sense, so it's just not there.
Yes ?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org