From owner-freebsd-isp  Mon May 15 14:44:49 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from rock.ghis.net (rock.ghis.net [209.222.164.7])
	by hub.freebsd.org (Postfix) with ESMTP id EC75237B59C
	for <freebsd-isp@FreeBSD.ORG>; Mon, 15 May 2000 14:44:45 -0700 (PDT)
	(envelope-from will@blackdawn.com)
Received: from argon.blackdawn.com ([209.69.76.105])
	by rock.ghis.net (8.9.3/8.9.3) with ESMTP id OAA74190;
	Mon, 15 May 2000 14:44:41 -0700 (PDT)
Received: by argon.blackdawn.com (Postfix, from userid 1000)
	id A93F6194D; Mon, 15 May 2000 17:44:17 -0400 (EDT)
Date: Mon, 15 May 2000 17:44:17 -0400
From: Will Andrews <andrews@technologist.com>
To: Steve Price <sprice@hiwaay.net>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: apache SSL question
Message-ID: <20000515174417.B96150@argon.blackdawn.com>
References: <Pine.OSF.4.21.0005151526200.11024-100000@fly.HiWAAY.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <Pine.OSF.4.21.0005151526200.11024-100000@fly.HiWAAY.net>; from sprice@hiwaay.net on Mon, May 15, 2000 at 04:12:14PM -0500
X-Operating-System: FreeBSD 5.0-CURRENT i386
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 15, 2000 at 04:12:14PM -0500, Steve Price wrote:
> I'm trying to rewrite URLs for a secure area of my website.
> In essence if a user tries to access the following URL
> 
> 	http://www.mymachine.dom/secure/index.html
> 
> then it will be rewritten as this.
> 
> 	https://www.mymachine.dom/secure/index.html
> 
> Here's what I have in apache.conf.
> 
> <IfDefine SSL>
> <Directory /usr/local/share/apache/htdocs/secure>
> RewriteEngine	On
> RewriteCond	%{HTTPS} !=on
> RewriteRule	^(.*)	https://%{HTTP_HOST}/secure/$1	[R]
> </Directory>
> </IfDefine>
> 
> This appears to work.  However I'd like to get a second opinion
> on whether this is a good idea.  Is there a better way?

This should work, but you need to make sure that you don't allow this
sort of thing for ALL of the data under
/usr/local/share/apache/htdocs/secure, but only the data that can be
transferred unencrypted (which is what will happen since you send a
http:// request first, then it redirects you to https://). Hopefully
that can be restricted to ``index.html'' and other files.

Later,
-- 
Will Andrews <andrews@technologist.com>
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ 
G++>+++ e->++++ h! r-->+++ y?


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message