Implementing HTTPS-Only Sitewide

On 5 September 2012 07:32, Carla Schroder <carla bratgrrl.com> wrote:

> howdy techtalkers,
>
> I need to figure out the best way to implement HTTPS for a client's site, and
> it's driving me buggy. It's Drupal 7 on Apache on CentOS 6. We have an SSL
> cert already installed. The problem I'm struggling with is how to
> implement it in a way that doesn't get in the way of site visitors; I have actually
> seen suggestions to force HTTPS only by closing port 80, and to serve up an
> error page for all HTTP requests that tells the user to type HTTPS. That is
> definitely not an option; it must be handled by the server.
>
> I'm thinking the cleanest way, from the perspective of site visitors, is to
> redirect all HTTP requests to HTTPS. Just force HTTPS sitewide. Then I
> don't have to worry about accidentally missing a page or a form. So how do I do
> this? In Apache? Drupal? I've seen many different suggestions, and most of
> them look bizarre, and it seems odd that something this important is so poorly-
> documented. So help plz.
>
> thanks in advance,
>
> Carla
>
> btw I am developing great dislike for CPanel and other "helpful" frontends.
> They make a gawdawful mess sometimes!
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Carla Schroder
> ace Linux nerd
> author of Linux Cookbook,
> Linux Networking Cookbook,
> Book of Audacity
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> _______________________________________________
> Techtalk mailing list
> Techtalk linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
>

I have a private webserver set up with Ubuntu and Apache2.
I do pretty much what you're asking (I think). This is how I do it:

I have this bit added to /etc/apache2/sites-available/default

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    # Any request that did not arrive over TLS is sent to the same URL on https://
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Directory>

This redirects all requests to Https.

-Veronica

Hi,

To redirect the entire site, you could use a redirect

Redirect permanent / https://subdomain.domain.com/

However, SSL can be slow so I wouldn't run an entire site over SSL unless it was necessary or had low traffic.

On my server, I create the following rules for redirecting admin areas to https
(the paths and file structure are Ubuntu-based so YMMV since the default Apache layout is different from other distros)

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.

    Listen 443
    NameVirtualHost *:443
    SSLStrictSNIVHostCheck on
</IfModule>

In my VirtualHost configuration, I've got the following

<VirtualHost *:443>
    DocumentRoot /var/www/domain/dev
    ServerName dev.domain.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/crt/domain.crt
    SSLCertificateKeyFile /etc/ssl/crt/domain.key

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Paths outside /admin/ match here and chain into the next rule;
        # paths under /admin/ do not match, so the chained rule is skipped
        RewriteRule !^/admin/(.*) - [C]
        # ... and are redirected back to the plain-HTTP site, keeping the query string
        RewriteRule ^/(.*) http://www.mysite.com/$1 [R,QSA,L]
    </IfModule>
</VirtualHost>

hope that helps
chris
chris.madrone gmail.com

Which reminds me to point out that if you do URL rewriting at the
application level you should make sure your server never sets cookies
over a non-secure connection, and that it sets the secure attribute on
cookies so that a browser connecting over HTTP will not transmit the
cookie in cleartext. Even if you use HTTPS only, you might still be
leaking if you don't do that.

regards,
Wim
Wim De Smet <kromagg gmail.com>


On Mon, Sep 10, 2012 at 10:25 PM,  <adric adric.net> wrote:
> On 09/05/2012 08:47 PM, chris wrote:
> > Hi,
> > To redirect the entire site, you could use a redirect
> >
> > Redirect permanent / https://subdomain.domain.com/
> >
> > However, SSL can be slow so I wouldn't run an entire site over SSL unless it was
> > necessary or had low traffic.
> > [snip apache configs]
> > hope that helps
> > chris
>
> This is a good idea for performance and sanity but there are
> security concerns to having HTTP and HTTPS content on the
> same site.  Last year's BEAST attack tool takes
> advantage of that, for instance, and there are some
> cross-site scripting, session stealing, and other
> malfeasance made easier by having secure and insecure
> content both.
>
> Security experts have been urging the big site providers to go
> all-SSL for some time and they are reluctantly following this advice
> after the hullabaloo over Firesheep. Google has been big on
> pushing ahead with this.
>
> BEAST: http://vnhacker.blogspot.com/2011/09/beast.html (links about
>   BEAST abound, no ref to HTTP usage in any..)
> Firesheep: http://codebutler.com/firesheep?c=1 (home page)
> Google blog:
> http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html
>
> hth,
> adric
>
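As an added example (not code from any of the thread's authors), the Python below audits captured response headers for the two properties the replies call for: the plain-HTTP side must answer with a redirect to the same URL on HTTPS, and the HTTPS side must issue its cookies with the Secure attribute (a missing HttpOnly is flagged as well). The sample responses, hostnames and cookie names are constructed placeholders so the script runs offline.

```python
# Added example (not from the thread): offline checks for an HTTP->HTTPS redirect
# and for the Secure attribute on cookies. Samples are constructed stand-ins for
# the header block `curl -si` would print.
from typing import List, Tuple

def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP response head into (status, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def check_redirect(raw: str, host: str, path: str) -> List[str]:
    """Findings for the plain-HTTP response to http://host/path."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308):
        return [f"expected a redirect, got status {status}"]
    findings = []
    location = dict(headers).get("location")
    if location != f"https://{host}{path}":
        findings.append(f"Location {location!r} != https://{host}{path}")
    for name, value in headers:  # any cookie here went out in cleartext
        if name == "set-cookie":
            findings.append(f"cookie set over plain HTTP: {value.split('=')[0]}")
    return findings

def check_cookies(raw: str) -> List[str]:
    """Findings for Set-Cookie headers in an HTTPS response (Wim's point)."""
    _, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly")
    return findings

# Constructed samples: a correct redirect, and a session cookie issued without Secure.
GOOD_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/user/login\r\n\r\n"
BAD_COOKIES = "HTTP/1.1 200 OK\r\nSet-Cookie: SESSabc=123; path=/; HttpOnly\r\n\r\n"
```

Feed it the header block of a real `curl -si http://host/path` and `curl -si https://host/path` to check a deployment like the ones above.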