[imp] Running IMP on the internet

Eric Rostetter eric.rostetter@physics.utexas.edu
Fri, 24 May 2002 11:15:19 -0500


Quoting Kevin Saenz <ksaenz@citistreet.com.au>:

> Ok do you have a quick and dirty how to setup horde and imp on
> https only?

No, but I'll summarize here (and post to the list) what I do in general
terms.
 
> Mainly the users that we have would have IE-5.5

Should be fine, unless you have Mac IE users and they like the "back" button.
The Mac IE versions won't work with forms (posts) on ssl connections (they
will use GET instead of POST when you hit the back button on an ssl page).
This can cause lots of unexpected behaviour when the back button is used.
The solution, which works well with Horde/IMP, is to not use the back button.

So, first you need a web server that supports ssl.  I use apache with 
ssl (mod_ssl) support.  In the apache config file, I tell it to listen to both
port 80 and 443.  I've done this with both a self-signed certificate, and
now with a real cert from thawte, and had no trouble either way.

I make everything use SSL with stanzas like:

<Directory />
    SSLRequireSSL
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>

Pretty much any time I see a block like <Directory> or <Location> or
whatever, I add the SSLRequireSSL tag just to be sure, and to document
things.  This may not work if you want non-ssl stuff on the same server.
But for me, I make everything on the server be ssl, no exceptions.

Anything that comes to port 80 I redirect to port 443 with the following
code.  I do this so users can type http:// and it will redirect them 
to https:// so they don't have to learn the right way to do things:

# Anything that arrived on the plain-HTTP port goes to the same path on the
# https:// server.  R forces an external redirect, L stops further rules.
RewriteEngine on
RewriteCond     %{SERVER_PORT}  ^80$
RewriteRule     ^(.+)   https://mail.ph.utexas.edu$1    [R,L]

This works for my simple case.  If you wanted a more complex setup, you
could do it with a :80 virtual host instead, something like:

<VirtualHost 128.83.155.21:80>
  # plain-HTTP side only; nothing is served here, everything is redirected
  SSLDisable
  ServerName mail1.ph.utexas.edu
  RewriteEngine On
  # mod_rewrite variables are written %{...}; IE and Mozilla 5.x get the
  # explicit :443 form of the URL, everyone else the plain https:// root
  RewriteCond %{HTTP_USER_AGENT}        MSIE
  RewriteRule ^/(.*)    https://mail1.ph.utexas.edu:443/$1    [R,L]
  RewriteCond %{HTTP_USER_AGENT}        Mozilla.5
  RewriteRule ^/(.*)    https://mail1.ph.utexas.edu:443/$1    [R,L]
  Redirect      /       https://mail1.ph.utexas.edu/
</VirtualHost>

The basic idea of the above is to get the url showing in the Location: box
of the browser to look right.  Minor detail, but to some that is important.
(This could affect not only the Location box, but also history, bookmarks,
headers on printouts, etc.  Anywhere the URL is used).

In my 443 virtual host setup for ssl, I also include the following which
fixes a lot of problems with IE in general:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

If you are having trouble, you might also try adding:

  SSLProtocol all -SSLv3
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Which clears up some errors on some browsers on some platforms (I think
I've used the above for problems with Mac MS IE before -- some Macs couldn't
pull up the pages with MS IE 5.x unless I added the above).

In horde/config/horde.php I set the use_ssl variable to always use ssl:

$conf['use_ssl'] = 1;

Though it seems to work without that, I figure it can't hurt.

That's all I do really.

There is one "problem" with this.  If you are reading an email with embedded
<img> tags that reference http:// (not https://) urls, then what happens
depends on the browser and version.  On older browsers, this usually results
in the "broken image" graphic showing up.  This is, I think, the correct
behaviour.  In most MS IE browsers though, it will show the img instead.
And in mozilla, and the very latest netscapes, it will also show the images.
So it all depends on browser and version.  I think the correct action is
the old one (broken image and a warning about mixing secure and non-secure
content) but the trend in all the browsers seems to be towards the new
behaviour of accepting the image without a warning.  Some browsers are
in between (accept image, but issue a warning).  While I prefer the old
way, almost 100% of my users prefer the new way.  So...

Other than that, it works without problem.  I've not had one single complaint
from my Horde/IMP/etc. users about server/ssl problems.

Hope that helps someone!

-- 
Eric Rostetter
eric.rostetter@physics.utexas.edu

Hey Rocky!  Watch me pull a rabbit from my hat!
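The mixed-content problem described in the post (an https:// webmail page rendering a message whose <img> tags point at http:// URLs) can also be caught on the server before the message is shown. The following is an added example, not code from the original post or from Horde/IMP; the tag/attribute table, the placeholder URL and the sample message are constructed assumptions.

```python
"""Find and neutralise mixed content (http:// sub-resources) in an HTML mail
body before a webmail page served over https:// renders it (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes the browser fetches as a sub-resource; a plain <a href="http://...">
# is navigation, not mixed content, so "a" is deliberately absent.
FETCH_ATTRS = {"img": ("src",), "script": ("src",), "iframe": ("src",),
               "link": ("href",), "object": ("data",), "video": ("src", "poster")}
PLACEHOLDER = "about:blank"  # inert replacement for a blocked cleartext URL

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attr, url, raw start tag text)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            # urlsplit lowercases the scheme, so HTTP:// is caught as well
            if (attr in FETCH_ATTRS.get(tag, ()) and value
                    and urlsplit(value.strip()).scheme == "http"):
                self.findings.append((tag, attr, value, self.get_starttag_text()))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def find_mixed_content(html):
    """Return [(tag, attr, url), ...] for every cleartext sub-resource in html."""
    return [(tag, attr, url) for tag, attr, url, _ in scan(html)]

def block_mixed_content(html):
    """Rewrite each offending URL to PLACEHOLDER; return (new_html, count)."""
    findings = scan(html)
    for _tag, _attr, url, raw in findings:
        # the parser unescapes entities: if the literal URL is not in the raw tag
        # text, drop the whole tag rather than leave the cleartext fetch in place
        fixed = raw.replace(url, PLACEHOLDER, 1) if url in raw else "<!-- blocked -->"
        html = html.replace(raw, fixed)
    return html, len(findings)

# Constructed sample: the tracking pixel and the script over http:// must be
# caught; the https:// image and the plain http:// link must be left alone.
SAMPLE_MESSAGE = ('<p>Your statement is ready.</p>'
                  '<img src="http://tracker.example.net/pixel.gif" width="1" height="1">'
                  '<img src="https://cdn.example.net/logo.png" alt="logo">'
                  '<a href="http://www.example.net/">plain link</a>'
                  '<script src="HTTP://assets.example.net/x.js"></script>')
```

Calling `block_mixed_content(SAMPLE_MESSAGE)` returns the message with both cleartext references replaced and a count of 2; run on a real message body it should be applied after any other HTML sanitising the webmail already does.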