[imp] Running IMP on the internet
eltonic40@ecotech.com.lr
Sat, 25 May 2002 10:51:32 +0000
Eric,
But doesn't keeping SSL always on burn out? I have an SSL enabled Apache Web
Server and give SSL and non-SSL access to IMP. I realize that when using SSL,
after a while of transactions, I get PAGE CAN'T BE DISPLAYED! However when I
use non-SSL access, I don't get this error!
How about putting up SSL access on the login and leaving the rest non-SSL?
eltonic40
Quoting Eric Rostetter <eric.rostetter@physics.utexas.edu>:
> Quoting Kevin Saenz <ksaenz@citistreet.com.au>:
>
> > Ok do you have a quick and dirty how to setup horde and imp on
> > https only?
>
> No, but I'll summarize here (and post to the list) what I do in general
> terms.
>
> > Mainly the users that we have would have IE-5.5
>
> Should be fine, unless you have Mac IE users and they like the "back"
> button. The Mac IE versions won't work with forms (posts) on ssl
> connections (they will use GET instead of POST when you hit the back
> button on an ssl page). This can cause lots of unexpected behaviour when
> the back button is used. The solution, which works well with Horde/IMP,
> is to not use the back button.
>
> So, first you need a web server that supports ssl. I use apache with
> ssl (mod_ssl) support. In the apache config file, I tell it to listen to
> both port 80 and 443. I've done this with both a self-signed certificate,
> and now with a real cert from thawte, and had no trouble either way.
>
> I make everything use SSL with stanzas like:
>
> <Directory />
> SSLRequireSSL
> Options SymLinksIfOwnerMatch
> AllowOverride None
> </Directory>
>
> Pretty much any time I see a block like <Directory> or <Location> or
> whatever, I add the SSLRequireSSL tag just to be sure, and to document
> things. This may not work if you want non-ssl stuff on the same server.
> But for me, I make everything on the server be ssl, no exceptions.
>
> Anything that comes to port 80 I redirect to port 443 with the following
> code. I do this so users can type http:// and it will redirect them
> to https:// so they don't have to learn the right way to do things:
>
> RewriteEngine on
> RewriteCond %{SERVER_PORT} ^80$
> RewriteRule ^(.+) https://mail.ph.utexas.edu$1
>
> This works for my simple case. If you wanted a more complex setup, you
> could do it with a :80 virtual host instead, something like:
>
> <VirtualHost 128.83.155.21:80>
> SSLDisable
> ServerName mail1.ph.utexas.edu
> RewriteEngine On
> RewriteCond %{HTTP_USER_AGENT} MSIE
> RewriteRule ^/(.*) https://mail1.ph.utexas.edu:443/$1 [L]
> RewriteCond %{HTTP_USER_AGENT} Mozilla.5
> RewriteRule ^/(.*) https://mail1.ph.utexas.edu:443/$1 [L]
> Redirect / https://mail1.ph.utexas.edu/
> </VirtualHost>
>
> The basic idea of the above is to get the url showing in the Location: box
> of the browser to look right. Minor detail, but to some that is important.
> (This could affect not only the Location box, but also history, bookmarks,
> headers on printouts, etc. Anywhere the URL is used).
>
> In my 443 virtual host setup for ssl, I also include the following which
> fixes a lot of problems with IE in general:
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>
> If you are having trouble, you might also try adding:
>
> SSLProtocol all -SSLv3
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> Which clears up some errors on some browsers on some platforms (I think
> I've used the above for problems with Mac MS IE before -- some Macs couldn't
> pull up the pages with MS IE 5.x unless I added the above).
>
> In horde/config/horde.php I set the use_ssl variable to always use ssl:
>
> $conf['use_ssl'] = 1;
>
> Though it seems to work without that, I figure it can't hurt.
>
> That's all I do really.
>
> There is one "problem" with this. If you are reading an email with embedded
> <img> tags that reference http:// (not https://) urls, then what happens
> depends on the browser and version. On older browsers, this usually results
> in the "broken image" graphic showing up. This is, I think, the correct
> behaviour. In most MS IE browsers though, it will show the img instead.
> And in mozilla, and the very latest netscapes, it will also show the images.
> So it all depends on browser and version. I think the correct action is
> the old one (broken image and a warning about mixing secure and non-secure
> content) but the trend in all the browsers seems to be towards the new
> behaviour of accepting the image without a warning. Some browsers are
> in between (accept image, but issue a warning). While I prefer the old
> way, almost 100% of my users prefer the new way. So...
>
> Other than that, it works without problem. I've not had one single
> complaint from my Horde/IMP/etc. users about server/ssl problems.
>
> Hope that helps someone!
>
> --
> Eric Rostetter
> eric.rostetter@physics.utexas.edu
>
> Hey Rocky! Watch me pull a rabbit from my hat!
>
> --
> IMP mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe@lists.horde.org
>
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
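
An added example, not part of the original thread: a small Python audit for the convention Eric describes (an explicit `SSLRequireSSL` in every `<Directory>`/`<Location>` block), which also flags `RewriteCond` lines written as `%(VAR)` instead of mod_rewrite's `%{VAR}`. The sample config, its host name and its address are constructed, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample config, modelled on the stanzas quoted in the thread.
SAMPLE_CONF = """\
<Directory />
    SSLRequireSSL
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
<Directory /var/www/horde>
    Options None
</Directory>
<VirtualHost 192.0.2.10:80>
    RewriteEngine On
    RewriteCond %(HTTP_USER_AGENT) MSIE
    RewriteRule ^/(.*) https://mail.example.org/$1 [L]
</VirtualHost>
<Location /horde/imp>
    SSLRequireSSL
</Location>
"""

# Access-control containers that should carry the directive explicitly.
OPEN = re.compile(r"<(Directory|Location|Files)(Match)?\b[^>]*>", re.I)
CLOSE = re.compile(r"</(Directory|Location|Files)(Match)?>", re.I)

def audit(conf):
    """Return (line_no, message) findings for an Apache config string."""
    findings, stack = [], []  # stack entries: [start_line, label, has_directive]
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if OPEN.match(line):
            stack.append([no, line, False])
        elif CLOSE.match(line) and stack:
            start, label, ok = stack.pop()
            if not ok:
                findings.append((start, f"{label} has no SSLRequireSSL"))
        elif line.lower().startswith("sslrequiressl") and stack:
            stack[-1][2] = True  # innermost open block is covered
        elif re.match(r"RewriteCond\s+%\(", line, re.I):
            findings.append((no, "RewriteCond uses %(VAR); expected %{VAR}"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```
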