[imp] Running IMP on the internet

eltonic40@ecotech.com.lr eltonic40@ecotech.com.lr
Sat, 25 May 2002 10:51:32 +0000


Eric,

But doesn't keeping SSL always on burn out? I have an SSL enabled Apache Web 
Server and give SSL and non-SSL access to IMP. I realize that when using SSL, 
after a while of transactions, I get PAGE CAN'T BE DISPLAYED! However when I 
use non-SSL access, I don't get this error!

How about putting up SSL access on the login and leaving the rest non-SSL?

eltonic40


Quoting Eric Rostetter <eric.rostetter@physics.utexas.edu>:

> Quoting Kevin Saenz <ksaenz@citistreet.com.au>:
> 
> > Ok do you have a quick and dirty how to setup horde and imp on
> > https only?
> 
> No, but I'll summarize here (and post to the list) what I do in general
> terms.
>  
> > Mainly the users that we have would have IE-5.5
> 
> Should be fine, unless you have Mac IE users and they like the "back"
> button.
> The Mac IE versions won't work with forms (posts) on ssl connections (they
> will use GET instead of POST when you hit the back button on an ssl page).
> This can cause lots of unexpected behaviour when the back button is used.
> The solution, which works well with Horde/IMP, is to not use the back
> button.
> 
> So, first you need a web server that supports ssl.  I use apache with 
> ssl (mod_ssl) support.  In the apache config file, I tell it to listen to
> both
> port 80 and 443.  I've done this with both a self-signed certificate, and
> now with a real cert from thawte, and had no trouble either way.
> 
> I make everything use SSL with stanzas like:
> 
> <Directory />
>     SSLRequireSSL
>     Options SymLinksIfOwnerMatch
>     AllowOverride None
> </Directory>
> 
> Pretty much any time I see a block like <Directory> or <Location> or
> whatever, I add the SSLRequireSSL tag just to be sure, and to document
> things.  This may not work if you want non-ssl stuff on the same server.
> But for me, I make everything on the server be ssl, no exceptions.
> 
> Anything that comes to port 80 I redirect to port 443 with the following
> code.  I do this so users can type http:// and it will redirect them 
> to https:// so they don't have to learn the right way to do things:
> 
> RewriteEngine on
> RewriteCond     %{SERVER_PORT}  ^80$
> RewriteRule     ^(.+)   https://mail.ph.utexas.edu$1
> 
> This works for my simple case.  If you wanted a more complex setup, you
> could do it with a :80 virtual host istead, something like:
> 
> <VirtualHost 128.83.155.21:80>
>   SSLDisable
>   ServerName mail1.ph.utexas.edu
>   RewriteEngine On
>   RewriteCond %(HTTP_USER_AGENT)        MSIE
>   RewriteRule ^/(.*)    https://mail1.ph.utexas.edu:443/$1    [L]
>   RewriteCond %(HTTP_USER_AGENT)        Mozilla.5
>   RewriteRule ^/(.*)    https://mail1.ph.utexas.edu:443/$1    [L]
>   Redirect      /       https://mail1.ph.utexas.edu/
> </VirtualHost>
> 
> The basic idea of the above is to get the url showing in the Location: box
> of the browser to look right.  Minor detail, but to some that is important.
> (This could affect not only the Location box, but also history, bookmarks,
> headers on printouts, etc.  Anywhere the URL is used).
> 
> In my 443 virtual host setup for ssl, I also include the following which
> fixes a lot of problems with IE in general:
> 
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> 
> If you are having trouble, you might also try adding:
> 
>   SSLProtocol all -SSLv3
>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> 
> Which clears up some errors on some browsers on some plateforms (I think
> I've used to above for problems with Mac MS IE before -- some Mac's couldn't
> pull up the pages with MS IE 5.x unless I added the above).
> 
> In horde/config/horde.php I set the use_ssl variable to always use ssl:
> 
> $conf['use_ssl'] = 1;
> 
> Though it seems to work without that, I figure it can't hurt.
> 
> That's all I do really.
> 
> There is one "problem" with this.  If you are reading an email with embedded
> <img> tags that reference http:// (not https://) urls, then what happens
> depends on the browser and version.  On older browsers, this usually results
> in the "broken image" graphic showing up.  This is, I think, the correct
> behaviour.  In most MS IE browsers though, it will show the img instead.
> And in mozilla, and the very latest netscapes, it will also show the images.
> So it all depends on browser and version.  I think the correct action is
> the old one (broken image and a warning about mixing secure and non-secure
> content) but the trend in all the browsers seems to be towards the new
> behaviour of accepting the image without a warning.  Some browsers are
> inbetween (accept image, but issue a warning).   While I prefer the old
> way, almost 100% of my users prefer the new way.  So...
> 
> Other than that, it works without problem.  I've not had one single
> complaint
> from my Horde/IMP/etc. users about server/ssl problems.
> 
> Hope that helps someone!
> 
> -- 
> Eric Rostetter
> eric.rostetter@physics.utexas.edu
> 
> Hey Rocky!  Watch me pull a rabbit from my hat!
> 
> -- 
> IMP mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe@lists.horde.org
> 




-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/