[imp] Creating an SSL-based authentication mechanism in a virtualhost environment

Issac Goldstand margol at beamartyr.net
Thu Oct 23 08:12:30 PDT 2003


Hi,
  I'm trying to make a very dynamic Horde/IMP setup where I use a single IP
to mass-virtualhost multiple domains (like webmail.domain1.com,
webmail.domain2.com, etc) all from one Horde installation.  I've
successfully gotten the dynamics of that to work (by using the neat
imp_get__vinfo function in servers.php - which isn't completely secure, as
anyone can just send to the IP address with a forged Host: header, although
I hope to plug that hole by doing a DNS lookup to verify that the Host:
header resolves to the correct IP address from the server, but that's
getting a bit off topic).  Anyway, now I'm trying to patch the login pages
so that it works like this:

http://webmail.domain.com/imp/login.php
 |
\ /
https://secure.mydomain.com/horde/imp/redirect.php?session+other+junk+here
 |
\ /
http://webmail.domain.com/imp/mailbox.php (or whatever URL it ought to go
to)

The easy part was patching the templates/login/login.inc file as such:

<form action="<?php echo
preg_replace('^/imp/^','',Horde::applicationUrl('https://secure.xxx.com/horde/imp/redirect.php',0,1),1)
?>" method="post" name="implogin">

So that's step one.  Step two is processing the redirect, which is a bit
trickier because there are a LOT more places to intercept.  The general idea
I had was to process the HTTP_REFERER environment variable at the VERY
beginning as so:

$refserver=preg_replace('^imp/.*^','',getenv('HTTP_REFERER'));

and then, every time we spit out a URL, modify it something like:
preg_replace('^https?://.+?/^',$refserver,Horde::applicationUrl($url, true),1);
(the s? being just in case there's ever a customer who wants to pay for his
own SSL-enabled webmail.)
[NOTE: for this to work, enable_ssl in horde.php MUST be set to 0, and that
might just mess up the HTTPS logic I just went out of my way to create, but
let's take this one step at a time]

But I'm getting some very tricky errors, like:
[client xxx.xxx.xxx.xxx] PHP Notice:  (null)(): No such host as
mail.secure.mydomain.com (errflg=2) in Unknown on line 0, referer:
http://webmail.domain1.com/imp/login.php?url=http%3A%2F%2Fwebmail.domain1.com%2Flogin.php

Now how the heck am I supposed to even *start* tracing that?!?

Any help would be MUCH appreciated.  I'd really love to try to create
something that can eventually be patched into CVS (or perhaps just left
lying in /contrib)

Thanks in advance!
  Issac
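
Added example, not part of the original post or of Horde/IMP: one way to apply the check the post describes (accept a Host: header only if it resolves to the server's own IP) and to hold the Referer-derived return URL to the same rule before it is used to rewrite links. The function names, the injectable resolver and the sample zone are assumptions made for illustration.

```php
<?php
// Added example; vhost_from_host(), return_base_from_referer() and the
// resolver callback are hypothetical names, not Horde/IMP APIs.

// Return the normalized host if the Host: header names a domain that
// resolves to this server's IP, else null. $resolve is callable(string):
// array|false; pass 'gethostbynamel' in production.
function vhost_from_host(string $hostHeader, string $serverIp, callable $resolve): ?string
{
    // Drop an optional :port, lowercase, and accept only plain DNS names.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
    if (!preg_match('/^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/', $host)) {
        return null;
    }
    $ips = $resolve($host);
    return (is_array($ips) && in_array($serverIp, $ips, true)) ? $host : null;
}

// Build the "send the user back" base URL from a Referer value, but only
// when its host passes the same check. Anything else yields null.
function return_base_from_referer(string $referer, string $serverIp, callable $resolve): ?string
{
    $parts = parse_url($referer);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $host = vhost_from_host($parts['host'], $serverIp, $resolve);
    return $host === null ? null : "$scheme://$host/";
}

// Constructed sample data: stub resolver and documentation-range IPs.
$zone = ['webmail.domain1.com' => ['192.0.2.10'], 'webmail.other.example' => ['198.51.100.7']];
$resolve = fn(string $h) => $zone[$h] ?? false;
$serverIp = '192.0.2.10';

foreach (['webmail.domain1.com', 'WEBMAIL.DOMAIN1.COM:80', 'webmail.other.example', '192.0.2.10'] as $h) {
    printf("Host    %-42s => %s\n", $h, var_export(vhost_from_host($h, $serverIp, $resolve), true));
}
foreach (['http://webmail.domain1.com/imp/login.php', 'http://webmail.other.example/imp/login.php', 'ftp://webmail.domain1.com/'] as $r) {
    printf("Referer %-42s => %s\n", $r, var_export(return_base_from_referer($r, $serverIp, $resolve), true));
}
```

A DNS match only shows that some name points at this server, so a configured list of hosted domains is the stricter test. When the Referer is missing or fails the check, the caller should fall back to a fixed default URL rather than redirect.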


