[imp] Creating an SSL-based authentication mechanism in a virtualhost environment
Jan Schneider
jan at horde.org
Thu Oct 23 08:41:27 PDT 2003
Quoting Issac Goldstand <margol at beamartyr.net>:
> Hi,
> I'm trying to make a very dynamic Horde/IMP setup where I use a single IP
> to mass-virtualhost multiple domains (like webmail.domain1.com,
> webmail.domain2.com, etc) all from one Horde installation. I've
> successfully gotten the dynamics of that to work (by using the neat
> imp_get__vinfo function in servers.php - which isn't completely secure, as
> anyone can just send to the IP address with a forged Host: header, although
> I hope to plug that hole by doing a DNS lookup to verify that the Host:
> header resolves to the correct IP address from the server, but that's
> getting a bit off topic). Anyway, now I'm trying to patch the login pages
> so that it works like this:
>
> http://webmail.domain.com/imp/login.php
> |
> \ /
> https://secure.mydomain.com/horde/imp/redirect.php?session+other+junk+here
> |
> \ /
> http://webmail.domain.com/imp/mailbox.php (or whatever URL it ought to go to)
>
> The easy part was patching the templates/login/login.inc file as such:
>
> <form action="<?php echo preg_replace('^/imp/^','',Horde::applicationUrl('https://secure.xxx.com/horde/imp/redirect.php',0,1),1) ?>" method="post" name="implogin">
>
> So that's step one. Step two is processing the redirect, which is a bit
> trickier because there are a LOT more places to intercept. The general idea
> I had was to process the HTTP_REFERER environment variable at the VERY
> beginning as so:
>
> $refserver=preg_replace('^imp/.*^','',getenv('HTTP_REFERER'));
>
> and then, every time we spit out a URL, modify it something like:
> preg_replace('^https?://.+?/^',$refserver,Horde::applicationUrl($url, true),1);
> (the s? being just in case there's ever a customer who wants to pay for his
> own SSL-enabled webmail.)
> [NOTE: for this to work, enable_ssl in horde.php MUST be set to 0, and that
> might just mess up the HTTPS logic I just went out of my way to create, but
> let's take this one step at a time]
Not sure if this will work, because the referer might not be passed by the
browser. I'd instead send the original domain as a parameter (better:
hidden input field) to redirect.php. There you can store that domain in the
session and you'll have it available until the user logs out.
> But I'm getting some very tricky errors, like:
> [client xxx.xxx.xxx.xxx] PHP Notice: (null)(): No such host as mail.secure.mydomain.com (errflg=2) in Unknown on line 0, referer: http://webmail.domain1.com/imp/login.php?url=http%3A%2F%2Fwebmail.domain1.com%2Flogin.php
>
> Now how the heck am I supposed to even *start* tracing that?!?
That's IMP trying to contact your IMAP server. I guess you also do some
fancy redirecting to the correct IMAP server, there is probably an error
buried.
Jan.
--
http://www.horde.org - The Horde Project
http://www.ammma.de - discover your knowledge
http://www.tip4all.de - Your private betting pool
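
The hidden-field approach suggested in the reply, sketched as an added example (not part of the original message and not Horde/IMP code). A hidden input is as client-controlled as the Referer or Host: header, so the value is checked against the list of virtual hosts actually served before it is stored in the session or used in a redirect. The field name `origin_host`, the helper names and the host list are assumptions, and the syntax is modern PHP.

```php
<?php
// Added example, not Horde/IMP code. The field name 'origin_host' and the
// hostnames below are assumptions / constructed sample values.
const ALLOWED_HOSTS = ['webmail.domain1.com', 'webmail.domain2.com'];

/** Return the allowed hostname matching a client-supplied value, or null. */
function validate_origin_host($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // Normalise case and a trailing dot, then require a bare hostname:
    // no scheme, port, path, userinfo, whitespace or CR/LF.
    $host = strtolower(rtrim(trim($raw), '.'));
    if (!preg_match('/^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?$/D', $host)) {
        return null;
    }
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/** Build the post-login URL from the host stored in the session. */
function post_login_url(array $session, string $path = '/imp/mailbox.php'): ?string
{
    // Re-validate on use so a tampered or stale session value is never emitted.
    $host = validate_origin_host($session['origin_host'] ?? null);
    return $host === null ? null : 'http://' . $host . $path;
}

if (PHP_SAPI !== 'cli') {
    // redirect.php side: runs before any URL is emitted.
    session_start();
    $host = validate_origin_host($_POST['origin_host'] ?? null);
    if ($host === null) {
        http_response_code(400);
        exit('Unknown webmail host');
    }
    $_SESSION['origin_host'] = $host;
    // ... IMAP authentication would happen here ...
    header('Location: ' . post_login_url($_SESSION), true, 302);
    exit;
}

// Command-line demo over constructed inputs.
$samples = ['webmail.domain1.com', 'WEBMAIL.DOMAIN2.COM.', 'evil.example',
            'webmail.domain1.com@evil.example', "webmail.domain1.com\r\nX-Test: 1",
            'https://webmail.domain1.com/'];
foreach ($samples as $in) {
    var_dump(validate_origin_host($in));
}
```

The same `validate_origin_host()` check can be applied to the Host: header before it is used to select a server entry, which covers the forged-header case mentioned in the quoted message without a DNS lookup.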