Re: Proxy configuration and SSL

Andreas Hartmann schrieb:
> Thorsten Scherler schrieb:
>> On Tue, 2007-06-12 at 18:17 +0200, Andreas Hartmann
wrote:
>>> Hi Lenya devs,
>>>
>>> I'm a bit confused how the proxy configuration
works
>>>
>>> ATM we have something like this:
>>>
>>>   <proxies ssl="false"
root="...">
>>>     <proxy area="live"
ssl="true" url="..."/>
>>>     <proxy area="live"
ssl="false" url="..."/>
>>>     <proxy area="authoring"
ssl="true" url="..."/>
>>>     <proxy area="authoring"
ssl="false" url="..."/>
>>>   </proxies>
>>>
>>> Why does the <proxies> element with
ssl=false have
>>> children with ssl=true?
>> http://marc.info/?l=lenya-dev&m=118036330826401&a
mp;w=2
>> "Yes, all urls outside of areas are not ssl
protected by default (at
>> least that is my understanding). Actually one can
even get rid of the
>> ssl. The ssl checkbox in the ac is the one that
determines whether a
>> url is ssl protected or not but you cannot have ac
for the global stuff
>> ATM and AFAIR."
> 
> But IIUC this would lead to the infamous "This
page contains insecure
> components" messages, wouldn't it? If a page is
served through SSL,
> all images, CSS etc. it references also have to be
served through
> SSL.

I have now configured Apache2 with SSL as a proxy for
Tomcat. The login
usecase is redirected to SSL. This results in the message I
mentioned:

  "You have requested an encrypted page that contains
some
   unencrypted information. [...]"

To avoid this, we'd have to use a global SSL proxy URL for
the CSS and
image URLs. IMO we should use the SSL variants of all
outgoing links
on an SSL-encrypted page by default.

WDYT?

-- Andreas

-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch


------------------------------------------------------------
---------
To unsubscribe, e-mail: dev-unsubscribelenya.apache.org
For additional commands, e-mail: dev-helplenya.apache.org