Thread: wiki: RedirectSSL request to move out of scratchpad




wiki: RedirectSSL request to move out of scratchpad
2007-10-24 10:51:21
Hi everybody,

I'd like to see http://wiki.apache.org/httpd/RedirectSSL moved out of the scratchpad.
I don't know (yet) how to do it myself or that it is even safe to move out of it.

Anybody want to look at it?

(I don't think any work is needed except maybe some spelling mistakes I let slip in)

--
~ Jorge (sjorge)
Re: wiki: RedirectSSL request to move out of scratchpad
2007-10-24 13:10:34
On Wed, Oct 24, 2007 at 05:51:21PM +0200, Jorge Schrauwen wrote:
> I'd like to see http://wiki.apache.org/httpd/RedirectSSL moved out of the
> scratchpad.
> I don't know (yet) how to do it myself or that it is even safe to move out
> of it.
>
> Anybody want to look at it?
>
> (I don't think any work is needed except maybe some spelling mistakes I let
> slip in)
>
There are several things that need fixing:

"Let's say you want http://www.example.com/secure/ to always be
sent over SSL"

and then the example goes on to suggest redirecting the whole vhost - as
in the "solution" doesn't match the problem statement.

The second example isn't exactly very good either - the way it is set
up, it looks as if you have shared documentroots between the http and
the https vhost, but then what do you suppose happens if you have a
redirect inside the https vhost as well:
"Redirect permanent /login https://mysite.example.com/login"

I'd probably also mention SSLRequireSSL:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequiressl

As for the practical bits with moving things back and forth in wikis, I
have no clue, I still think wikis are a bad idea - we obviously don't
get much in the way of reviews there.

vh

Mads Toftum
-- 
http://soulfood.dk

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribehttpd.apache.org
For additional commands, e-mail: docs-helphttpd.apache.org


Re: wiki: RedirectSSL request to move out of scratchpad
2007-10-24 14:28:48
> On Wed, Oct 24, 2007 at 05:51:21PM +0200, Jorge Schrauwen wrote:
> > I'd like to see http://wiki.apache.org/httpd/RedirectSSL moved out of the
> > scratchpad.

On 10/24/07, Mads Toftum <madstoftum.dk> wrote:
> There are several things that need fixing:
>
> "Let's say you want http://www.example.com/secure/ to always be
> sent over SSL"
Hi,

This topic kinda forced me to give my comments. I've written a few one
(or more) liners at #apache earlier about this.

I personally dislike the idea that https and http point to the same
DocumentRoot and suggesting that as "de facto" for users (as
Apache HTTPd's default config, a number of Rewrite examples
and e.g. this scratchpad page do).

In my opinion there are e.g. the 2 following simple things:
- availability/performance; If you don't need https for content,
  there's no point serving it with https
- confidentiality; If you need https, you usually _definitely_ don't
  want that content/traffic via plain http

(...and passing this kind of redirection to .htaccess gives me shivers,
maybe my trust in Joe Average Apache user/"admin" understanding
AllowOverride is not that strong - especially when the site is migrated
to another server or there's a major Apache HTTPd upgrade...)

I understand that the default configuration has certain size limitations
and the same applies to the number of htdocs and "htdocs-ssl" directories
in the default installation.

The wiki would be a good place to point out this kind of considerations,
optional ways to configure and separate http/https sites etc.
Maybe giving a thought for security besides keep-it-simple...

Btw. if someone points out e.g. common image/css/js/etc files
which are required in both http and https - I kinda like the features
that Alias offers ;)

Comments about writing my suggestions as a proposal to the wiki
are fair. I'm not sure whether I have the time etc right now...

Regards, lamp

-- 
 Tero Lampiluoto
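
The layout the two replies above argue for, as an added example that is not part of the thread or the wiki page: only /secure/ is redirected, each vhost has its own DocumentRoot, shared static files come in through Alias, and SSLRequireSSL acts as a backstop. The hostname follows the thread's www.example.com; every filesystem path and the /static/ URL are assumptions, and per-directory access-control directives are left out because they differ between httpd versions.

```apache
# Added example; all paths below are assumed, not taken from the thread.

# Plain-HTTP vhost: public content only.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example-http

    # Redirect only the path from the problem statement, not the whole
    # vhost. Redirect matches by URL-path prefix, so /secure/foo is sent
    # to https://www.example.com/secure/foo.
    Redirect permanent /secure/ https://www.example.com/secure/

    # Files needed by both sites are mapped in with Alias instead of
    # sharing one DocumentRoot between http and https.
    Alias /static/ /var/www/example-shared/static/
</VirtualHost>

# HTTPS vhost: separate DocumentRoot, so the protected files have no
# filesystem mapping at all on port 80.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example-https

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    Alias /static/ /var/www/example-shared/static/

    # Backstop: refuse any non-SSL request that reaches this directory,
    # for instance if the tree is later exposed through another vhost.
    <Directory /var/www/example-https/secure>
        SSLRequireSSL
    </Directory>

    # Deliberately no "Redirect permanent /secure/ https://www.example.com/secure/"
    # in this vhost: a redirect here that targets its own URL would loop.
</VirtualHost>
```

Running `apachectl configtest` after editing checks the syntax before a reload.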
