From: Daniel W <d...@ni...> - 2007-06-28 21:46:24
Paul Lesniewski wrote:
> On 6/28/07, Daniel Watts <d...@ni...> wrote:
>> Dear List,
>>
>> Has anyone got a setup where you have a Pound front end reverse-proxy
>> listening for HTTPS traffic, and redirecting via HTTP to a batch of
>> backend web servers that squirrelmail is installed on?
>>
>> I have this working nicely except that the links and redirects are all
>> then written as "http" rather than "https". Is there any sane way I can
>> get the system so that security is maintained?
>
> If SM has no information about SSL a connection, you simply cannot
> expect it to do anything but what it is doing.
>
>> I'm thinking this might be to do with the "get_location" function in
>> squirrelmail - will I need to modify this somehow?
>
> Most people do that.

Really? How do they rework it?

>
>> The trouble is users can connect either via HTTP or HTTPS and I don't
>> want just a blanket change of all links to HTTPS.
>
> Why not? Minimal overhead, better email security.

Ah I suppose the get_location could be done to always respond with the HTTPS protocol.

>
>> Perhaps I need to get Pound to insert an X-SSL-Request header which can
>> tell get_location whether to prepend http:// or https://
>
> Might be a good solution.
>
>> But this all sounds quite ugly and I'd rather not change squirrelmail code.
>
> The only other option would be to install the mind_reader plugin that
> knows that despite the fact that page requests come in HTTP, you
> really wanted links in HTTPS, but only in some cases. No sweat. :-)

Lol very funny =)

I thought there might be some other configuration in terms of how my proxies / Apaches work etc. It can't be that rare a task that someone hasn't come up with a way to make this work nicely.

I noticed that things would be a lot nicer if the header("Location..")'s were all relative. That way whatever the connection was, the browser would maintain the type and just change the URI.

I read somewhere that header redirects should always be absolute but relative ones do seem to always work. Don't suppose squirrelmail would consider going all relative? ;o)

Thanks for your assistance and thoughts as always Paul.

Dan
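
Added example (not part of the original message and not SquirrelMail code): a sketch of the X-SSL-Request idea discussed above, in which the backend believes the header only when the connection comes from the proxy itself. The function name, the proxy addresses, the header value "1" and the host name are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not SquirrelMail's get_location().
// Assumptions: the proxy strips any client-supplied X-SSL-Request header and
// sets "X-SSL-Request: 1" on its HTTPS listener only; the proxy addresses
// and host name below are constructed placeholders.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

function request_scheme(array $server): string
{
    // TLS terminated on this backend itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return 'https';
    }
    // Honour the header only when the TCP peer is one of our proxies;
    // a client reaching the backend directly can send any header it likes.
    $peer = $server['REMOTE_ADDR'] ?? '';
    $flag = $server['HTTP_X_SSL_REQUEST'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && $flag === '1') {
        return 'https';
    }
    return 'http';
}

// Constructed requests, shaped like $_SERVER.
$samples = [
    'HTTPS via proxy'       => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_SSL_REQUEST' => '1'],
    'HTTP via proxy'        => ['REMOTE_ADDR' => '192.0.2.10'],
    'forged header, direct' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_SSL_REQUEST' => '1'],
];
foreach ($samples as $label => $server) {
    printf("%-22s -> %s://webmail.example.org/src/login.php\n",
        $label, request_scheme($server));
}
```

In a live request the function would be called with `$_SERVER`; the third sample shows why the peer address check matters, since a forged header from an untrusted address still yields `http`.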