Re: [SM-USERS] SSL Squirrelmail through Reverse Proxy (Pound)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Paul Lesniewski wrote:
> On 6/28/07, Daniel Watts <d...@ni...> wrote:
>> Dear List,
>>
>> Has anyone got a setup where you have a Pound front end reverse-proxy
>> listening for HTTPS traffic, and redirecting via HTTP to a batch of
>> backend web servers that squirrelmail is installed on?
>>
>> I have this working nicely except that the links and redirects are all
>> then written as "http" rather than "https". Is there any sane way I can
>> get the system so that security is maintained?
> 
> If SM has no information about SSL a connection, you simply cannot
> expect it to do anything but what it is doing.
> 
>> I'm thinking this might be to do with the "get_location" function in
>> squirrelmail - will I need to modify this somehow?
> 
> Most people do that.

Really? How do they rework it?

> 
>> The trouble is user's can connect either via HTTP or HTTPS and I don't
>> want just a blanket change of all links to HTTPS.
> 
> Why not?  Minimal overhead, better email security.

Ah I suppose the get_location could be done to always response with the 
HTTPS protocol.

> 
>> Perhaps I need to get Pound to insert an X-SSL-Request header which can
>> tell get_location whether to prepend http:// or https://
> 
> Might be a good solution.
> 
>> But this all sounds quite ugly and I'd rather not change squirrelmail code.
> 
> The only other option would be to install the mind_reader plugin that
> knows that despite the fact that page requests come in HTTP, you
> really wanted links in HTTPS, but only in some cases.  No sweat.  :-)

Lol very funny =)

I thought there might be some other configuration in terms of how my 
proxies / apache's work etc. It can't be that rare a task that someone 
hasn't come up with a way to make this work nicely.

I noticed that things would be a lot nicer if the header("Location..")'s 
where all relative. That way whatever the connection was, the browser 
would maintain the type and just change the URI.

I read somewhere that header redirects should always be absolute but 
relative ones do seem to always work. Don't suppose squirrelmail would 
consider going all relative? ;o)

Thanks for your assistance and thoughts as always Paul.

Dan