
Question

With the 4.1.2 distribution and Apache 2, I made a configuration that uses SSL just for authenticated pages and for pages that have password forms. Thus plain-text passwords are never sent unencrypted.

Having non-authenticated accesses without SSL helps to keep down the CPU load; especially in situations where the majority of access will be unauthenticated read accesses.

My configuration uses Apache's RewriteRules, of course. The rules redirect requests from an http to a https server with the same name, and vice versa. Care is taken to provide protection for password-containing forms and correct error messages as well. Changes in LocalSite.cfg are also needed.

I would be willing to provide that configuration and explain it here on the TWiki main site. If you're interested, I would need guidance where such an explanation is best placed - which Web, which parent topic, etc. It is more than 200 lines of configuration (including comments) and needs some additional explanation of the concept, thus I refrained from simply dumping them as a comment into AvoidingPlainTextPasswords.

There is one small drawback in my configuration: It also shortens the URLs, as in ShorterUrlCookbook. (See also the two bugs that I opened in that context :-) ) I would prefer to leave that part of the configuration in at first, since it is tested in that form. Maybe I could change that later. In fact, looking at the other support topics, it might be of even more interest to add some text on how one configures an SSL Web server in the first place. ;-)

Environment

TWiki version: TWikiRelease04x01x02
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: Unix / Linux
Web server: Apache 2, with mod_rewrite and mod_ssl
Perl version:  
Client OS:  
Web Browser:  
Categories: Installation, Security, Documentation

-- JoachimSchrod - 27 Apr 2007
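
A minimal sketch of the scheme described in the question, as an added example that is not Joachim Schrod's configuration and not part of the TWiki distribution. The host name `wiki.example.org`, the `/twiki/bin` script path, the certificate paths and the use of Apache (Basic auth) login are assumptions.

```apache
# Constructed sketch; host name, paths and certificate files are placeholders.
# Assumes Apache (Basic auth) login, where view/rdiff/search/changes are
# anonymous and the scripts listed in the first rule require a valid user.

<VirtualHost *:80>
    ServerName wiki.example.org
    RewriteEngine On

    # Scripts that demand a login or accept a password: HTTPS only.
    # The query string is carried over automatically by mod_rewrite.
    RewriteRule ^/twiki/bin/(login|logon|viewauth|rdiffauth|edit|save|preview|attach|upload|rename|manage|passwd|resetpasswd|register|configure)(/.*)?$ https://wiki.example.org%{REQUEST_URI} [R=302,L]

    # Topics that render a password form are moved to HTTPS as well, so the
    # form is neither delivered nor submitted in clear text.
    RewriteRule ^/twiki/bin/view/TWiki/(TWikiRegistration|ChangePassword|ResetPassword)$ https://wiki.example.org%{REQUEST_URI} [R=302,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName wiki.example.org
    SSLEngine On
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    RewriteEngine On

    # The "vice versa" direction: anonymous read-only requests go back to
    # HTTP to save SSL CPU load. Only GET/HEAD are redirected, and the
    # password-form topics are excluded so they stay on HTTPS.
    RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$
    RewriteCond %{REQUEST_URI} !^/twiki/bin/view/TWiki/(TWikiRegistration|ChangePassword|ResetPassword)$
    RewriteRule ^/twiki/bin/(view|rdiff|search|changes)(/.*)?$ http://wiki.example.org%{REQUEST_URI} [R=302,L]
</VirtualHost>
```

With cookie-based (template) login instead of Basic auth, the session cookie would also need the `Secure` attribute, otherwise the browser sends it to the port-80 virtual host as well.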

Answer


Um, yes please :-) Sounds like a rather useful Cookbook!!

-- SvenDowideit - 28 Apr 2007

That would make a great SSLConfigurationCookbook in the Codev Web, wouldn't it? I always thought TWiki should be configured like that right out of the box. But that would make the setup support an even greater nightmare than it already is (according to Sven's latest postings ;-) ), I guess.

-- FranzJosefSilli - 28 Apr 2007

Yeah, there's a lesson there - if we'd offer fewer options for customisation, upgrading would be totally automated and simple. But no, we have to go and be flexible..... still, this way we're in for infinite fun.

-- SvenDowideit - 28 Apr 2007

Joachim, thanks for your offer to share your work! We would love to get your input! I suggest creating SupplementalDocuments in the TWiki web. For example, a TWiki.HowToConfigureTWikiWithSSL, and a Support.UsingSslForAuthenticationOnly. We can link those topics from the distribution documents.

-- PeterThoeny - 28 Apr 2007

I have started with the proposed topic in Support. After gathering comments and a review round, one could put a consolidated version of that text as a Cookbook in the TWiki web.

Since discussion will probably continue on UsingSslForAuthenticationOnly, I close this question.

-- JoachimSchrod - 30 Apr 2007

Topic revision: r6 - 2007-04-30 - JoachimSchrod