Forum OpenACS Q&A: ad_restrict_to_https broken?
I'm bringing up OpenACS 3.2.4 on a vanilla RH 6.2 system; AOLServer 3.3pre3 and PG 7.0.3 (rpm version). Following the OpenACS Install Guide, I get to:

6.4 Adding Yourself as a User and Making Yourself a Sysadmin

When I attempt to access admin/ug however I get a "Redirection" pointing me at the corresponding https URL; which would be OK except that that in turn redirects back to itself (?!). The page text is:

Redirection
The requested URL has moved here.

but the link from "here" is the selfsame (https:) URL...

Digging in, I find this is apparently resulting from this function in ad-admin.tcl:

---
proc ad_restrict_to_https {conn args why} {
#    if { [ns_conn driver] == "nsssl" } {
#        # we're happy; administrator is being safe and password
#        # can't be sniffed
#        return "filter_ok"
#    } else {
#        ad_return_error "Please use HTTPS" "Sorry but you have to use HTTPS to talk to the admin pages."
        # have AOLserver abort the thread
        set secure_hostname [ns_config ns/server/[ns_info server]/module/nsssl Hostname]
        ns_returnredirect "https://$secure_hostname[ns_conn url]"
        return "filter_return"
#    }
}
---

If I hack this (back to what it apparently was at some time in the past?), I can get things working again:

---
proc ad_restrict_to_https {conn args why} {
    if { [ns_conn driver] == "nsssl" } {
        # we're happy; administrator is being safe and password
        # can't be sniffed
        return "filter_ok"
    } else {
        ad_return_error "Please use HTTPS" "Sorry but you have to use HTTPS to talk to the admin pages."
        # have AOLserver abort the thread
#        set secure_hostname [ns_config ns/server/[ns_info server]/module/nsssl Hostname]
#        ns_returnredirect "https://$secure_hostname[ns_conn url]"
#        return "filter_return"
    }
}
---

I've scoured the openacs forums, but can't find a direct discussion of this; although there is another, different suggested definition for this function at: https://openacs.org/forums/message-view?message_id=15982 but with no discussion or explanation.
So, my question: I'm not (yet) a tcl expert, but at first glance I can't see how the distributed version of the function can possibly work - it seems doomed to keep on redirecting, since there is no (obvious) conditional on whether the attempted access actually *is* already via https. Yet it seems that this version was deliberately introduced at some time as an improvement (?) on the previous version - which, as I say, actually works for me. Can anyone explain whether (and if so how) the distributed version does actually work? Many thanks, - Barry.
Posted by Don Baccus on 01/24/01 05:26 PM
When it originally was distributed, you couldn't use nsssl because AOL
couldn't supply the BSAFE libraries, which are proprietary. OpenSSL
works with AOLserver, but there was concern over the legality of that
project due to the fact that it contained code based on information
illegally retrieved from RSA.
RSA's patent ran out last fall, and export restrictions on encryption
have been relaxed, so you can now use nsssl again with Open Source
AOLserver. Or AOL bought a distribution license for BSAFE. Or
something like that; I'm not aware of the exact details.
I'm not certain what the patch you mention was trying to accomplish;
clearly it doesn't work. When we first distributed OpenACS you needed
to run with the "restrict to https" parameters (in /parameters/ad.tcl)
commented out, or you were on your own to get OpenSSL up and make it
work with AOLserver and OpenACS.
If a couple of other folks will verify that your patch works (I'm
still not using nsssl on my site) I'll apply it to the CVS tree.
Posted by Barry McMullin on 01/25/01 09:26 AM
Thanks for the response Don - that helps clarify matters!

DonB> When it originally was distributed, you couldn't use
DonB> nsssl because AOL couldn't supply the BSAFE libraries,
DonB> which are proprietary. OpenSSL works with AOLserver,
DonB> but there was concern over the legality of that project
DonB> due to the fact that it contained code based on
DonB> information illegally retrieved from RSA. [...]

Yeah - it all seems very complicated. I just took the linux *binary* of aolserver, which includes a binary nsssle (USA "export" grade encryption only). This avoided trying to compile nsssl from source (which requires the BSAFE libs). I'll probably try to get my head around using OpenSSL later...

DonB> I'm not certain what the patch you mention was trying
DonB> to accomplish, clearly it doesn't work. When we first
DonB> distributed OpenACS you needed to run with the
DonB> "restrict to https" parameters (in /parameters/ad.tcl)
DonB> commented out, or you were on your own to get OpenSSL
DonB> up and make it work with AOLserver and OpenACS.

Fair enough - but it's a bit of a "Gotcha" in the current distribution, because these are *not* already commented out in the sample ad.tcl; and the comments around them simply say you need to have an SSL listener running on your server for it to work...

DonB> If a couple of other folks will verify that your patch
DonB> works (I'm still not using nsssl on my site) I'll apply
DonB> it to the CVS tree.

Well ... just for the heck of it, I have just tried Ola Hansson's version - which seems to be partly reverting to the "original" (as I attempted previously), but with an enhancement so that attempted access to trees that have been specified for restriction to SSL doesn't just result in a message asking the user to switch to https, but *automatically* redirects to https; and, better still, redirects back to plain http once you go back outside such trees.
I tweaked it now to fix up line breaks that got munged in Ola's posting, and to revert from "nsopenssl" to "nsssl". My diff (relative to tcl/ad-admin in the openacs 3.2.4 distribution) is below. It *seems* to work fine for me. I suggest that if anyone is willing to follow up on Don's request to test this in anger, it's probably better to try out this "higher functionality" version, and let that be what goes into the CVS tree. (Mind you, it's all a bit moot: I *think* this is changed again in ACS 4.x anyway...) Cheers, - Barry. ----- snip 46a47,59 > # --- > # See: > # > # https://openacs.org/forums/message-view?message_id=15982&topic_id=11&topic=OpenACS > # "Smoother SSL Surfing" > # > # Modified to correct munged linebreaks, and replace nsopenssl > # with plain nsssl ... > # > # Barry.McMullin@dcu.ie > # 25-Jan-2001 > # > # --- 73a87,88 > # Below line added August 26, 2000, by Ola Hansson (rockola@mail.com) > ad_register_filter preauth GET /* exit_from_https 77,87c92,102 < # if { [ns_conn driver] == "nsssl" } { < # we're happy; administrator is being safe and password < # can't be sniffed < # return "filter_ok" < # } else { < # ad_return_error "Please use HTTPS" "Sorry but you have to use HTTPS to talk to the admin pages." 
< # have AOLserver abort the thread < set secure_hostname [ns_config ns/server/[ns_info server]/module/nsssl Hostname] < ns_returnredirect "https://$secure_hostname[ns_conn url]" < return "filter_return" < # } --- > if { [ns_conn driver] == "nsssl" } { > # we're happy; administrator is being safe and password > # can't be sniffed > return "filter_ok" > } else { > # The lines below were added on August 26, 2000, by Ola Hansson (rockola@mail.com) > append secure_url "https://[ns_info hostname][ns_conn url]" > ns_returnredirect $secure_url > # have AOLserver abort the thread > return "filter_return" > } 89a105,122 > # The proc below was added on August 26, 2000, by Ola Hansson (rockola@mail.com) > # It lets you out of HTTPS when going back to unrestricted URLs > # This filter proc is registered for /* and imposes some overhead > # because it's called before every page load... > proc exit_from_https {args why} { > # Return normal HTTP requests without argue > if { [ns_conn driver] == "nssock" } { > return "filter_ok" > # Remain in HTTPS if moving within restricted dirs (in this case /admin and /ecommerce) > } elseif { [string first "/admin" [ns_conn url]] != -1 || [string first "/ecommerce" [ns_conn url]] != -1} { > return "filter_ok" > } else { > # Redirect to HTTP if moving out of restricted dirs > append unsecure_url "http://[ns_info hostname][ns_conn url]" > ns_returnredirect $unsecure_url > return "filter_return" > } > } ---- snip
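Review bot: the header comment added at 46a47,59 references the forum message but does not say what changes in behaviour; it should state that, besides the admin redirect, a site-wide `exit_from_https` preauth filter is now registered and that the restricted trees are hard-coded inside that proc, so anyone editing the "restrict to https" parameters in /parameters/ad.tcl has to update both places.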
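Review bot: the registration at 73a87,88, `ad_register_filter preauth GET /* exit_from_https`, runs the new filter on every GET, static files included, and only on GET; GET-only is the right scope, because redirecting a POST would drop its body, but that choice and the per-request overhead belong in a comment next to the registration rather than only inside the proc body in the last hunk.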
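Review bot: in 77,87c92,102 the new redirect is built from `[ns_info hostname]`, while the removed lines used the nsssl module's configured `Hostname` (`ns_config ns/server/[ns_info server]/module/nsssl Hostname`); if the SSL listener and certificate are set up under a name other than the server's own hostname, browsers are sent to the wrong host or get a certificate mismatch, so keep the configured value. `[ns_conn url]` also carries no query string, so `append secure_url "https://[ns_info hostname][ns_conn url]"` loses any GET parameters on the way to HTTPS; add `?[ns_conn query]` when it is non-empty. Since `secure_url` is never initialised, `set` reads more clearly than `append`.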
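Review bot: the restricted-tree test in `exit_from_https` (89a105,122) uses `[string first "/admin" [ns_conn url]] != -1`, a substring match, so any URL containing `/admin` anywhere (`/foo/admin`, `/administration`) is kept on HTTPS, and the list is hard-coded instead of taken from the same "restrict to https" parameters that drive `ad_restrict_to_https`; an anchored `string match "/admin/*"` over that parameter list keeps the two filters consistent. The proc is declared `{args why}` whereas `ad_restrict_to_https` is `{conn args why}`, and both go through `ad_register_filter`, so the two argument lists should be reconciled. Finally, the `http://` redirect moves the user back to plaintext for everything outside the restricted trees, so whatever the browser sends with those requests is unprotected; a site that can serve everything over SSL is better off not registering this filter at all.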
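As an added illustration (not code from this thread or from OpenACS), the following Python model of the AOLserver filter chain lets you trace why the distributed `ad_restrict_to_https` loops, as described in Barry's first post, and how Ola Hansson's version together with `exit_from_https` converges; it goes slightly beyond the patch by keeping the query string on redirect and by matching restricted trees as anchored prefixes rather than substrings. `Request`, `chain`, `follow`, `with_query`, `HOST` and the `RESTRICTED` tuple are this example's own names, and a Tcl filter result is modelled as `("filter_ok", None)` or `("filter_return", url)`.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

HOST = "example.test"                    # stands in for [ns_info hostname]
RESTRICTED = ("/admin/", "/ecommerce/")  # trees that must stay on HTTPS

@dataclass(frozen=True)
class Request:
    driver: str      # "nsssl" = HTTPS listener, "nssock" = plain HTTP
    url: str         # path only, as [ns_conn url]
    query: str = ""  # as [ns_conn query]
def with_query(req, base):
    return base + (f"?{req.query}" if req.query else "")
def distributed_restrict(req):
    # The shipped 3.2.4 proc: redirects without ever checking the driver.
    return "filter_return", f"https://{HOST}{req.url}"

def fixed_restrict(req):
    # Ola's proc: pass if already on SSL, else redirect (query kept here).
    if req.driver == "nsssl":
        return "filter_ok", None
    return "filter_return", with_query(req, f"https://{HOST}{req.url}")
def in_restricted(url):
    # Anchored prefix match; a bare substring test would also match /foo/admin.
    return any(url == p[:-1] or url.startswith(p) for p in RESTRICTED)

def exit_from_https(req):
    # Leave HTTPS again once outside the restricted trees (Ola's exit filter).
    if req.driver == "nssock" or in_restricted(req.url):
        return "filter_ok", None
    return "filter_return", with_query(req, f"http://{HOST}{req.url}")
def chain(restrict):
    # ad.tcl registers restrict on the restricted trees only; exit_from_https on GET /*.
    gate = lambda r: restrict(r) if in_restricted(r.url) else ("filter_ok", None)
    return [gate, exit_from_https]

def follow(filters, req, max_hops=5):
    """Behave like a browser: run the chain, follow redirects, cap the hops."""
    for hop in range(max_hops):
        loc = None
        for f in filters:
            verdict, loc = f(req)
            if verdict == "filter_return":
                break
        if loc is None:
            return "served", req, hop
        p = urlsplit(loc)
        req = Request("nsssl" if p.scheme == "https" else "nssock", p.path, p.query)
    return "loop", req, max_hops
```

Running `follow(chain(distributed_restrict), Request("nssock", "/admin/ug"))` reproduces the self-redirect Barry saw, while the same call with `fixed_restrict` is served after one hop.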