Forum OpenACS Q&A: Smoother SSL Surfing
If you're using SSL or OpenSSL you might find this modification of
"ad-admin.tcl" useful.
Please let me know if you have something better or improve upon
this...
(The pagebreaking was screwed up, sorry)
/ola
# the proc below was added June 27, 1999, inspired by Malte Sussdorff (sussdorff@sussdorff.de)
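proc_doc ad_ssl_available_p {} "Returns 1 if this AOLserver has the nsopenssl module configured, 0 otherwise." {
    # Reads the "nsopenssl" key from this server's modules config section.
    # A non-empty value only shows that the module is listed in the
    # configuration. It does not show that the HTTPS listener is running
    # or that its certificate is usable, so a result of 1 should not be
    # taken as proof that HTTPS requests will succeed.
    set module_entry [ns_config ns/server/[ns_info server]/modules nsopenssl]
    return [expr {[string length $module_entry] > 0}]
}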
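# Register the SSL-related preauth filters exactly once per server.
# The shared flag guards against registering them again if this file
# is sourced more than once.
ns_share -init {set admin_ssl_filters_installed_p 0} admin_ssl_filters_installed_p

if { !$admin_ssl_filters_installed_p && [ad_ssl_available_p] } {
    set admin_ssl_filters_installed_p 1

    # we'd like to use ad_parameter_all_values_as_list here but can't because
    # it isn't defined until ad-defs.tcl
    #
    # Collect every RestrictToSSL value from the acs config section; the
    # key may appear several times, once per URL pattern.
    set acs_section [ns_configsection "ns/server/[ns_info server]/acs"]
    set filter_patterns [list]
    set n_params [ns_set size $acs_section]
    for {set i 0} {$i < $n_params} {incr i} {
        if { [ns_set key $acs_section $i] == "RestrictToSSL" } {
            lappend filter_patterns [ns_set value $acs_section $i]
        }
    }

    # NOTE(review): the filters are registered for GET only. Requests
    # using other methods (e.g. a POST that submits a login form) to the
    # same patterns are not redirected by these filters -- confirm that
    # forms under the restricted paths cannot be submitted over plain HTTP.
    foreach pattern $filter_patterns {
        ad_register_filter preauth GET $pattern ad_restrict_to_https
        # The inner quotes must be escaped, otherwise Tcl ends the string
        # at the first one and rejects the rest of the line.
        ns_log Notice "/tcl/ad-admin.tcl is restricting URLs matching \"$pattern\" to SSL"
    }

    # Below line added August 26, 2000, by Ola Hansson (rockola@mail.com)
    # Registered for every URL, so it runs on each GET request.
    # exit_from_https carries its own hard-coded list of directories that
    # stay on HTTPS; that list has to agree with the RestrictToSSL
    # patterns collected above.
    ad_register_filter preauth GET /* exit_from_https
}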
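proc ad_restrict_to_https {conn args why} {
    # Preauth filter for URLs that must be served over SSL.
    #
    # Returns "filter_ok" when the request already arrived through the
    # nsopenssl driver. Otherwise it redirects the client to the same
    # URL under https:// and returns "filter_return" so that no further
    # processing happens for this request.
    #
    # Caveat: the redirect only protects the requests that follow it.
    # The plain-HTTP request that triggered it -- including any cookies
    # and query variables it carried -- has already crossed the network
    # unencrypted. Session cookies for the restricted area should carry
    # the Secure attribute, and links into it should point at https://
    # directly.
    if { [ns_conn driver] == "nsopenssl" } {
        # Already on the SSL driver; nothing to do.
        return "filter_ok"
    }

    # The lines below were added on August 26, 2000, by Ola Hansson (rockola@mail.com)
    # The host part comes from the server's own hostname, not from the
    # request, so the client cannot steer the redirect target.
    # NOTE(review): assumes HTTPS listens on the default port and that
    # [ns_info hostname] is the name clients use -- confirm for your setup.
    set secure_url "https://[ns_info hostname][ns_conn url]"

    # [ns_conn url] holds only the path; put the query string back so
    # pages that depend on URL variables still work after the redirect.
    set query [ns_conn query]
    if { [string length $query] > 0 } {
        append secure_url "?$query"
    }

    ns_returnredirect $secure_url
    # The redirect has been sent; tell AOLserver to stop handling the request.
    return "filter_return"
}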
# The proc below was added on August 26, 2000, by Ola Hansson (rockola@mail.com)
# It lets you out of HTTPS when going back to unrestricted URLs
# This filter proc is registered for /* and imposes some overhead
# because it's called before every page load...
proc exit_from_https {args why} {
    # Preauth filter that moves a client back to plain HTTP once it
    # leaves the directories that are meant to stay on SSL.
    #
    # Returns "filter_ok" for requests that arrived on the nssock driver
    # and for HTTPS requests whose URL contains "/admin" or "/ecommerce"
    # anywhere in the path. Every other request is redirected to the same
    # path under http:// and the filter returns "filter_return".
    #
    # NOTE(review): the two directory names are hard-coded and have to
    # agree with the RestrictToSSL patterns in the server configuration.
    # A URL that is restricted there but matches neither name would
    # presumably bounce between this filter and ad_restrict_to_https.
    #
    # NOTE(review): after the downgrade the browser sends every cookie
    # that lacks the Secure attribute in clear text, so cookies that
    # authenticate access to the restricted area should be marked Secure.
    # The redirect target is built from [ns_conn url] alone, so it does
    # not include the query string of the original request.

    # Plain HTTP request: let it through untouched.
    if { [ns_conn driver] == "nssock" } {
        return "filter_ok"
    }

    # Still inside a restricted directory (in this case /admin and
    # /ecommerce): stay on HTTPS.
    set requested_path [ns_conn url]
    if { [string match "*/admin*" $requested_path] } {
        return "filter_ok"
    }
    if { [string match "*/ecommerce*" $requested_path] } {
        return "filter_ok"
    }

    # Leaving the restricted directories: send the client back to HTTP.
    set unsecure_url "http://[ns_info hostname]$requested_path"
    ns_returnredirect $unsecure_url
    return "filter_return"
}