Forum OpenACS Q&A: Response to ad_restrict_to_https broken?

Collapse
Posted by Barry McMullin on

Thanks for the response Don - that helps clarify matters!

    DonB> When it originally was distributed, you couldn't use
    DonB> nsssl because AOL couldn't supply the BSAFE libraries,
    DonB> which are proprietary.  OpenSSL works with AOLserver,
    DonB> but there was concern over the legality of that project
    DonB> due to the fact that it contained code based on
    DonB> information illegally retrieved from RSA.
[...]

Yeah - it all seems very complicated.  I just took the linux
*binary* of aolserver, which includes a binary nsssle (USA
"export" grade encryption only).  This avoided trying to compile
nsssl from source (which requires the BSAFE libs).  I'll probably
try to get my head around using OpenSSL later...

    DonB> I'm not certain what the patch you mention was trying
    DonB> to accomplish, clearly it doesn't work.  When we first
    DonB> distributed OpenACS you needed to run with the
    DonB> "restrict to https" parameters (in /parameters/ad.tcl)
    DonB> commented out, or you were on your own to get OpenSSL
    DonB> up and make it work with AOLserver and OpenACS.

Fair enough - but it's a bit of a "Gotcha" in the current
distribution, because these are *not* already commented out in
the sample ad.tcl; and the comments around them simply say you
need to have an SSL listener running on your server for it to
work...

    DonB> If a couple of other folks will verify that your patch
    DonB> works (I'm still not using nsssl on my site) I'll apply
    DonB> it to the CVS tree.

Well ... just for the heck of it, I have just tried Ola Hanson's
version - which seems to be partly reverting to the "original"
(as I attempted previously), but with an enhancement so that
attempted access to trees that have been specified for
restriction to SSL doesn't just result in a message asking the
user to switch to https, but *automatically* redirects to https;
and, better still, redirects back to plain http once you go back
outside such trees.  I tweaked it now to fix up line breaks that
got munged in Ola's posting, and to revert from "nsopenssl" to
"nsssl".  My diff (relative to tcl/ad-admin in the openacs 3.2.4
distribution) is below.  It *seems* to work fine for me.  I
suggest that if anyone is willing to follow up on Don's request to
test this in anger, it's probably better to try out this "higher
functionality" version, and let that be what goes into the CVS
tree.  (Mind you, it's all a bit moot: I *think* this is changed
again in ACS 4.x anyway...)

Cheers,

- Barry.

----- snip

46a47,59
> # ---
> # See:
> #
> # https://openacs.org/forums/message-view?message_id=15982&topic_id=11&topic=OpenACS
> # "Smoother SSL Surfing"
> #
> # Modified to correct munged linebreaks, and replace nsopenssl
> # with plain nsssl ...
> #
> # Barry.McMullin@dcu.ie
> # 25-Jan-2001
> #
> # ---
73a87,88
>     # Below line added August 26, 2000, by Ola Hansson (rockola@mail.com) 
>     ad_register_filter preauth GET /* exit_from_https
77,87c92,102
< #    if { [ns_conn driver] == "nsssl" } {
<  	# we're happy; administrator is being safe and password
<  	# can't be sniffed
< # 	return "filter_ok"
< #    } else {
<  	# ad_return_error "Please use HTTPS" "Sorry but you have to use HTTPS to talk to the admin pages."
<  	# have AOLserver abort the thread
< 	set secure_hostname [ns_config ns/server/[ns_info server]/module/nsssl Hostname]
< 	ns_returnredirect "https://$secure_hostname[ns_conn url]"
<  	return "filter_return"
< #    }
---
>     if { [ns_conn driver] == "nsssl" } {
> 	# we're happy; administrator is being safe and password
> 	# can't be sniffed
> 	return "filter_ok"
>     } else {
> 	# The lines below were added on August 26, 2000, by Ola Hansson (rockola@mail.com)
> 	append secure_url "https://[ns_info hostname][ns_conn url]"
> 	ns_returnredirect $secure_url
> 	# have AOLserver abort the thread
> 	return "filter_return"
>     }
89a105,122
> # The proc below was added on August 26, 2000, by Ola Hansson (rockola@mail.com)
> # It lets you out of HTTPS when going back to unrestricted URLs
> # This filter proc is registered for /* and imposes some overhead 
> # because it's called before every page load... 
> proc exit_from_https {args why} {
>     # Return normal HTTP requests without argue
>     if { [ns_conn driver] == "nssock" } {
> 	return "filter_ok"
>     # Remain in HTTPS if moving within restricted dirs (in this case /admin and /ecommerce)
>     } elseif { [string first "/admin" [ns_conn url]] != -1 || [string first "/ecommerce" [ns_conn url]] != -1} {
> 	return "filter_ok"
>     } else {
> 	# Redirect to HTTP if moving out of restricted dirs
> 	append unsecure_url "http://[ns_info hostname][ns_conn url]"
> 	ns_returnredirect $unsecure_url
> 	return "filter_return"
>     }
> }

---- snip