httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "simon" <simon...@cs.toronto.edu>
Subject Re: [users@httpd] mod_ssl mod_rewrite problem
Date Thu, 08 Apr 2004 02:54:18 GMT
Thank you Josh for your considered and fast response.

If you are correct, why do I still get a warning when I try to retrieve the
image directly via
http://server/logos.gif but not when I try to retrieve the index.html
(without the image) page via http?

Both GETs have a redirect via http to https but only the GET for index.html
works, while the GET for the image does not.

So using your desciption of the events (which makes sense) but applying it
to a single GET to retrieve the image, we would have:

1. Client requests logos.gif using HTTP.  (http://server/logos.gif)
2. Server redirects client to logos.gif on HTTPS. (https://server/logos.gif)
3. Client grabs logos.gif on HTTPS, and displays it.

Yet even then I get a warning about displaying insecure items.

Why would this work for index.html (with the link to the image removed) but
not for the gif?
Is it not the same exact sequence of steps?  Or am I completely missing the
point (quite possible)?
But again thank you very much for the response.

S.T.








----- Original Message ----- 
From: "Joshua Slive" <joshua@slive.ca>
To: <users@httpd.apache.org>
Sent: Wednesday, April 07, 2004 10:27 PM
Subject: Re: [users@httpd] mod_ssl mod_rewrite problem


>
> On Wed, 7 Apr 2004, simon wrote:
> > I have this working using:
> >
> > RewriteEngine on
> > RewriteCond %{HTTPS} !=on
> > RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
> >
> > The nasty problem is that when I redirect a request for a page (e.g.
> > index.html) that contains an <img src> tag in the form of:
> >
> > <img src = "http://server/logos.gif">,
> >
> > IE 6 continually complains that the page contains insecured items and
> > refuses to display the yellow padlock. However, an examination of my
rewrite
> > logs indicates that the GET for the logos.gif, in the html, is being
> > redirected correctly:
>
> What happens is this:
>
> 1. Client requests index.html using HTTP.
> 2. Server redirects client to index.html on HTTPS.
> 3. Client grabs index.html on HTTPS, parses it, and requests logos.gif on
> HTTP.
> 4. Server redirects request for logos.gif to HTTPS.
> 5. Client requests logos.gif on HTTPS.
>
> The warning from the client comes at step 3, since the client has no way
> to know that the request will be redirected to a secure server.  And even
> if it is redirected, the redirect itself comes over HTTP, which the client
> considers insecure, and therefore you don't get a padlock.  (The insecure
> item in the end is the redirect, not the image.)
>
> > My inclination is to modify all the <img src> tags so that they all
point to
> > a relative path name instead of a URL but I inherited the code and this
> > would prove onerous. Moreover, it does not seem reasonable to me that my
> > redirects should cause IE6 such problems.
>
> I think changing the links is the only option.
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message