httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Apache on F11. ANY APPROACH ?excluding images pdfs etc from Https ( ssl ) routing
Date Mon, 02 Nov 2009 08:57:13 GMT
sieger007@gmail.com wrote:
> Hi Folks
> 
>    - I am a squat on advanced Apache work. I would get a basic SSL
>    functionality to work.
> 
> So https://foobar.com works fine and gets me all the login windows I
> designed. however currently all the images and other extensions like .pdf
> are also using the https routing.
> some image referred on that https link
> e.g. https://foobar.com/loginhere.jpeg c
> can be displayed using https but not http
> I would like to JUST limit https usage to the login window html and ALL
> other images pdf's not secured html ( one that do not need password ) should
> use HTTP NOT HTTPS
> What I cannot really find ( and Apache modules make a graduate course , as I
> am realizing with all the futile digging in ) is HOW do I tell apache that
> if you find an image file ( .jpeg or .pdf ) if it comes to https convert all
> that into http .Has that something to do with rewrite or redirect modules .
> 

I think there is something basic which you should understand first :
Apache does not "decide" to send this or that via HTTPS.
Apache responds to a request from the browser.  If the browser requests 
an object with a https://.. URL, then Apache will respond that way.  If 
the browser requests an object using a http://... URL, then Apache will 
respond that way.

In other words, you have to make sure, in the pages *you* send back to 
the browser, that the links, from the browser point of view, evaluate to 
"http://.." and not "https://..".

Let me give you a simplified example.

1) The browser initially requests a page from the server, using (e.g.) a 
URL like
https://server.mycompany.com/login-page.html
That means that this browser is
   a) setting up a https connection to "server.mycompany.com"
   b) on that connection, sending a request for host 
"server.mycompany.com" and page "/login-page.html"

2) the server sends back the page, on the same https connection.
(Note that the connection is the one initiated by the browser. The 
server never initiates a connection to the browser. It just responds on 
the same connection which the browser has set up).

3) in that page, are links like :
<img src="/images/myimage.gif">

4) the browser is going to "evaluate" these URLs, make them into "full" 
URLs, and then send new requests for those objects to the server.
In this case, the browser sees that the URL is missing a protocol and a 
servername, so it will add them first.
What will it add ?
It will take the protocol and the servername from which this page 
(login-page) has "arrived". In other words, *the browser* here will take 
the URL "/images/myimage.gif", and add the protocol and the server, to give
"https://server.mycompany.com/images/myimage.gif", and then *the 
browser* will request this URL from the server.

5) the server gets this request and answers appropriately.

If, instead, the links to the images, in the page login-page.html, had 
been like
<img src="http://myserver.company.com/images/myimage.gif">
then the browser would request this image on a non-https channel, and 
the server would respond on that non-https channel.

In other words, what happens is basically your problem, not Apache's.

The above is the simple way.
There are other, less efficient ways.

You can arrange, at the server level, that when it receives a request 
for "https://server.company.com/images/something", it would *send a 
REDIRECT response* to the browser, telling the browser essentially : 
hey, that's the wrong address for that thing, please use this one instead.
That is called a 301 response, and you can do that with mod_rewrite.
The browser, when it receives this message, will then automatically 
initiate a *new connection* with the server, and re-request the same 
object using the URL which the 301 Apache response contained.

But consider that it is always less efficient than sending the correct 
link in the page in the first place, because you need a first request to 
the server, a server response, then a new request from the browser to 
the server before you get your image.

What Apache cannot do, at level (5) above, in the middle of the 
conversation, is decide to change the protocol of the connection from 
HTTPS to HTTP.  That would break the existing connection. And how would 
the browser know that it suddenly is going to receive a response on a 
new connection, set up by the server ?
That is not how HTTP works.
And that is also why you do not find anything that replies to your 
question in the Apache documentation or code : because, from a HTTP 
protocol point of view, it does not make any sense, so it's just not there.
Yes ?




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
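
Added example, not part of the original message: steps 3 and 4 above and the 301 alternative, modelled with the standard URL class. It goes slightly beyond the message by also resolving a directory-relative and a scheme-relative link; the link list, the respond() redirect rule and all function names are constructed for illustration and are not Apache code.

```javascript
// Page URL taken from the message; the links are constructed sample data.
const PAGE_URL = "https://server.mycompany.com/login-page.html";
const SAMPLE_LINKS = [
  "/images/myimage.gif",                            // step 3: no protocol, no server
  "images/logo.png",                                // relative to the page's directory
  "//server.mycompany.com/docs/manual.pdf",         // server given, protocol missing
  "http://myserver.company.com/images/myimage.gif", // fully specified, plain http
];

// Step 4: the browser completes each link from the URL the page arrived on.
function resolveLinks(pageUrl, links) {
  const base = new URL(pageUrl);
  return links.map((link) => {
    const resolved = new URL(link, base);
    return {
      link,
      requested: resolved.href,
      // true when the link carried no protocol of its own
      inheritedScheme: !/^[a-z][a-z0-9+.-]*:/i.test(link),
      // true when an https page pulls this object over a non-https channel
      leavesHttps: base.protocol === "https:" && resolved.protocol !== "https:",
    };
  });
}

// Hypothetical server rule: answer https requests under /images/ with a 301
// pointing at the same path on http. Everything else gets a 200.
function respond(url) {
  const u = new URL(url);
  if (u.protocol === "https:" && u.pathname.startsWith("/images/")) {
    u.protocol = "http:";
    return { status: 301, location: u.href };
  }
  return { status: 200 };
}

// Follows redirects the way a browser does and returns every request made.
function fetchObject(url, maxRedirects = 5) {
  const requests = [];
  let current = url;
  for (let i = 0; i <= maxRedirects; i++) {
    requests.push(current);
    const r = respond(current);
    if (r.status !== 301) return requests;
    current = r.location; // new request, on a new connection
  }
  throw new Error("too many redirects");
}

for (const r of resolveLinks(PAGE_URL, SAMPLE_LINKS)) console.log(r);
console.log(fetchObject("https://server.mycompany.com/images/myimage.gif"));
```

The leavesHttps flag marks the objects an https page would load over plain http; the redirect case costs two requests where a direct link costs one.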

