httpd-users mailing list archives

From Christoph Pilka <christoph.pi...@googlemail.com>
Subject Re: [users@httpd] HTTPS local site -> HTTP remote destination & referer pass-through
Date Thu, 15 Dec 2011 12:43:53 GMT
Hi Tom et al.

Hm, OK. I've noticed that some sites do exactly what we need in our case: disobeying this
"SHOULD NOT" in RFC 2616. E.g. I'm logged in at Facebook and click a link to one of the sites
I have log access to. I'm using HTTPS at the Facebook site. The referer header appears within
my Apache log. Which kind of tech would make this available? Maybe a proxy in front of the
Apache? Header rewriting?

Cheers,
Chris
 
On 15.12.2011, at 12:58, Tom Evans wrote:

> On Thu, Dec 15, 2011 at 10:59 AM, Christoph Pilka
> <christoph.pilka@googlemail.com> wrote:
>> Howdy,
>> 
>> according to RFC 2616 chapter 15.1.3 "Clients SHOULD NOT include a Referer header
>> field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol"
>> which makes sense in certain circumstances because of sensitive data the HTTPS request would
>> hand over. But is there any way to configure the HTTPS site's Apache to strip down this behaviour
>> and tell the web server to only deliver the hostname within the referer header? In our case
>> we need some kind of solution to pass-through the referer to external HTTP sites for evaluation
>> purposes. Our site uses purely HTTPS. Many thanks in advance for any hints.
>> 
>> Cheerio,
>> Chris
>> 
> 
> No, there is no way for a http server to tell a client "Actually, go
> ahead and disobey that RFC".
> 
> Cheers
> 
> Tom
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 

