tips:httpslogin
Differences
This shows you the differences between two versions of the page.
tips:httpslogin [2010-07-01 23:57] – 93.219.33.193 | tips:httpslogin [2018-09-29 11:31] (current) – [Apache] added example of a simple rule for https for all pages bruno.genere | ||
Line 1: | Line 1: | ||
====== Force Login via HTTPS ====== | ====== Force Login via HTTPS ====== | ||
- | Using Apache' | + | ===== Plugins ====== |
+ | ==== forcessllogin ==== | ||
+ | See https:// | ||
+ | =====Apache===== | ||
+ | Using Apache' | ||
- | You may want to read up on [[:rewrite|general | + | You may also need that all requests (and not only login) use HTTPS. To do so, create an .htaccess file in the root directory of DokuWiki and insert the following code. |
+ | <code apache .htaccess> | ||
+ | RewriteCond %{HTTPS} !on | ||
+ | RewriteRule (.*) https:// | ||
+ | </ | ||
+ | |||
+ | If you only want to force some specific URL, read up [[:rewrite|URL rewriting]] first. | ||
+ | |||
+ | Redirection to a secured connection which is restricted to a certain set of pages (e.g. login pages) requires their recognition based on the URL. Some pages (e.g. " | ||
+ | |||
+ | FIXME The rest of the paragraph only handles requests with a ''? | ||
+ | See discussion for solution. | ||
The following assumes you already set up HTTPS support for your wiki, making it available via HTTP and HTTPS on the same address. For performance reasons only the login and profile updates should be forced to HTTPS while all " | The following assumes you already set up HTTPS support for your wiki, making it available via HTTP and HTTPS on the same address. For performance reasons only the login and profile updates should be forced to HTTPS while all " | ||
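Review bot: the new always-HTTPS `.htaccess` snippet in this hunk (`RewriteCond %{HTTPS} !on` followed by `RewriteRule (.*) https://...`) shows neither `RewriteEngine On` nor any rule flags. In a per-directory `.htaccess` the engine is off by default, so the two lines do nothing until `RewriteEngine On` precedes them, and the redirect should carry explicit `[R=301,L]` flags so that Apache issues an external redirect and stops processing further rules instead of relying on the implied redirect for an absolute URL. Because this snippet redirects every request, it also contradicts the login-only rules later on the page that switch back to plain HTTP on `do=show`; the text should say to use one approach or the other, never both in the same file. The `FIXME` line admitting that the rest of the section only covers requests with a query string should be resolved in the text rather than deferred to the discussion.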
Line 14: | Line 29: | ||
RewriteCond %{HTTPS} !on | RewriteCond %{HTTPS} !on | ||
RewriteCond %{QUERY_STRING} do=(log|profile|admin) | RewriteCond %{QUERY_STRING} do=(log|profile|admin) | ||
- | RewriteRule ^(.*) https:// | + | RewriteRule ^(.*) https:// |
# Change back to non-secure on show action | # Change back to non-secure on show action | ||
RewriteCond %{HTTPS} on | RewriteCond %{HTTPS} on | ||
- | RewriteCond %{QUERY_STRING} | + | RewriteCond %{QUERY_STRING} |
RewriteCond %{REQUEST_METHOD} GET | RewriteCond %{REQUEST_METHOD} GET | ||
RewriteRule ^(.*) http:// | RewriteRule ^(.*) http:// | ||
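Review bot: the "Change back to non-secure on show action" rules in this hunk (`RewriteCond %{HTTPS} on`, `RewriteCond %{REQUEST_METHOD} GET`, `RewriteRule ^(.*) http://...`) deliberately move an authenticated session back to plain HTTP, so the session cookie that was issued during the HTTPS login is transmitted in cleartext on the very next `do=show` request. This only works because the page instructs readers to disable the securecookie option, which means the login password is protected but the resulting session cookie is exposed to anyone on the network path; the 30 Nov 15 discussion entry below makes the same objection. The surrounding text should state that trade-off explicitly and recommend keeping securecookie enabled and serving all pages over HTTPS, which the 16 Feb 2016 entry already proposes; the performance argument for switching back no longer justifies the downgrade.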
Line 25: | Line 40: | ||
You may want to change '' | You may want to change '' | ||
- | Note: the above switches back to non-SSL on the show action only. This means switchback might not occur immediately after login, but ensures there will be no "mixed content" | + | Notes: |
+ | * the above switches back to non-SSL on the show action only. This means switchback might not occur immediately after login, but ensures there will be no "mixed content" | ||
+ | |||
+ | * if you have other rewrite rules, such as [[: | ||
+ | |||
+ | * if your DokuWiki' | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ====securecookie==== | ||
+ | **Please note:** You need to disable the " | ||
+ | |||
+ | =====nginx===== | ||
+ | This setup is also possible in nginx but with a minor tweak to your fastcgi_params. | ||
+ | |||
+ | First, you need to have separate server instances, for '' | ||
+ | |||
+ | < | ||
+ | # Tested with nginx 0.8.5 | ||
+ | # In http context of your nginx configuration | ||
+ | map $scheme $php_https { default off; https on; } | ||
+ | |||
+ | server { | ||
+ | server_name wiki.host.org | ||
+ | root / | ||
+ | index doku.php; | ||
+ | listen 80; | ||
+ | #Enforce https for logins, admin | ||
+ | if ($args ~* do=(log|admin|profile)) { | ||
+ | rewrite ^ https:// | ||
+ | } | ||
+ | include dokuwiki.conf; | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | server_name wiki.host.org; | ||
+ | root / | ||
+ | index doku.php; | ||
+ | listen 443 ssl; | ||
+ | keepalive_requests | ||
+ | keepalive_timeout | ||
+ | ssl_certificate | ||
+ | ssl_certificate_key | ||
+ | #switch back to plain http for normal view | ||
+ | |||
+ | if ($args ~* (do=show|^$)){ | ||
+ | rewrite ^ http:// | ||
+ | } | ||
+ | include dokuwiki.conf; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | In '' | ||
+ | |||
+ | fastcgi_param HTTPS $php_https; | ||
+ | |||
+ | to your your fastcgi_params. This parameter and the '' | ||
+ | |||
+ | Like with apache, you need to disable [[# | ||
+ | |||
+ | |||
+ | ===== php Based HTTPS ===== | ||
+ | Below is useful if you wish to force https connection ALWAYS (not just for login), and wish not to rely on Apache or NGINX htaccess or other server specific directives. | ||
+ | |||
+ | <code php> | ||
+ | <?php | ||
+ | if ($_SERVER[HTTPS]!=" | ||
+ | // | ||
+ | // The function ' | ||
+ | // So, try to don't use getenv(' | ||
+ | $strURIName= $_SERVER[' | ||
+ | header (" | ||
+ | // If it doesn' | ||
+ | // uncomment below to find out about your particular server variables | ||
+ | /* | ||
+ | echo "< | ||
+ | reset($_SERVER); | ||
+ | while (list ($key, $val) = each ($_SERVER)) { | ||
+ | print $key . " = " . $val . "< | ||
+ | } | ||
+ | */ | ||
+ | } | ||
+ | |||
+ | ?> | ||
+ | </ | ||
+ | |||
+ | Thanks.. That saved my day! | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Discussion ===== | ||
+ | ==== [[: | ||
+ | Isn't [[: | ||
+ | |||
+ | ==== Update for 2014-05-05 " | ||
+ | Are these instructions up to date for 2014-05-05 " | ||
+ | |||
+ | ==== 17 Jul 14 - Access Denied SSL Login fix ==== | ||
+ | I have created the solution to the “access denied” pages that enables rewrite rules to redirect the user to an SSL login page. | ||
+ | This fix was an edit to the source code that redirects the user to the same page with the ‘do=login’ query string this enables the rewrite rules to take effect and redirect to an SSL login page, once the user logs in they will be presented with the page they tried to access. This fix is on my websites [[http:// | ||
+ | |||
+ | ==== 25 Nov 15 - wrong protocol service or infinite loop ==== | ||
+ | |||
+ | I try to CASsify my **Dokuwiki** with **phpCAS**. My CAS server does not allow http services (which I could change but it is not my purpose).\\ | ||
+ | So I did install the plugin authplaincas with success and the phpCAS lib too. Evrything is OK except one thing : '' | ||
+ | https:// | ||
+ | First I was thinking **phpCAS** was the problem then it was **Dokuwiki** and then again **phpCAS** but now I think it is **DokuWiki** which report the wrong protocol service. | ||
+ | I tried different solution like rewrite engine into '' | ||
+ | For more information, | ||
+ | I think the problem is HTTPS protocol information is not transmit to my backend which host my DokuWiki or when I get infinite loop I think my cookie is not preserve. | ||
+ | How can I fix it or debug it ? Help will be very appreciate. | ||
+ | |||
+ | Regards, | ||
+ | Guy CARRÉ\\ | ||
+ | | ||
+ | |||
+ | **EDIT** | ||
+ | I found what it was wrong and I post it here : | ||
+ | https:// | ||
+ | |||
+ | Good night ;-) | ||
+ | |||
+ | ==== 30 Nov 15 - do ==== | ||
+ | Over HTTP, not logged on a inexistent page if you try to view source(do=edit), | ||
+ | I suggest to switch to https on " | ||
+ | Also, I'm not sure that this configuration really **needs** secure cookie disabled, it needs it **enabled** to me. Actually, steal a cookie is as easy as steal a cleartext password. Ok, it doesn' | ||
+ | Switching back to http, you loose session : abilities to edit, config etc, what's wrong with this? Doing such an action puts you back to https, the cookie is send and you retrieve your session. Maybe some other actions need to switch to https then like media things, etc, I don't know.\\ | ||
+ | These are just suggestions, | ||
+ | |||
+ | ==== 16 Feb 2016 - Use TLS all the time ==== | ||
+ | |||
+ | We should amend this tip to recommend using TLS for all connections. | ||
+ | < | ||
+ | |||
+ | One step further would be to strongly recommend that TLS be configured by default. | ||
- | * **Please note:** You need to disable the " |
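Review bot: the PHP snippet added in this hunk has defects that should be fixed before the page recommends it. `$_SERVER[HTTPS]` uses a bare constant where the string key `$_SERVER['HTTPS']` is meant, and no `exit;` follows the `header("Location: ...")` call, so the remainder of the script keeps executing and its output is sent over plain HTTP together with the redirect; `header(...); exit;` is the correct form. The snippet also assumes `$_SERVER['HTTPS']` is set, which is not the case behind a reverse proxy or with the nginx setup earlier in this hunk unless the front end passes it through (the `fastcgi_param HTTPS $php_https;` line), and that is consistent with the redirect loop reported in the 25 Nov 15 discussion entry; the text should call this out. The commented-out debugging loop relies on `each()`, deprecated since PHP 7.2 and removed in PHP 8.0, so `foreach ($_SERVER as $key => $val)` is the form to show.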
tips/httpslogin.txt · Last modified: 2018-09-29 11:31 by bruno.genere