[opencms-dev] Force HTTPS for workplace access

Paul-Inge Flakstad flakstad at npolar.no
Wed Apr 16 11:27:54 CEST 2014


Hi all,

After setting up HTTPS, the entire online site is now available via both HTTP and HTTPS.

This is not ideal, for at least a couple of reasons:
1. We use a self-signed certificate.
2. It will cause a serious duplicate content situation.

So, what I actually want is to force HTTP for the online site (there is no real need for HTTPS), while allowing HTTPS for logged-in traffic.

Note: If you are at ease with your certificate and *want* to offer both HTTP and HTTPS at the same time, there are several good approaches to handle the duplicate content problem: http://moz.com/community/q/duplicate-content-and-http-and-https

My current solution is to permanently redirect from HTTPS to HTTP if the user is not logged in. I do this in my site-wide template:
if (!loggedInUser && secureRequest) {
    redirectPermanently(nonSecureUrl);
}

This way, the login form is always HTTPS (and consequently also the workplace traffic). At the same time, regular visitors are served via HTTP – even if they attempt to use HTTPS.

The downside is that I won’t be able to serve any pages via HTTPS, unless I also add exception(s) in the redirect routine.

My question:
Am I doing this like I should, or is there a better way? (Duplicate content and certificate issues aside.)

Cheers,
Paul

From: opencms-dev-bounces at opencms.org [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Paul-Inge Flakstad
Sent: 11. april 2014 15:20
To: The OpenCms mailing list
Subject: Re: [opencms-dev] Force HTTPS for workplace access

LOL I have been sitting here too long %-) Should’ve seen that myself, as I’ve been creating redirects like crazy these last weeks ...

This works like a charm – of course. Thanks for the lightning fast reply, Arash :)

BTW, I slightly modified the rule:
RewriteRule ^/system/login/(.*)$ https://www2014.npolar.no/system/login/$1 [R=301,L]

Cheers,
Paul

From: opencms-dev-bounces at opencms.org [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash Kaffamanesh
Sent: 11. april 2014 15:04
To: The OpenCms mailing list
Subject: Re: [opencms-dev] Force HTTPS for workplace access

Hi,
you shall use an apache rewrite rule in your vhost to bump the user to the login page:

RewriteRule ^/system/login.* https://<workplaceserver>/system/login/ [L,R]

See also page 36 here:

http://ow.ly/uFzGk

Kind Regards,
Arash


On Fri, Apr 11, 2014 at 2:53 PM, Paul-Inge Flakstad <flakstad at npolar.no> wrote:
Hi,

I’d like to force HTTPS for workplace login / communication. Is there an easy way?

According to the wiki (http://www.opencms-wiki.org/wiki/Enforcing_SSL_Encryption_for_the_Opencms_workplace ), “somebody [who] tries to access the workplace using an unsafe connection, [...] will be automatically redirected to the secured connection”.

Well, not so in my case – I can access the workplace login using *both* HTTP and HTTPS, no HTTP -> HTTPS redirect.

OpenCms is 7.5.2. I’ve got Apache in front.

Cheers,
Paul
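
Added example, not part of the original thread or of OpenCms: a small Python model of the two redirects discussed above (the RewriteRule for /system/login/ and the template check for anonymous HTTPS requests) that follows the redirect chain and reports a loop. It assumes the RewriteRule sits only in the port-80 vhost and that the login page is not rendered through the site template; covers_login is a hypothetical switch for the case where it is.

```python
import re
from urllib.parse import urlsplit

HOST = "www2014.npolar.no"                        # host from the RewriteRule in the thread
LOGIN_RULE = re.compile(r"^/system/login/(.*)$")  # pattern from the same rule


def apache_rule(url):
    """RewriteRule, assumed to live in the port-80 vhost only: login URLs -> HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http" and LOGIN_RULE.match(parts.path):
        return parts._replace(scheme="https", netloc=HOST).geturl()
    return None


def template_rule(url, logged_in, covers_login=False):
    """Template check from the post: anonymous HTTPS requests -> HTTP.
    covers_login=True models the template (hypothetically) also wrapping the login page."""
    parts = urlsplit(url)
    if LOGIN_RULE.match(parts.path) and not covers_login:
        return None
    if not logged_in and parts.scheme == "https":
        return parts._replace(scheme="http").geturl()
    return None


def resolve(url, logged_in, covers_login=False, max_hops=5):
    """Apply both rules until neither fires; return the chain of URLs visited."""
    chain = [url]
    for _ in range(max_hops):
        nxt = apache_rule(chain[-1]) or template_rule(chain[-1], logged_in, covers_login)
        if nxt is None:
            return chain
        if nxt in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    # Constructed sample requests: (URL, logged-in flag)
    for url, user in [("http://www2014.npolar.no/system/login/", False),
                      ("https://www2014.npolar.no/en/about.html", False),
                      ("https://www2014.npolar.no/en/about.html", True),
                      ("http://www2014.npolar.no/en/about.html", True)]:
        print(user, " -> ".join(resolve(url, user)))
```

The last sample request shows that a logged-in request arriving over HTTP matches neither rule and stays on HTTP.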

