[Mailman-Users] help Securing Mailman's web GUI by using Secure HTTP/SSL

[Richard Barrett]

On 26 Jun 2006, at 21:00, daniel trejo wrote:

> I added these lines to apache to force https login,I also modified the
> mm_config.py to change the dafault url and ran the withlist script,  
> but when
> i put the url on my browser appears a message saying that the  
> redirection
> has no end or something like that.
>

Further thought.

The browser is telling you that when it requested the URL https:// 
name of my server/mailman/ it was redirected to the URL https://name  
of my server/mailman/, which redirected it to the URL https://name of  
my server/mailman/, which redirected it to the URL https://name of my  
server/mailman/ ...

Browser are programmed to get bored with this infinite loop and quit  
after 10 or so consecutive redirects back to the same URL.

As to what to do, see my previous response. Much depends on what  
version of Apache ypu are using and the rest of its confiugration.

With Apache2 consider using mod_rewrite and the RewriteRule and  
RewriteCond directives rather than using the Redirect directive. That  
way you can make the redirection conditional on the request's scheme  
so that redirection only occurs when an HTTP request is made while  
the request is actually serviced if an HTTPS request is made.

Personally I would use separate HTTP and HTTPS VirtualHost's to make  
the problem disappear.

> ScriptAlias /mailman/ "/usr/local/mailman/cgi-bin/"
> Alias /pipermail/ "/usr/local/mailman/archives/public/"
> <Directory "/usr/local/mailman/cgi-bin">
>  AllowOverride None
>  Options +ExecCGI -Includes
>  Order allow,deny
>  Allow from all
>  SSLCipherSuite HIGH:MEDIUM
> </Directory>
>
> <Directory "/usr/local/mailman/archives/public">
>  AllowOverride None
>  Order allow,deny
>  Allow from all
>  Options FollowSymLinks
>
> </Directory>
>
>
> Redirect /mailman/ https://name of my server/mailman/
> ------------------------------------------------------