[Mailman-Users] Web Admin Security Question

Dennis Putnam dap1 at bellsouth.net
Wed May 23 17:35:56 CEST 2012


Hi Chris,

Thanks for the reply. Yes, my SSL config is all working. Everything is
fine if I manually use https. The problem is, using http is supposed to
force https. I have not tried redirectmatch since I guess I didn't know
about it until now. I'm not an Apache config expert so I'll have to
investigate that.

On 5/23/2012 10:48 AM, C Nulk wrote:
> Hello Dennis,
>
> If you are using the CentOS 5 and installed Apache as part of the
> install, you should have a file called 'ssl.conf' in the
> '/etc/httpd/conf.d/' directory.  Have you set up that file correctly? 
> When I set up my system, I needed to make a few changes to that file. 
> In my file, I have a virtual host ("_default_") and within the virtual
> host configuration there is a switch to turn on the SSL Engine called
> "SSLEngine"  values are on or off.  Make sure it is on.  Also, make sure
> your certificates are correct in the file.  For your ssl logs, the file
> may be pointing your logs to a different location other than
> /var/log/httpd, but I doubt it.  Check to be sure.
>
> As for redirecting from http to https, here are my rules (in a file
> called mailman.conf in /etc/httpd/conf.d along with other mailman rules):
>
>    RedirectMatch ^/mailman[/]*$  https://%{HTTP_HOST}/mailman/listinfo
>    RedirectMatch ^[/]*$          https://%{HTTP_HOST}/mailman/listinfo
>
> although instead of %{HTTP_HOST} I have the actual hostname.
>
> I also don't bother with the rewrite rules, like turning the rewrite
> engine on etc.  I do load the rewrite_module ('modules/mod_rewrite.so')
> but so far, I have needed to use it.  The Redirect set of commands use
> the mod_alias module.  It seems to work for me.
>
> Good Luck,
> Chris
>
> On 5/23/2012 5:37 AM, Dennis Putnam wrote:
>> Thanks and you are, of course, correct. I knew that but I was desperate
>> to try to get something, anything, working. I did fix it but since the
>> more generic version did not work, it is not a surprise that the more
>> specific rule does not work either.
>>
>> Yes I did check all the logs I could think of but nothing that indicates
>> it even ran a rewrite rule. I don't see anything in the ssl_access or
>> error logs either so that tells me ssl is never being used. Does that
>> not imply that the rewrite engine is not working?
>>
>> When I use http://... it brings up the correct page. As I said
>> originally, everything works if I use http or if I manually use https.
>> It is forcing https that doesn't. Once again it seems to be pointing to
>> the rewrite engine not working.
>>
>> On 5/22/2012 2:25 PM, Mark Sapiro wrote:
>>> Dennis Putnam wrote:
>>>> I assume you mean the entire mailman site as opposed to the entire web
>>>> site.
>>> No. I meant the entire web site. Just because you put something in
>>> /etc/httpd/conf.d/mailman.conf doesn't make it magically just apply to
>>> Mailman. It depends on where in httpd.conf that file is included.
>>>
>>> In a normal Centos distro, the
>>>
>>> Include conf.d/*.conf
>>>
>>> directive is in the Global Environment section of httpd.conf and thus
>>> anything in any of the included files affects or at least sets a
>>> default for the entire site.
>>>
>>> If you want to force https only for Mailman CGIs, your rewrite rule
>>> should be something like
>>>
>>> RewriteRule ^/mailman(/.*)  https://%{HTTP_HOST}/mailman$1   [L,R]
>>>
>>> If you want to include forced https for public archive access (why
>>> would you?), maybe something like
>>>
>>> RewriteRule ^/pipermail(/.*)  https://%{HTTP_HOST}/pipermail$1   [R]
>>> RewriteRule ^/mailman(/.*)  https://%{HTTP_HOST}/mailman$1   [L,R]
>>>
>>> or
>>>
>>> RewriteRule ^/(mailman|pipermail)(/.*) https://%{HTTP_HOST}/$1$2 [L,R]
>>>
>>> would be appropriate.
>>>
>>>
>>>> Yes, that is what I want. Yes, it SHOULD work but doesn't. The
>>>> main problem is that there are no errors anywhere I can find and I have
>>>> no idea how to debug this.
>>> Have you looked in all the httpd logs (/var/log/httpd/*log)?
>>>
>>> What actually happens when you go to
>>> <http://www.example.com/mailman/admin/>?
>>>
>>
>>
>> ------------------------------------------------------
>> Mailman-Users mailing list Mailman-Users at python.org
>> http://mail.python.org/mailman/listinfo/mailman-users
>> Mailman FAQ: http://wiki.list.org/x/AgA3
>> Security Policy: http://wiki.list.org/x/QIA9
>> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
>> Unsubscribe: http://mail.python.org/mailman/options/mailman-users/cnulk%40scu.edu
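The rules quoted in this thread (Mark Sapiro's RewriteRule patterns and Chris's RedirectMatch rules) are plain regular expressions matched against the request's URL-path, so they can be sanity-checked without restarting httpd. The script below is an added example, not code from any poster on this list: it replays both rule sets against constructed sample paths, reports the redirect target each would produce, and checks that a target uses https and stays on the hostname you expect (since `%{HTTP_HOST}` echoes the client-supplied Host header, Chris's habit of writing the literal hostname is the safer choice). The hostname and paths are made up for the demonstration.

```python
import re
from urllib.parse import urlparse

# Rule sets as (pattern, target template). The patterns are the ones quoted
# in the thread; {host} stands in for %{HTTP_HOST} (or a literal hostname),
# and \1 / \2 take the place of mod_rewrite's $1 / $2 back-references.
REWRITE_RULES = [
    # Mark Sapiro's combined RewriteRule, evaluated in server (not
    # per-directory) context, so the path starts with a leading '/'.
    (r"^/(mailman|pipermail)(/.*)", r"https://{host}/\1\2"),
]

REDIRECTMATCH_RULES = [
    # Chris's mod_alias RedirectMatch rules (he uses a literal hostname).
    (r"^/mailman[/]*$", r"https://{host}/mailman/listinfo"),
    (r"^[/]*$", r"https://{host}/mailman/listinfo"),
]


def redirect_target(path, host, rules):
    """Return the URL the first matching rule sends `path` to, or None.

    First match wins, mirroring the [L] flag on the RewriteRule; a None result
    means the request would be served over plain http unchanged, which is
    exactly the symptom Dennis is chasing."""
    for pattern, template in rules:
        match = re.match(pattern, path)
        if match:
            return match.expand(template.replace("{host}", host))
    return None


def redirect_is_safe(target, expected_host):
    """True only if the redirect lands on https *and* on the host we own.

    Guards against a redirect built from %{HTTP_HOST} pointing wherever the
    client's Host header said; pinning the hostname avoids that entirely."""
    parsed = urlparse(target)
    return parsed.scheme == "https" and parsed.hostname == expected_host


if __name__ == "__main__":
    # Constructed sample requests: a hypothetical host and typical Mailman paths.
    host = "www.example.com"
    sample_paths = [
        "/", "/mailman", "/mailman/", "/mailman/admin/",
        "/mailman/listinfo", "/pipermail/testlist/2012-May/",
        "/mailmanx/", "/index.html",
    ]
    for name, rules in (("RewriteRule", REWRITE_RULES),
                        ("RedirectMatch", REDIRECTMATCH_RULES)):
        print(f"--- {name} ---")
        for path in sample_paths:
            target = redirect_target(path, host, rules)
            verdict = "no redirect" if target is None else (
                target + ("" if redirect_is_safe(target, host) else "  (UNSAFE)"))
            print(f"{path:32} -> {verdict}")
```

Running it shows the gap worth knowing about before blaming the rewrite engine: `^/mailman(/.*)` never matches a bare `/mailman` (no trailing slash), which is precisely the case Chris's first RedirectMatch covers, while Chris's rules alone leave `/mailman/admin/` on http. Checking each rule's output against the `Location:` header that `curl -I http://host/mailman/admin/` returns from the live server tells you whether the config file is being read at all.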

