Forum OpenACS Q&A: Secure Vs. Insecure locations

Posted by Richard Hamilton on 10/30/02 11:34 AM

Hi,

Sorry if this is a stupid question but I have searched all the docs and the fora for a thread to help but have not found.

In the ecommerce module there is a wonderful parameter that solves the problem of redirecting to an arbitary secure location for an https connection to AOLServer on any port. It is called 'SecureLocation' and is described as :

A URL fragment (protocol, hostname, and port) appended before transactions URLs. Defaults to "". If the value is "" ecommerce will examine the values of httpModule and httpsModule to determine the secure location.

There is also the equivalent for 'InsecureLocation'

Please can someone tell me where/how to set the equivalent of this parameter for the whole of an ACS4.5/4.6 system so that anyone clicking on 'Site Wide Admin' from the main page can be directed to https://www.server.com:8443/acs-admin instead of simply http://www.server.com/acs-admin (which of course won't work if acs- admin is restricted to https).

Many Thanks

Regards

Richard

2: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 02:47 PM

Just to clarify. I know that it will be possible to modify the links themselves on pages to point to the https connection (and probably better to force https login anyway to cause both insecure and secure tokens to be issued), but what I was hoping to find was a parameter like the one in the ecommerce module that works for the rest of the site and re-directs all requests for 'https only' nodes to the specified URL stub for the secure server.

Can anyone point me in the right direction?

Many Thanks

Richard

3: Response to Secure Vs. Insecure locations (response to 1)

Posted by C. R. Oldham on 10/30/02 04:51 PM

The Main Site parameter RestrictToSSL doesn't take care of this for you?

4: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 08:03 PM

No, I don't think so.

Unless I am missing something I think that the RestrictToSSL parameter tells the ACS that I want for example '/acs-admin' to only be accessible through https. However it does not take care of telling the request processor where to redirect the browser to for the secure connection (ie https://www.server.com:8443/acs-admin).

Thus setting this parameter will prevent anyone connecting to '/acs-admin' using http but will not automatically switch to https and add the port number for the secure location.

Regards Richard

5: Response to Secure Vs. Insecure locations (response to 1)

Posted by C. R. Oldham on 10/30/02 08:10 PM

Oh OK, I think I understand now. Richard, I replied to you in email a few minutes ago, but for the record, the request processor gets this information from the parameters for the ssl module (whichever one you use). So if you configured (via the regular AOLserver configuration file) an ssl listener on port 8443 and it is working OK then the RP picks that information up from AOLserver and does the appropriate redirect. I might still be misunderstanding what you need, though. Is /acs-admin not properly redirected on your installation? It is on mine, and I didn't have to do anything else other than make sure my ssl listener (nsopenssl in this case) was working correctly.

6: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 08:18 PM

Thank you. Yes I have just replied to you by e-mail so from here on in I will stick to the forum!

On my system the redirection is not happening correctly. So thank you, you have pointed me in the right direction. Clearly there is something not quite right with my nsopenssl config. I cannot think what though off the top of my head because there are no errors in the log and a direct request for 'https://www.server.com:8443/acs-admin' works perfectly.

Any ideas? Regards Richard

7: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 08:23 PM

I have just tried connecting explicitly to 'http://www.server.com:8000' and then clicking on Site Wide Admin. What I get is a pop up window saying that I am about to enter a secure connection (to which I click yes) and then the browser's request line changes to 'http://www.server.com:8000/acs-admin' and the page doesn't load.

If I type 'https://www.server.com:8443/acs-admin', I get the admin pages without any problem.

Regards

Richard

8: Response to Secure Vs. Insecure locations (response to 1)

Posted by C. R. Oldham on 10/30/02 08:28 PM

Which browser are you running? And how recent is your OpenACS installation? I patched a problem similar to this and the patch made it into the distribution for 4.6, but it was not in 4.5. I'd also be willing to bet that when you said "browser's request line changes to 'http://www.server.com:8000/acs-admin'" it actually changed to httpS://www.server.com:8000/acs-admin--that was what my patch fixed. It works around a bug in IE where IE will not redirect properly to https on a non-standard port.

I can send you the patch file itself if you can't update to 4.6 from CVS.

9: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 08:37 PM

No unfortunately I have been very careful to check that. here is the line copied and pasted from the IE 6.0 address line after the failed redirect:

http://www.ecommerce.com:8000/acs-admin/

If I try using Mozilla I get a dialog box saying that the connection has been refused. A direct https request on port 8443 however works perfectly.

Regards

Richard

10: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 08:45 PM

#
# AOLserver/OpenNSD Configuration File
#
# richard_s.hamilton@virgin.net
#
#########################
#########################
# General Configuration #
#########################
#########################

set server              "server"
set servername          "openacs"

ns_log notice "${server}.tcl:  Starting to read config file..."

set httpport            8000
set httpsport           8443

set hostname            www.${server}.com
set address             192.168.100.2

set homedir             [file dirname [ns_info config]]
set bindir              [file dirname [ns_info nsd]]

set pageroot            /web/${server}/www
set directoryfile       index.tcl,index.adp,index.html,index.htm

set ext [info sharedlibextension]

set sslkeyfile ${homedir}/servers/${server}/modules/nsopenssl/key.pem
set sslcertfile ${homedir}/servers/${server}/modules/nsopenssl/cert.pem
set sslcacertfile ${homedir}/servers/${server}/modules/nsopenssl/ca/cacert.pem

#set nscp_port 9999
#set nscp_addr 127.0.0.1
#set nscp_user ""
#set nscp_user "nsadmin:t2GqvvaiIUbF2:" ;# sample user="nsadmin", pw="x".


############################
# Global server parameters #
############################

ns_section "ns/parameters"
        ns_param   home         $homedir
        ns_param   debug        false
#       ns_param   MailHost     localhost
        ns_param   ServerLog    ${homedir}/log/${server}.log
#       ns_param   LogRoll      on


########################################
# Thread library (nsthread) parameters #
########################################

ns_section "ns/threads"
        ns_param   mutexmeter      true      ;# measure lock contention
        ns_param   stacksize [expr 256*1024] ;# Per-thread stack size for hungry C modules


##############
# MIME types #
##############

ns_section "ns/mimetypes"
        ns_param   default         "*/*"     ;# MIME type for unknown extension
        ns_param   noextension     "*/*"     ;# MIME type for missing extension
#        ns_param   ".xls"         "application/vnd.ms-excel''


##############################
##############################
# Server-level configuration #
##############################
##############################

ns_section "ns/servers"
        ns_param   $server     $servername


#####################
# Server parameters #
#####################

ns_section "ns/server/${server}"
        ns_param   directoryfile        $directoryfile
        ns_param   pageroot             $pageroot
        ns_param   maxconnections       50
        ns_param   maxdropped           0
        ns_param   maxthreads           50
        ns_param   minthreads           5
        ns_param   threadtimeout        120
        ns_param   globalstats          false     ;# Enable built-in statistics
        ns_param   urlstats             false     ;# Enable URL statistics
        ns_param   maxurlstats          1000      ;# Max number of URL's to do stats on

        ns_param   NotFoundResponse               ${pageroot}/global/www/file-not-found.html
        ns_param   ServerBusyResponse             ${pageroot}/global/www/busy.html
        ns_param   ServerInternalErrorResponse    ${pageroot}/global/www/error.html
        ns_param   ForbiddenResponse              ${pageroot}/global/www/forbidden.html
        ns_param   UnauthorizedResponse           ${pageroot}/global/www/unauthorized.html


#####################
# Tcl Configuration #
#####################

ns_section "ns/server/${server}/tcl"
        ns_param autoclose      "on"
        ns_param debug          "false"
        #ns_param library        "/usr/local/aolserver/modules/tcl"
        ns_param library        "/web/${server}/tcl"


######################
# Directory listings #
######################

# use an ADP or a Tcl proc to generate them.

        #ns_param   directoryadp    $pageroot/dirlist.adp ;# Choose one or the other
        #ns_param   directoryproc    _ns_dirlist           ;#  ...but not both!
        ns_param   directorylisting  fancy                ;# Can be simple or fancy


##############################################
# ADP (AOLserver Dynamic Page) configuration #
##############################################

ns_section "ns/server/${server}/adp"
        ns_param   map           "/*.adp"  ;# Extensions to parse as ADP's
        #ns_param   map          "/*.html" ;# Any extension can be mapped
        ns_param   enableexpire  false     ;# Set "Expires: now" on all ADP's
        ns_param   enabledebug   false     ;# Allow Tclpro debugging with "?debug"
        ns_param   defaultparser fancy


# ADP special pages
        #ns_param   errorpage      ${pageroot}/errorpage.adp ;# Pretty-print ADP scripting errors


###################################
# ADP custom parsers -- see adp.c #
###################################

ns_section "ns/server/${server}/adp/parsers"
        ns_param   fancy            ".adp"


###################
# Modules to load #
###################

# Note that nsssl loads only if requisite files already exist (see top of this file).

ns_section "ns/server/${server}/modules"
        ns_param   nssock          ${bindir}/nssock${ext}
        ns_param   nslog           ${bindir}/nslog${ext}
        ns_param   nssha1          ${bindir}/nssha1${ext}
        ns_param   nscache         ${bindir}/nscache${ext}
        ns_param   nsrewrite       ${bindir}/nsrewrite${ext}
        ns_param   nsxml           ${bindir}/nsxml${ext}
        ns_param   nsvhr           ${bindir}/nsunix${ext}
        ns_param   nsfts           ${bindir}/nsfts${ext}

if { [file exists $sslcertfile] && [file exists $sslkeyfile] } {
        ns_param   nsssl           ${bindir}/nsopenssl${ext}
} else {
    ns_log warning "${server}.tcl: nsssl not loaded because key/cert files do not exist."
}

#        ns_param   nsperm          ${bindir}/nsperm.so
#        ns_param   nscgi           ${bindir}/nscgi.so
#        ns_param   nsjava          ${bindir}/libnsjava.so


##########################################
# Socket driver module (HTTP)  -- nssock #
##########################################

ns_section "ns/server/${server}/module/nssock"
        ns_param   timeout      120
        ns_param   port         $httpport
        ns_param   hostname     $hostname
        ns_param   address      $address


##########################################
# Socket driver module (HTTP)  -- nsvhr #
##########################################

# This section added by RH on 27/11/01. Virtual Hosting Redirector configuration.
ns_section "ns/server/${server}/module/nsvhr"
        ns_param    hostname          "www.${server}.com"
        ns_param    socketfile        "${server}.nsunix"
# End of section added by RH on 27/11/01.


##########################################
# Socket driver module (HTTPS) -- nsssl: #
##########################################

# Section added by Richard Hamilton on 24/10/02. Configuration for nsopenssl v2.1.
# Sourced from http://www.scottg.net/webtools/aolserver/modules/nsopenssl/configuration
# nsssl does not load unless sslkeyfile/sslcertfile exist (above).

ns_section "ns/server/${server}/module/nsssl"

# General settings
         ns_param ServerPort                      $httpsport
         ns_param ServerHostname                  $hostname
         ns_param ServerAddress                   $address

# NSD-driven connections:
         ns_param ServerCertFile                  $sslcertfile
         ns_param ServerKeyFile                   $sslkeyfile
         ns_param ServerProtocols                 "SSLv2, SSLv3, TLSv1"
         ns_param ServerCipherSuite               "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
         ns_param ServerSessionCache              false
         ns_param ServerSessionCacheID            1
         ns_param ServerSessionCacheSize          512
         ns_param ServerSessionCacheTimeout       300
         ns_param ServerPeerVerify                true
         ns_param ServerPeerVerifyDepth           3
         ns_param ServerCADir                     ca
         ns_param ServerCAFile                    $sslcacertfile
         ns_param ServerTrace                     false

# For listening and accepting SSL connections via Tcl/C API:
         ns_param SockServerCertFile              $sslcertfile
         ns_param SockServerKeyFile               $sslkeyfile
         ns_param SockServerProtocols             "SSLv2, SSLv3, TLSv1"
         ns_param SockServerCipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
         ns_param SockServerSessionCache          false
         ns_param SockServerSessionCacheID        2
         ns_param SockServerSessionCacheSize      512
         ns_param SockServerSessionCacheTimeout   300
         ns_param SockServerPeerVerify            true
         ns_param SockServerPeerVerifyDepth       3
         ns_param SockServerCADir                 ca
         ns_param SockServerCAFile                $sslcacertfile
         ns_param SockServerTrace                 false

# Outgoing SSL connections
         #ns_param SockClientCertFile              $sslcertfile
         #ns_param SockClientKeyFile               $sslkeyfile
         #ns_param SockClientProtocols             "SSLv2, SSLv3, TLSv1"
         #ns_param SockClientCipherSuite           "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
         #ns_param SockClientSessionCache          false
         #ns_param SockClientSessionCacheID        3
         #ns_param SockClientSessionCacheSize      512
         #ns_param SockClientSessionCacheTimeout   300
         #ns_param SockClientPeerVerify            true
         #ns_param SockServerPeerVerifyDepth       3
         #ns_param SockClientCADir                 ca
         #ns_param SockClientCAFile                ca.pem
         #ns_param SockClientTrace                 false

# Typically where you store your certificates
# Defaults to $AOLSERVER/servers/${servername}/modules/nsopenssl
         ns_param ModuleDir                       ${homedir}/servers/${server}/modules/nsopenssl

# OpenSSL library support:
         ns_param RandomFile                      /bin/sfxload
         ns_param SeedBytes                       1024

# End of section


####################
# Database drivers #
####################

ns_section "ns/db/drivers"
    ns_param   postgres     ${bindir}/postgres${ext}  ;# Load PostgreSQL driver

ns_section "ns/db/driver/postgres"
    ns_param   pgbin        /usr/local/pgsql/bin

ns_section "ns/db/pools"
    ns_param   main       "OpenACS Main Pool"
    ns_param   log        "OpenACS Log Pool"
    ns_param   subquery   "OpenACS Subquery Pool"

ns_section "ns/db/pool/main"
    ns_param Driver postgres
    ns_param Connections 5                  ;# 5 is a good number. Increase according to your needs
    ns_param DataSource localhost::${server} ;# Replace 'yourdb' with the name of your database in PG
    ns_param User nsadmin                   ;# User and password AOLserver will use to connect
    ns_param Password "castledb430"
    ns_param Verbose Off                    ;# Set it to On to see all queries. Good for debugging SQL.
    ns_param LogSQLErrors On
    ns_param ExtendedTableInfo On
#    ns_param MaxOpen 1000000000            ;# Max time to keep idle db connection open
#    ns_param MaxIdle 1000000000            ;# Max time to keep active db connection open

ns_section "ns/db/pool/log"
    ns_param Driver postgres
    ns_param Connections 5
    ns_param DataSource localhost::${server}
    ns_param User nsadmin
    ns_param Password "castledb430"
    ns_param Verbose On
    ns_param LogSQLErrors On
    ns_param ExtendedTableInfo On
#    ns_param MaxOpen 1000000000
#    ns_param MaxIdle 1000000000

ns_section "ns/db/pool/subquery"
    ns_param Driver postgres
    ns_param Connections 2
    ns_param DataSource localhost::${server}
    ns_param User nsadmin
    ns_param Password "castledb430"
    ns_param Verbose On
    ns_param LogSQLErrors On
    ns_param ExtendedTableInfo On
#    ns_param MaxOpen 1000000000
#    ns_param MaxIdle 1000000000

ns_section "ns/server/${server}/db"
        ns_param Pools          "*"
        ns_param DefaultPool    "main"


#######################
# Access log -- nslog #
#######################

ns_section "ns/server/${server}/module/nslog"
        ns_param   rolllog         true      ;# Should we roll log?
        ns_param   rollonsignal    true      ;# Roll log on SIGHUP
        ns_param   rollhour        0         ;# Time to roll log
        ns_param   maxbackup       5         ;# Max number to keep around when rolling

#
# CGI interface -- nscgi, if you have legacy stuff. Tcl or ADP files inside
# AOLserver are vastly superior to CGIs. You don't actually need the Interps
# if your script calls the appropriate interpreter itself.
#
#ns_section "ns/server/${server}/module/nscgi"
#       ns_param   map "GET  /cgi-bin /web/$server/cgi-bin"
#       ns_param   map "POST /cgi-bin /web/$server/cgi-bin"
#       ns_param   Interps CGIinterps

#ns_section "ns/interps/CGIinterps"
#       ns_param .pl "/usr/bin/perl"


########################
# Control port -- nscp #
########################

# nscp does not load unless nscp_user is a valid user.
# nscp: Uncomment the sample password and log in with "nsadmin", password "x",
#       type "ns_crypt newpassword salt" and put the encrypted string below.

#ns_section "ns/server/${server}/module/nscp"
#        ns_param   port            $nscp_port
#        ns_param   address         $nscp_addr

#ns_section "ns/server/${server}/module/nscp/users"
#        ns_param   user            $nscp_user

#if { $nscp_user != "" } {
#    ns_param nscp ${bindir}/nscp${ext}
#} else {
#    ns_log warning "${server}.tcl: nscp not loaded because user/password is not set."
#}


##############################
# Source OpenACS Config File #
##############################

# Standard location is: /web/${server}/parameters/ad_${server}.tcl

# source /web/${server}/parameters/ad_${server}.tcl     ;# But not for Open_ACS 4.5

ns_log notice "${server}.tcl: finished reading config file."

11: Response to Secure Vs. Insecure locations (response to 1)

Posted by C. R. Oldham on 10/30/02 08:56 PM

Does "www.server.com" resolve to the right address in your environment? So going to "http://www.server.com:8000" and "https://www.server.com:8443" both work for you?

12: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 08:59 PM

Yes, they both work fine and when connecting with the https protocol the certificate acceptance boxes appear just fine as well. Regards Richard

13: Response to Secure Vs. Insecure locations (response to 1)

Posted by David Walker on 10/30/02 09:00 PM

I wouldn't be overly trusting of what IE has in the address line. Try

   
  
telnet www.ecommerce.com 8000   
 
GET /acs-admin/ HTTP/1.1   
Host: www.ecommerce.com:8000

and see what headers you get back from the server.

14: Response to Secure Vs. Insecure locations (response to 1)

Posted by Bart Teeuwisse on 10/30/02 09:38 PM

Richard,

the problem is in your config file. You should load nsopenssl as nsopenssl instead of nsssl. Replace all occurences of nsssl with nsopenssl.

The security procs in admin-procs.tcl check the nsopenssl module parameters when nsopenssl has been loaded. Since you have named this module nsssl the security procs can't find the nsopenssl configuration and redirect you to the wrong port.

/Bart

15: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 09:54 PM

Tried telnet from the Win2K box - received a 400 Bad Request with a follow up HTML page saying Invalid request - the request presented by your browser is invalid.

Tried on a Linux box within emacs, but got a connection closed after each telnet attempt so could not type the GET.

Tried from the Linux command line. Got the following text - sorry it took so long - had to type it out by hand and had problems trying to work out how to stop the HTML being rendered!!

[richard@Richard02 richard]$ su -
Password:
[root@Richard02 root]# telnet 192.168.100.2 8000
Trying 192.168.100.2...
Connected to Richard02 (192.168.100.2).
Escape character is '^]'.
GET /acs-admin/ HTTP1.1

HTTP/1.0 302 Found
Set Cookie: ad_session_id=60001%2c0%20%7b928%201036018738%20257EAD4B2AD05D4D9BA6
C534DDCE9352953F65AF%7d; Path=/; Max-Age=1200
Location: http://www.ecommerce.com:8000/register/?return_url=%2facs%2admin%2f
Content-Type: text/html; charset=iso-8859-1
MIME-Version: 1.0
Date: Wed, 30 Oct 2002 22:38:58 GMT
Server: AOLserver/3.3.1+ad13
Content-Length: 356
Connection: close

>!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"< >HTML> >HEAD> >TITLE>Redirection >/HEAD> >BODY> >h2>Redirection >A HREF="http://www.ecommerce.com:8000/register/?return_url=%2facs%2dadmin%2f">The requested URL has moved here. >P ALIGN=RIGHT>AOLserver/3.3.1+ad13 on http://www.ecommerce.com:8000

>/BODY> Connection closed by foreign host.

Regards

Richard

16: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 09:55 PM

Brilliant, thanks Bart. I thought that the name that I chose would be irrelevant. Will test.

17: Response to Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 10/30/02 10:17 PM

Thank you to everyone for your help.

Bart, that fixed it. As long as I do what 'cro' suggests and ensure that the login happens under https, any subsequent https request redirects correctly.

Fantastic.

18: Re: Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 12/12/02 05:23 PM

Just a follow up to this thread. I think that OpenACS 4.6 is behaving slightly differently.

If I login under http as Site Wide Administrator and then select the 'Site Wide Admin' link on the default Main Site page the redirect to https:// is screwy :

https://www.server4.com:8446/acs-admin/www.server4.com/register/index?return_url=%2facs%2dadmin%2f%3f

Seems to be adding the Url stub inappropriately. If I log in under https the redirect is fine (I remember reading that this is a token issuing anomaly). Can anyone confirm that restricting the login page to https is the only answer.
Thank you

Richard

19: Re: Secure Vs. Insecure locations (response to 18)

Posted by Richard Hamilton on 12/12/02 06:14 PM

Another little anomaly with https:
With 'register/*' restricted to httpS.
If a user has logged in under httpS but then visits a static page under http and selects 'Your Workspace' from the context menu and then selects 'Log Out', the redirect URL for the registration page comes up as :

https://www.server4.com:8446/register/www.server4.com/

Where is this extra www.server4.com coming from and can I prevent it?
Thanks

Richard

20: Re: Secure Vs. Insecure locations (response to 1)

Posted by Richard Hamilton on 12/12/02 06:23 PM

Clarification - step missed out:

If a user has logged in under https but then visits a static page under http and selects 'Add comment', then chooses 'Your Workspace' from the context menu of the general comments page and then selects 'Log Out', the redirect URL for the registration page comes up as :
As previous.

Regards

Richard