Re: SSL Squirrelmail through Reverse Proxy (Pound)


On 6/28/07, Daniel W <d@xxxxxxxxxxxxx> wrote:
> Paul Lesniewski wrote:
> > On 6/28/07, Daniel Watts <d@xxxxxxxxxxxxx> wrote:
> >> Dear List,
> >>
> >> Has anyone got a setup where you have a Pound front end reverse-proxy
> >> listening for HTTPS traffic, and redirecting via HTTP to a batch of
> >> backend web servers that squirrelmail is installed on?
> >>
> >> I have this working nicely except that the links and redirects are all
> >> then written as "http" rather than "https". Is there any sane way I can
> >> get the system so that security is maintained?
> >
> > If SM has no information about SSL on a connection, you simply cannot
> > expect it to do anything but what it is doing.
> >
> >> I'm thinking this might be to do with the "get_location" function in
> >> squirrelmail - will I need to modify this somehow?
> >
> > Most people do that.
>
> Really? How do they rework it?

Most people (I hope) use $config_location_base

You might be able to use it too if there is some header you can look
at.  In the config.php file, you could try something like:

$config_location_base = (!empty($_SERVER['WHATEVER']) &&
$_SERVER['WHATEVER'] == 'HTTPS' ? 'https://example.org/webmail' : '');

> >> The trouble is users can connect either via HTTP or HTTPS and I don't
> >> want just a blanket change of all links to HTTPS.
> >
> > Why not?  Minimal overhead, better email security.
>
> Ah I suppose the get_location could be done to always respond with the
> HTTPS protocol.
>
> >
> >> Perhaps I need to get Pound to insert an X-SSL-Request header which can
> >> tell get_location whether to prepend http:// or https://
> >
> > Might be a good solution.
> >
> >> But this all sounds quite ugly and I'd rather not change squirrelmail code.
> >
> > The only other option would be to install the mind_reader plugin that
> > knows that despite the fact that page requests come in HTTP, you
> > really wanted links in HTTPS, but only in some cases.  No sweat.  :-)
>
> Lol very funny =)
>
> I thought there might be some other configuration in terms of how my
> proxies / apaches work etc. It can't be that rare a task that someone
> hasn't come up with a way to make this work nicely.

Dunno

> I noticed that things would be a lot nicer if the header("Location..")'s
> were all relative. That way whatever the connection was, the browser
> would maintain the type and just change the URI.
>
> I read somewhere that header redirects should always be absolute but
> relative ones do seem to always work. Don't suppose squirrelmail would
> consider going all relative? ;o)

It's an HTTP requirement, so SM is unlikely to change at all in that regard.
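
Added example, not part of the original message and not SquirrelMail or Pound code: one way to fill in the $config_location_base idea above in config.php using the X-SSL-Request header proposed in the thread, trusting that header only when the request comes from the proxy. The function name, the proxy address 192.0.2.10 and the header value "1" are assumptions.

```php
<?php
// Added example for SquirrelMail's config.php (assumptions are marked).

/**
 * Return the value for $config_location_base.
 * The X-SSL-Request header is honoured only when the request arrived from
 * a known reverse proxy; any other client could have sent it itself.
 * An empty string leaves SquirrelMail to work out the location on its own.
 */
function sm_location_base(array $server, array $trusted_proxies)
{
    $https_base = 'https://example.org/webmail';

    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $from_proxy = in_array($peer, $trusted_proxies, true);

    // PHP exposes the request header X-SSL-Request as HTTP_X_SSL_REQUEST.
    // The value "1" is an assumption about what the proxy is set to send.
    $flag = isset($server['HTTP_X_SSL_REQUEST'])
        ? trim($server['HTTP_X_SSL_REQUEST']) : '';

    if ($from_proxy && $flag === '1') {
        return $https_base;   // TLS was terminated at the proxy
    }
    if (!$from_proxy && !empty($server['HTTPS'])
        && strtolower($server['HTTPS']) !== 'off') {
        return $https_base;   // TLS terminated on this backend directly
    }
    return '';                // plain HTTP, or a header we do not trust
}

// 192.0.2.10 is a constructed address standing in for the Pound host.
$config_location_base = sm_location_base($_SERVER, array('192.0.2.10'));

if (PHP_SAPI === 'cli') {
    // Constructed requests: HTTPS via the proxy, HTTP via the proxy,
    // and a direct client that supplies the header itself.
    $cases = array(
        array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_SSL_REQUEST' => '1'),
        array('REMOTE_ADDR' => '192.0.2.10'),
        array('REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_SSL_REQUEST' => '1'),
    );
    foreach ($cases as $c) {
        var_dump(sm_location_base($c, array('192.0.2.10')));
    }
}
```

On the Pound side the HTTPS listener would add the header (AddHeader) and both listeners would strip any client-supplied copy (HeadRemove), so the backend never sees a value the proxy did not set.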

--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
