
macro/ssl - mod_ssl-helpers for PApp

<import src="macro/ssl"/>

Helper functions for Apache/mod_ssl. Some functions support three-state pages; for these, the PApp application should be mounted on three different virtual hosts in Apache. The three states these functions assume are:

    http://host:80/foobar    - plain http without any encryption (url_prefix_nossl)
    https://host:443/foobar  - anonymous https, no client certificate required (url_prefix_ssl)
    https://host:444/foobar  - full client authentication required (url_prefix_sslauth)
Port 444 is nonstandard, so you can override these three values in your mountconfig. It's a good idea to override all three, because the fallback uses $request->hostname, which may give unexpected results. If you only define url_prefix_ssl (say to "https://secure.w3.org"), the following can happen if the plain request goes to http://seppl.org:

    normal sections         http://seppl.org
    <:require_ssl:>         https://secure.w3.org
    <:require_ssl_user:>    https://secure.w3.org:444

and if you switch directly from normal to auth:

    normal sections         http://seppl.org
    <:require_ssl_user:>    https://seppl.org:444

So PLEASE override all three settings (url_prefix_nossl, url_prefix_ssl and url_prefix_sslauth) to get consistent behavior...
If you want to avoid the nonstandard port 444 you need an IP-based virtual host configuration, because the https server cannot use the Host request header to pick the virtual host: the server certificate is chosen before that header is seen. You should also use different server certificates (and keys) for ssl and sslauth, or client browsers may warn about a mismatch between the real hostname and the hostname in the server certificate. For example:

    url_prefix_nossl   => http://seppl.org
    url_prefix_ssl     => https://seppl.org       (cert for "seppl.org")
    url_prefix_sslauth => https://auth.seppl.org  (cert for "auth.seppl.org")

With this layout, use:

    SSLCertificateFile    /share/www/conf/ssl.crt/server.crt.seppl.org
    SSLCertificateKeyFile /share/www/conf/ssl.key/server.key.seppl.org

in the seppl.org https-section, and the following for auth.seppl.org:

    SSLCertificateFile    /share/www/conf/ssl.crt/server.crt.auth.seppl.org
    SSLCertificateKeyFile /share/www/conf/ssl.key/server.auth.key.seppl.org

So the easier setup is to keep port 444, because then you need only one server certificate and you don't need to deal with the url_prefix settings.
This is a convention used by this package, not standard mod_ssl setup.
It is always possible to detect the current SSL state like this:

    #if ssl_p
      <?"under SSL":>
      # if ssl_user
        <?" with user auth: " . ssl_user:>
      # else
        <?" without user auth":>
      # endif
    #else
      <?"no SSL":>
    #endif
The defined states are only needed to switch to a higher auth-level by redirection.
To enforce SSL you can use:
<:require_ssl:>
and if you require strict client authentication you can use:
<:require_ssl_user:>

Use the following directives for SSL (strong 128-bit encryption) on port 443 (standard SSL without user auth):
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /usr/www/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/www/conf/ssl.key/server.key
SSLCARevocationPath /usr/www/conf/ssl.crl
SSLOptions +StdEnvVars
<Perl>
search_path PApp "/usr/www/lib/papp";
search_path PApp "/usr/www/lib/papp/macro";
mount_appset PApp default;
</Perl>
Use the exact same configuration on port 444 and, in addition, enable client-certificate authentication by adding:
SSLVerifyClient require
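The port 443 and port 444 sections above, combined into the complete three-host layout as an added example (not from the PApp distribution): it keeps port 444 so that one server certificate serves both https hosts, and uses mod_macro (Apache 2.4) so the shared directives are written once. The IP address 192.0.2.10, the hostname seppl.org and the file paths are assumed values.

```apache
# Added example, not part of PApp. Assumes mod_ssl, mod_perl and
# mod_macro are loaded; 192.0.2.10, seppl.org and paths are placeholders.
Listen 80
Listen 443
Listen 444

# PApp mount shared by all three states (the <Perl> block from above)
<Macro PAppMount>
    <Perl>
        search_path PApp "/usr/www/lib/papp";
        search_path PApp "/usr/www/lib/papp/macro";
        mount_appset PApp default;
    </Perl>
</Macro>

# SSL directives shared by ports 443 and 444 (one server certificate)
<Macro PAppSSL>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile    /usr/www/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/www/conf/ssl.key/server.key
    SSLCACertificateFile  /usr/www/conf/ssl.crt/ca.crt
    SSLCARevocationPath   /usr/www/conf/ssl.crl
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
</Macro>

# State 1: plain http (url_prefix_nossl => http://seppl.org)
<VirtualHost 192.0.2.10:80>
    ServerName seppl.org
    Use PAppMount
</VirtualHost>

# State 2: anonymous https (url_prefix_ssl => https://seppl.org)
<VirtualHost 192.0.2.10:443>
    ServerName seppl.org
    Use PAppSSL
    # no SSLVerifyClient here: the client is never asked for a certificate
    Use PAppMount
</VirtualHost>

# State 3: client-authenticated https (url_prefix_sslauth => https://seppl.org:444)
<VirtualHost 192.0.2.10:444>
    ServerName seppl.org
    Use PAppSSL
    # the only difference to port 443: a client certificate signed by
    # ca.crt (and not revoked in ssl.crl) is mandatory
    SSLVerifyClient require
    Use PAppMount
</VirtualHost>
```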

Returns true if the current request is an https request.

Returns the user name from the client certificate, or undef if there is no SSL session at all or the SSL session is anonymous (no client certificate).

Redirects the current request to a secure SSL connection without client authentication if the insecure http protocol is used.

Like ssl_needed, but requires client authentication.

Redirects the current request to http if https is used. This can be used to drop SSL security.


This module was kindly contributed by Stefan Traby <stefan@hello-penguin.com>.