Roundcube Community Forum


Using SSL to log in

Started by Adam, April 24, 2007, 02:37:02 AM


Adam

Morning guys and gals,

I have searched but can't quite find an answer to my question, apologies if it has been asked before.

I know I can secure Roundcube using my ssl but what I would like to do is only secure the log in page. So if someone goes to http://mail.domain.net or https://mail.domain.net when they click on submit the log on details are sent securely. Once inside roundcube it goes back to http://.

If it has been answered and someone knows where can you point me to the right thread?

Thanks

Adam  :D

Ichiban

Agreed. This would be a great feature. Right now I just have eveyone use SSL for the entire session, but that's kind of overkill. SSL just for the authentication would be ideal. I looked at how to change the source to do this myself, but I'm only just learning PHP now. If no-one else gets to it, I'll be happy to tackle it once my skills are up to snuff.

cluge

Quote from: Adam
I know I can secure Roundcube using my ssl but what I would like to do is only secure the log in page. So if someone goes to http://mail.domain.net or https://mail.domain.net when they click on submit the log on details are sent securely. Once inside roundcube it goes back to http://.

This can be done in apache with modrewrite. The HTTP login page will be redirected to the HTTPS login page, and once logged in you can return to HTTP by the same methodology.

See http://opensource.apress.com/article/61/9-useful-modrewrite-recipes

cluge
Respectfully,
cluge

Adam

Quote from: cluge
Quote from: Adam
I know I can secure Roundcube using my ssl but what I would like to do is only secure the log in page. So if someone goes to http://mail.domain.net or https://mail.domain.net when they click on submit the log on details are sent securely. Once inside roundcube it goes back to http://.

This can be done in apache with modrewrite. The HTTP login page will be redirected to the HTTPS login page, and once logged in you can return to HTTP by the same methodology.

See http://opensource.apress.com/article/61/9-useful-modrewrite-recipes

cluge

Any idea how? I must confess to not being the best with mod_rewrite, and the examples at the above link don't really help me :-\

Adam

I've been talking to a colleague about this and he doesn't seem to think that we can use .htaccess, as Roundcube uses AJAX and doesn't do a full postback, just some JavaScript calls in the background. So for now I'm going to keep the whole thing SSL'd, but I would be interested if anyone figures it out.

There must be a way.... lol

Ad

Adam

We have worked it out...

pop this in your .htaccess file:

RewriteEngine On

# Plain HTTP request with no query string (the login page): send it to HTTPS.
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^(.*) https://mail.domain.tld/$1 [R=301,L]

# HTTPS request that carries a query string (any page after login): send it back to HTTP.
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://mail.domain.tld/$1 [R=301,QSA,L]

I should add that this should be added to what is already in the .htaccess file in your Roundcube installation folder.
Ad

hayalci

Hi, thanks for the info, it was very helpful. There was a little problem though. When the user clicks on "logout", the login page that appears is unencrypted, and the password is transmitted in cleartext (tested with tcpdump). The following fixes the problem.

# HTTP request with no query string (the login page): force HTTPS.
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^(.*) https://xxxxxx.com/roundcube/$1 [R=301,L]

# HTTP logout request: force HTTPS as well, re-attaching the captured query string via %1.
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} ^(.*action=logout)$
RewriteRule ^(.*) https://xxxxxx.com/roundcube/?%1 [R=301,L]

# HTTPS request with a query string, unless it is the logout: back to HTTP.
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} !^(.*action=logout)$
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://xxxxxx.com/roundcube/$1 [R=301,QSA,L]

hayalci

or better:

# HTTP request with either no query string or a logout query string: force HTTPS
# ([OR] groups the two query-string conditions; the original query string is passed through).
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} ^$ [OR]
RewriteCond %{QUERY_STRING} ^(.*action=logout)$
RewriteRule ^(.*) https://xxxxxx.com/roundcube/$1 [R=301,L]

# HTTPS request with a query string, unless it is the logout: back to HTTP.
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} !^(.*action=logout)$
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://xxxxxx.com/roundcube/$1 [R=301,QSA,L]

melgior1

I was using hayalci's code and discovered that I couldn't add contacts to the addressbook anymore, because then Roundcube submits a form without a query string, triggering the first rule and redirecting the user to a secure login page. So I added the condition that the method should be 'GET' and not 'POST', and now it works fine.

Also I discovered that most images were being loaded using https, so I added another RewriteCond to prevent URLs with a file extension from being parsed.

Thanks to all for this solution, it works perfectly without messing around in the webmail sourcecode. I hope that in RoundCube 1.0 it will just be a config option to use SSL for logins, as it is in other systems like Moodle.

RewriteEngine On

# Force HTTPS only for plain-HTTP GET requests (a 301 would turn a POST into a GET and
# drop the form data), only for URLs without a file extension (images etc. stay on HTTP),
# and only when the query string is empty or is a logout.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} !\..+$
RewriteCond %{QUERY_STRING} ^$ [OR]
RewriteCond %{QUERY_STRING} ^(.*action=logout)$
RewriteRule ^(.*) https://www.example.com/roundcube/$1 [R=301,L]

# HTTPS request with a query string, unless it is the logout: back to HTTP.
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} !^(.*action=logout)$
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://www.example.com/roundcube/$1 [R=301,QSA,L]

PS: You have to remove the trailing slash from the RewriteRule URIs when you're on Apache 1.3 to prevent double slashes.
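To make the behaviour of these rule sets easy to check without an Apache instance, here is an added Python model (it is not from the thread and is neither Roundcube's nor Apache's code) that evaluates hayalci's shorter version and melgior1's final version against a few constructed requests. It models only the mod_rewrite features the thread uses: `!` negation, `=` string comparison, regex search, `[OR]` grouping of conditions, `$1` substitution, and Apache's default of passing the original query string through when the substitution contains no `?` (which is why the `QSA` flag in the second block changes nothing here). `%{REQUEST_FILENAME}` is modelled as the path relative to the roundcube directory, and both sets are written against www.example.com so the outputs are comparable. Two things the comparison makes visible: browsers follow a 301 with a GET, so under hayalci's rules the addressbook POST body never reaches Roundcube, and melgior1's extension check that keeps images on HTTP also exempts a direct request for index.php with no query string, so that copy of the login page is not forced onto HTTPS. Under both rule sets the session cookie issued after login is sent over plain HTTP on every later request, which is the trade-off this design accepts.

```python
import re

# Constructed model of mod_rewrite evaluation (assumption: .htaccess in the roundcube
# directory, so the path seen by RewriteRule is relative to that directory).
# A condition is (server variable, pattern, flags). Patterns follow RewriteCond syntax.

def _cond(var, pattern, flags=()):
    return (var, pattern, tuple(flags))

# hayalci's merged version, rewritten against www.example.com for comparison.
HAYALCI = [
    {"conds": [_cond("HTTPS", "!=on"),
               _cond("QUERY_STRING", "^$", ["OR"]),
               _cond("QUERY_STRING", "^(.*action=logout)$")],
     "target": "https://www.example.com/roundcube/$1", "flags": ("R=301", "L")},
    {"conds": [_cond("HTTPS", "=on"),
               _cond("QUERY_STRING", "!^(.*action=logout)$"),
               _cond("QUERY_STRING", ".")],
     "target": "http://www.example.com/roundcube/$1", "flags": ("R=301", "QSA", "L")},
]

# melgior1's final version: adds the GET-only and no-file-extension conditions.
MELGIOR1 = [
    {"conds": [_cond("HTTPS", "!=on"),
               _cond("REQUEST_METHOD", "GET"),
               _cond("REQUEST_FILENAME", r"!\..+$"),
               _cond("QUERY_STRING", "^$", ["OR"]),
               _cond("QUERY_STRING", "^(.*action=logout)$")],
     "target": "https://www.example.com/roundcube/$1", "flags": ("R=301", "L")},
    HAYALCI[1],
]

def request(scheme, method, path, query=""):
    """Build the server-variable view of one constructed request."""
    return {"HTTPS": "on" if scheme == "https" else "off",
            "REQUEST_METHOD": method,
            "REQUEST_FILENAME": path,      # modelled as the directory-relative path
            "PATH": path,
            "QUERY_STRING": query}

def _cond_matches(cond, req):
    var, pattern, _flags = cond
    value = req[var]
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith("="):            # lexical string comparison
        hit = value == pattern[1:]
    else:                                  # regex, unanchored search like Apache
        hit = re.search(pattern, value) is not None
    return hit != negate

def _conds_pass(conds, req):
    """Conditions chained with [OR] form one group; the groups are ANDed."""
    groups, current = [], []
    for cond in conds:
        current.append(_cond_matches(cond, req))
        if "OR" not in cond[2]:
            groups.append(any(current))
            current = []
    if current:                            # trailing [OR] would leave an open group
        groups.append(any(current))
    return all(groups)

def apply_rules(rules, req):
    """Return the 301 redirect target for the request, or None if no rule fires."""
    for rule in rules:
        if not _conds_pass(rule["conds"], req):
            continue
        path = re.match(r"^(.*)$", req["PATH"]).group(1)   # both sets use ^(.*)
        target = rule["target"].replace("$1", path)
        qs = req["QUERY_STRING"]
        if "?" in target:                  # substitution supplies its own query string
            if "QSA" in rule["flags"] and qs:
                target += "&" + qs
        elif qs:                           # no '?' in substitution: Apache passes it through
            target += "?" + qs
        return target                      # [L]: first matching rule wins
    return None

# Constructed requests covering the cases raised in the thread.
CASES = [
    ("login page over http", request("http", "GET", "")),
    ("login page over http via index.php", request("http", "GET", "index.php")),
    ("logout over http", request("http", "GET", "", "_task=mail&_action=logout")),
    ("addressbook save POST over http", request("http", "POST", "")),
    ("image over http", request("http", "GET", "skins/default/images/logo.png")),
    ("mailbox over https after login", request("https", "GET", "", "_task=mail")),
    ("logout over https", request("https", "GET", "", "_task=mail&_action=logout")),
]

def compare():
    """Return (label, hayalci redirect, melgior1 redirect) for every constructed case."""
    return [(label, apply_rules(HAYALCI, req), apply_rules(MELGIOR1, req))
            for label, req in CASES]

if __name__ == "__main__":
    for label, h, m in compare():
        print(f"{label:36} hayalci: {h!s:60} melgior1: {m}")
```

Running it prints one row per case; the rows for the POST, the image and index.php are where the two rule sets differ, and the two HTTPS rows show the logout staying on HTTPS while the mailbox is sent back to HTTP.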