Roundcube Community Forum
Release Support => Older Versions => 0.1 beta 2 => Topic started by: Adam on April 24, 2007, 02:37:02 AM
-
Morning guys and gals,
I have searched but can't quite find an answer to my question, apologies if it has been asked before.
I know I can secure Roundcube using my ssl but what I would like to do is only secure the log in page. So if someone goes to http://mail.domain.net or https://mail.domain.net when they click on submit the log on details are sent securely. Once inside roundcube it goes back to http://.
If it has been answered and someone knows where can you point me to the right thread?
Thanks
Adam :D
-
Agreed. This would be a great feature. Right now I just have everyone use SSL for the entire session, but that's kind of overkill. SSL just for the authentication would be ideal. I looked at how to change the source to do this myself, but I'm only just learning PHP now. If no-one else gets to it, I'll be happy to tackle it once my skills are up to snuff.
-
This can be done in Apache with mod_rewrite. The HTTP login page will be redirected to the HTTPS login page, and once logged in you can return to HTTP by the same methodology.
See http://opensource.apress.com/article/61/9-useful-modrewrite-recipes
cluge
-
Any idea how... I must confess to not being the best with mod_rewrite, and the examples at the above link don't really help me :-\
-
I've been talking to a colleague about this and he doesn't seem to think that we can use .htaccess, as Roundcube uses AJAX and doesn't do a full postback. Just some JavaScript calls in the background. So for now I'm going to keep the whole thing SSL'd but would be interested if anyone figures it out.
There must be a way.... lol
Ad
-
We have worked it out...
pop this in your htaccess file..
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^(.*) https://mail.domain.tld/$1 [R=301,L]
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://mail.domain.tld/$1 [R=301,QSA,L]
I should add that this should be added to what is already in the htaccess file in your roundcube installation folder.
Ad
-
Hi, thanks for the info, it was very helpful. There was a little problem though. When the user clicks on "logout" the login page that appears was unencrypted, and the password was transmitted in cleartext (tested with tcpdump). The following fixes the problem.
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^(.*) https://xxxxxx.com/roundcube/$1 [R=301,L]
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} ^(.*action=logout)$
RewriteRule ^(.*) https://xxxxxx.com/roundcube/?%1 [R=301,L]
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} !^(.*action=logout)$
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://xxxxxx.com/roundcube/$1 [R=301,QSA,L]
-
or better;
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} ^$ [OR]
RewriteCond %{QUERY_STRING} ^(.*action=logout)$
RewriteRule ^(.*) https://xxxxxx.com/roundcube/$1 [R=301,L]
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} !^(.*action=logout)$
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://xxxxxx.com/roundcube/$1 [R=301,QSA,L]
-
I was using hayaici's code and discovered that I couldn't add contacts to the addressbook anymore, because then roundcube submits a form without a query string, triggering the first rule and redirecting the user to a secure login page. So I added the condition that the method should be 'GET' and not 'POST', and now it works fine.
Also I discovered that most images were being loaded using https, so I added another RewriteCond to prevent URLs with a file extension from being parsed.
Thanks to all for this solution, it works perfectly without messing around in the webmail sourcecode. I hope that in RoundCube 1.0 it will just be a config option to use SSL for logins, as it is in other systems like Moodle.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} !\..+$
RewriteCond %{QUERY_STRING} ^$ [OR]
RewriteCond %{QUERY_STRING} ^(.*action=logout)$
RewriteRule ^(.*) https://www.example.com/roundcube/$1 [R=301,L]
RewriteCond %{HTTPS} =on
RewriteCond %{QUERY_STRING} !^(.*action=logout)$
RewriteCond %{QUERY_STRING} .
RewriteRule ^(.*)$ http://www.example.com/roundcube/$1 [R=301,QSA,L]
PS: You have to remove the trailing slash from the RewriteRule URIs when you're on Apache 1.3 to prevent double slashes.
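-
Added example, not part of any post in this thread: a small Python model of the last rule set above, run over constructed sample requests to show which ones end up served over plain HTTP. The sample URLs are made up, the URL path stands in for REQUEST_FILENAME (assumes no dots in the document root path), and the redirect keeps the request path as the rules do for URLs under /roundcube/.

```python
import re
from urllib.parse import urlsplit

LOGOUT = re.compile(r"^(.*action=logout)$")  # QUERY_STRING pattern from the rules
HAS_EXT = re.compile(r"\..+$")               # REQUEST_FILENAME pattern from the rules

def evaluate(method, url):
    """Apply both rules once; return ('redirect', new_url) or ('serve', url)."""
    u = urlsplit(url)
    rest = u.netloc + u.path + ("?" + u.query if u.query else "")
    # Rule 1: plain-HTTP GET, no file extension, empty or logout query string.
    # Assumption: the URL path approximates REQUEST_FILENAME.
    if (u.scheme == "http" and method == "GET" and not HAS_EXT.search(u.path)
            and (u.query == "" or LOGOUT.match(u.query))):
        return "redirect", "https://" + rest
    # Rule 2: HTTPS request with a non-empty, non-logout query string.
    if u.scheme == "https" and u.query and not LOGOUT.match(u.query):
        return "redirect", "http://" + rest
    return "serve", url

def final_scheme(method, url, max_hops=5):
    """Follow redirects (method kept across hops) and return the serving scheme."""
    for _ in range(max_hops):
        action, url = evaluate(method, url)
        if action == "serve":
            return urlsplit(url).scheme
    raise RuntimeError("redirect loop")

BASE = "://www.example.com/roundcube/"
SAMPLES = [  # constructed requests, not captured traffic
    ("GET", "http" + BASE),
    ("GET", "http" + BASE + "?_task=mail&_mbox=INBOX"),
    ("GET", "https" + BASE + "?_task=mail&_mbox=INBOX"),
    ("GET", "http" + BASE + "?_task=mail&_action=logout"),
    ("POST", "http" + BASE),
    ("GET", "http" + BASE + "index.php"),
    ("GET", "https" + BASE + "skins/default/images/logo.png"),
]

def served_over_http(samples=SAMPLES):
    """Return the sample requests that finish on plain HTTP."""
    return [(m, u) for m, u in samples if final_scheme(m, u) == "http"]

if __name__ == "__main__":
    for m, u in SAMPLES:
        print(f"{final_scheme(m, u):5}  {m:4} {u}")
```

Every mailbox request with a query string finishes on HTTP, so the session cookie issued after the HTTPS login is sent unencrypted on each of them, and a POST or a request for index.php sent over HTTP is not redirected at all. Keeping the entire session on SSL, as mentioned earlier in the thread, avoids both.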