[TYPO3-dev] Solution for TYPO3 backend access via SSL Proxy
Andreas Rieser
A.Rieser at T3site.com
Mon Jan 8 22:48:38 CET 2007
Hello Christian!
Christian Kuhn wrote:
> Hi,
> I don't understand why typo needs any handling for this at all.
> All my Backends are ssl-enabled on my vhost servers not using
> typo3-logic but mod_rewrite to make it transparent for the user.
Well, no problem - I'll try to explain it to you.
> My typical setup for a domain is something like this:
> <VirtualHost 123.123.123.123:80>
> ServerName vhostdomain.de
> ...
> RewriteEngine On
> RewriteCond %{SERVER_PORT} ^80$
> RewriteCond %{REQUEST_URI} ^/typo3/
> RewriteCond %{REQUEST_FILENAME} !(.*)\.jpg$
> RewriteCond %{REQUEST_FILENAME} !(.*)\.gif$
> RewriteCond %{REQUEST_FILENAME} !(.*)\.png$
> RewriteRule ^/(.*) https://www.ssldomain.de/vhostdomain/$1
> </VirtualHost>
> This would be similar if placed in a .htaccess. The browser will be
> rewritten to https://www.ssldomain.de/vhostdomain/typo3/ if somebody
> hits http://vhostdomain.de/typo3 , and if it's not an image (eg. global or
> system extensions-images linked from the frontend will not be rewritten
> to https).
> One just needs to set a link in your ssldomain to your vhostdomain which
> is probably exactly what your provider does for you (or an alias-entry):
> ln -s /path/to/vhostdomain /path/to/ssldomain/vhostdomain
Works perfectly, but implements a major security vulnerability.
> $TYPO3_CONF_VARS["BE"]["lockSSL"] or any other parameters are not needed
> as the backend will always be rewritten to https. The user can not
> circumvent this. This works for me at least since TYPO3 3.5.
True, but here comes the point:
Did you ever check the open_basedir parameter? You will find out that
every BE is running without an open base dir restriction. I don't know
if that's ok for you, but for me this is unacceptable!
> Are there any caveats? In which setup will this not work? Where is
> typo-logic needed? What does your patch solve that this setup does not? Sry
> if I have lost sight on something and these questions are just stupid.
You will have to set up a reverse proxy to get this solved. There are
afaik 3 possibilities to do so and there are many tutorials on the web
to get started with this. (Alias - this is unacceptable because of the
same problem, special proxy config or with mod_rewrite).
I use the mod_rewrite solution with a mapping file for this. It rewrites
https://www.ssldomain.de/vhostdomain.de/typo3/ internally to
proxy:http://vhostdomain.de/typo3/. The reverse proxy delivers the
requested data. But you have to apply some changes in the
t3lib/class.t3lib_div.php to get this working.
The problem with this is that TYPO3 doesn't handle the
HTTP_X_FORWARDED_* environment variables which tell the correct path. As
TYPO3 fetches the wrong parameters in this case, it sets up incorrect
paths - so it can't find the cookies and redirects to the wrong URL.
+1 to get this in core.
andreas
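
Added example, not part of the original message and not TYPO3 code: one way an application behind the SSL reverse proxy described above can build its public URL from HTTP_X_FORWARDED_HOST, using the header only when the request arrives from the proxy's own address. The function name, the config keys, the IP addresses and the fixed path prefix are assumptions made for illustration.

```php
<?php
// Added example; publicBaseUrl() and the $cfg keys are hypothetical, not TYPO3 API.
// Assumption: the SSL proxy maps the fixed prefix /vhostdomain.de onto the
// root of the backend vhost and sets X-Forwarded-Host on every request.

function publicBaseUrl(array $server, array $cfg): string
{
    // Forwarded headers are client-controlled unless the peer is our proxy.
    $viaProxy = in_array($server['REMOTE_ADDR'] ?? '', $cfg['proxyIps'], true);

    if ($viaProxy && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        // May be a comma-separated chain; the nearest proxy appends last.
        $hosts = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_HOST']));
        $host = strtolower(end($hosts));
        $scheme = $cfg['proxyScheme'];
        $prefix = $cfg['proxyPrefix'];
    } else {
        $host = strtolower($server['HTTP_HOST'] ?? '');
        $https = strtolower($server['HTTPS'] ?? '');
        $scheme = ($https !== '' && $https !== 'off') ? 'https' : 'http';
        $prefix = '';
    }
    // Redirects and cookie paths must never be built from an unknown host.
    if (!in_array($host, $cfg['allowedHosts'], true)) {
        throw new RuntimeException('Untrusted host name in request');
    }
    return $scheme . '://' . $host . $prefix;
}

$cfg = [
    'proxyIps'     => ['192.0.2.10'],      // constructed address of the SSL proxy
    'proxyScheme'  => 'https',             // scheme the proxy serves to browsers
    'proxyPrefix'  => '/vhostdomain.de',   // path prefix added on the SSL domain
    'allowedHosts' => ['www.ssldomain.de', 'vhostdomain.de'],
];

// Constructed request as the backend vhost sees it when it comes via the proxy.
$proxied = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_HOST' => 'vhostdomain.de',
            'HTTP_X_FORWARDED_HOST' => 'www.ssldomain.de'];
// Constructed direct request carrying a forged header; the header is ignored.
$direct  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_HOST' => 'vhostdomain.de',
            'HTTP_X_FORWARDED_HOST' => 'other.example'];

echo publicBaseUrl($proxied, $cfg), "/typo3/\n";
echo publicBaseUrl($direct, $cfg), "/typo3/\n";
```

The same base URL is what a cookie path and a login redirect would have to be derived from so that the browser, which only ever sees the SSL domain, sends the session cookie back.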