[TYPO3-dev] Solution for TYPO3 backend access via SSL Proxy

Andreas Rieser A.Rieser at T3site.com
Mon Jan 8 22:48:38 CET 2007


Hello Christian!

Christian Kuhn wrote:
> Hi,
> I don't understand why typo needs any handling for this at all.
> All my Backends are ssl-enabled on my vhost servers not using
> typo3-logic but mod_rewrite to make it transparent for the user.

Well, no problem - I'll try to explain it to you.

> My typical setup for a domain is something like this:
> <VirtualHost 123.123.123.123:80>
> 	ServerName vhostdomain.de
> 	...
> 	RewriteEngine On
> 	RewriteCond   %{SERVER_PORT}  ^80$
> 	RewriteCond   %{REQUEST_URI}  ^/typo3/
> 	RewriteCond   %{REQUEST_FILENAME}       !(.*)\.jpg$
> 	RewriteCond   %{REQUEST_FILENAME}       !(.*)\.gif$
> 	RewriteCond   %{REQUEST_FILENAME}       !(.*)\.png$
> 	RewriteRule   ^/(.*) https://www.ssldomain.de/vhostdomain/$1
> </VirtualHost>
> This would be similar if placed in a .htaccess. The browser will be
> rewritten to https://www.ssldomain.de/vhostdomain/typo3/ if somebody
> hits http://vhostdomain.de/typo3, and if it's not an image (e.g. global or
> system extensions-images linked from the frontend will not be rewritten
> to https).
> One just needs to set a link in your ssldomain to your vhostdomain which
> is probably exactly what your provider does for you (or an alias-entry):
> ln -s /path/to/vhostdomain /path/to/ssldomain/vhostdomain

Works perfectly, but implements a major security vulnerability.

> $TYPO3_CONF_VARS["BE"]["lockSSL"] or any other parameters are not needed
> as the backend will always be rewritten to https. The user can not
> circumvent this. This works for me at least since TYPO3 3.5.

True, but here comes the point:

Did you ever check the open_basedir parameter? You will find out that
every BE is running without an open base dir restriction. I don't know
if that's ok for you, but for me this is unacceptable!

> Are there any caveats? In which setup will this not work? Where is
> typo-logic needed? What does your patch solve this setup does not? Sry
> if I have lost sight of something and these questions are just stupid.

You will have to set up a reverse proxy to get this solved. There are
afaik 3 possibilities to do so and there are many tutorials on the web
to get started with this. (Alias - this is unacceptable because of the
same problem, special proxy config or with mod_rewrite).

I use the mod_rewrite solution with a mapping file for this. It rewrites
https://www.ssldomain.de/vhostdomain.de/typo3/ internally to
proxy:http://vhostdomain.de/typo3/. The reverse proxy delivers the
requested data. But you have to apply some changes in the
t3lib/class.t3lib_div.php to get this working.

The problem with this is that Typo3 doesn't handle the
HTTP_X_FORWARDED_* environment variables which tell the correct path. As
Typo3 fetches the wrong parameters in this case, it sets up incorrect
paths - so it can't find the cookies and redirects to the wrong URL.

+1 to get this in core.

andreas
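
Added example, not part of the original message and not TYPO3 core code: a sketch of the forwarded-header handling described above, which honours X-Forwarded-Host only when the request arrives from a configured proxy address. The function name, the proxy address 192.0.2.10 and the assumption that the proxy is the SSL endpoint are illustrative.

```php
<?php
// Hypothetical helper (added example). Resolves the public scheme, host and
// path prefix for a request that may have been relayed by a reverse proxy.
// Forwarded headers are trusted only when REMOTE_ADDR is a known proxy,
// because any client can send X-Forwarded-* headers on a direct request.
function resolvePublicRequest(array $server, array $trustedProxies, string $proxyPrefix = ''): array
{
    $https = !in_array(strtolower($server['HTTPS'] ?? 'off'), ['', 'off'], true);
    $result = [
        'scheme'   => $https ? 'https' : 'http',
        'host'     => $server['HTTP_HOST'] ?? '',
        'prefix'   => '',
        'viaProxy' => false,
    ];

    if (!in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        return $result; // direct request: ignore forwarded headers entirely
    }

    // A proxy that appends to an existing header leaves client-supplied
    // values first, so with one trusted proxy only the last entry is reliable.
    $values = explode(',', $server['HTTP_X_FORWARDED_HOST'] ?? '');
    $host = strtolower(trim(end($values)));

    // Accept a plain hostname with optional port, nothing else.
    if ($host !== '' && preg_match('/^[a-z0-9.-]+(:\d{1,5})?$/', $host) === 1) {
        $result['scheme']   = 'https';      // assumption: the proxy terminates SSL
        $result['host']     = $host;
        $result['prefix']   = $proxyPrefix; // path segment the proxy strips
        $result['viaProxy'] = true;
    }
    return $result;
}

// Constructed sample request, as the backend vhost would see it.
$server = [
    'REMOTE_ADDR'           => '192.0.2.10',
    'HTTP_HOST'             => 'vhostdomain.de',
    'HTTP_X_FORWARDED_HOST' => 'client-supplied.example, www.ssldomain.de',
    'REQUEST_URI'           => '/typo3/index.php',
];
$r = resolvePublicRequest($server, ['192.0.2.10'], '/vhostdomain.de');
echo $r['scheme'] . '://' . $r['host'] . $r['prefix'] . $server['REQUEST_URI'], "\n";
```

Redirect targets and the cookie path would be built from the resolved scheme, host and prefix rather than from HTTP_HOST and REQUEST_URI directly.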