Question
With the 4.1.2 distribution and Apache 2, I made a configuration that uses SSL just for authenticated pages and for pages that have password forms. Thus plain-text passwords are never sent unencrypted. Having non-authenticated accesses without SSL helps to keep down the CPU load, especially in situations where the majority of accesses will be unauthenticated read accesses.
My configuration uses Apache's RewriteRules, of course. The rules redirect requests from an http to an https server with the same name, and vice versa. Care is taken to provide protection for password-containing forms and correct error messages as well. Changes in LocalSite.cfg are also needed.
I would be willing to provide that configuration and explain it here on the TWiki main site. If you're interested, I would need guidance on where such an explanation is best placed: which Web, which parent topic, etc. It is more than 200 lines of configuration (including comments) and needs some additional explanation of the concept, thus I refrained from simply dumping them as a comment into AvoidingPlainTextPasswords.
There is one small drawback in my configuration: It also shortens the URLs, as in ShorterUrlCookbook. (See also the two bugs that I opened in that context.) I would prefer to leave that part of the configuration in at first, since it is tested in that form. Maybe I could change that later. In fact, looking at the other support topics, it might be even more of interest to add some text on how one configures an SSL Web server in the first place.
--
JoachimSchrod - 27 Apr 2007
Answer
Um, yes please.

Sounds like a rather useful Cookbook!!
--
SvenDowideit - 28 Apr 2007
That would make a great SSLConfigurationCookbook in the Codev Web, wouldn't it? I always thought TWiki should be configured like that right out of the box. But that would make the setup support an even greater nightmare than it already is (according to Sven's latest postings), I guess.
--
FranzJosefSilli - 28 Apr 2007
Yeah, there's a lesson there - if we'd offer fewer options for customisation, upgrading would be totally automated and simple. But no, we have to go and be flexible..... still, this way we're in for infinite fun.
--
SvenDowideit - 28 Apr 2007
Joachim, thanks for your offer to share your work! We would love to get your input! I suggest creating SupplementalDocuments in the TWiki web. For example, a TWiki.HowToConfigureTWikiWithSSL, and a Support.UsingSslForAuthenticationOnly. We can link those topics from the distribution documents.
--
PeterThoeny - 28 Apr 2007
I have started with the proposed topic in Support. After gathering comments and a review round, one could put a consolidated version of that text as a Cookbook in the TWiki web.
Since discussion will probably continue on UsingSslForAuthenticationOnly, I close this question.
--
JoachimSchrod - 30 Apr 2007