[Mailman-Users] Web Admin Security Question

C Nulk CNulk at scu.edu
Wed May 23 16:48:50 CEST 2012


Hello Dennis,

If you are using the CentOS 5 and installed Apache as part of the
install, you should have a file called 'ssl.conf' in the
'/etc/httpd/conf.d/' directory.  Have you set up that file correctly? 
When I set up my system, I needed to make a few changes to that file. 
In my file, I have a virtual host ("_default_") and within the virtual
host configuration there is a switch to turn on the SSL Engine called
"SSLEngine"; its values are on or off.  Make sure it is on.  Also, make sure
your certificates are correct in the file.  For your ssl logs, the file
may be pointing your logs to a different location other than
/var/log/httpd, but I doubt it.  Check to be sure.

As for redirecting from http to https, here are my rules (in a file
called mailman.conf in /etc/httpd/conf.d along with other mailman rules):

   RedirectMatch ^/mailman[/]*$  https://%{HTTP_HOST}/mailman/listinfo
   RedirectMatch ^[/]*$          https://%{HTTP_HOST}/mailman/listinfo

although instead of %{HTTP_HOST} I have the actual hostname.

I also don't bother with the rewrite rules, like turning the rewrite
engine on etc.  I do load the rewrite_module ('modules/mod_rewrite.so')
but so far, I have needed to use it.  The Redirect set of commands use
the mod_alias module.  It seems to work for me.

Good Luck,
Chris

On 5/23/2012 5:37 AM, Dennis Putnam wrote:
> Thanks and you are, of course, correct. I knew that but I was desperate
> to try to get something, anything, working. I did fix it but since the
> more generic version did not work, it is not a surprise that the more
> specific rule does not work either.
>
> Yes I did check all the logs I could think of but nothing that indicates
> it even ran a rewrite rule. I don't see anything in the ssl_access or
> error logs either so that tells me ssl is never being used. Does that
> not imply that the rewrite engine is not working?
>
> When I use http://... it brings up the correct page. As I said
> originally, everything works if I use http or if I manually use https.
> It is forcing https that doesn't. Once again it seems to be pointing to
> the rewrite engine not working.
>
> On 5/22/2012 2:25 PM, Mark Sapiro wrote:
>> Dennis Putnam wrote:
>>> I assume you mean the entire mailman site as opposed to the entire web
>>> site.
>> No. I meant the entire web site. Just because you put something in
>> /etc/httpd/conf.d/mailman.conf doesn't make it magically just apply to
>> Mailman. It depends on where in httpd.conf that file is included.
>>
>> In a normal Centos distro, the
>>
>> Include conf.d/*.conf
>>
>> directive is in the Global Environment section of httpd.conf and thus
>> anything in any of the included files affects or at least sets a
>> default for the entire site.
>>
>> If you want to force https only for Mailman CGIs, your rewrite rule
>> should be something like
>>
>> RewriteRule ^/mailman(/.*)  https://%{HTTP_HOST}/mailman$1   [L,R]
>>
>> If you want to include forced https for public archive access (why
>> would you?), maybe something like
>>
>> RewriteRule ^/pipermail(/.*)  https://%{HTTP_HOST}/pipermail$1   [R]
>> RewriteRule ^/mailman(/.*)  https://%{HTTP_HOST}/mailman$1   [L,R]
>>
>> or
>>
>> RewriteRule ^/(mailman|pipermail)(/.*) https://%{HTTP_HOST}/$1$2 [L,R]
>>
>> would be appropriate.
>>
>>
>>> Yes, that is what I want. Yes, it SHOULD work but doesn't. The
>>> main problem is that there are no errors anywhere I can find and I have
>>> no idea how to debug this.
>> Have you looked in all the httpd logs (/var/log/httpd/*log)?
>>
>> What actually happens when you go to
>> <http://www.example.com/mailman/admin/>?
>>
>
>
>

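As an added example (not part of this thread), a small Python model of how a RewriteRule or RedirectMatch pattern matches a request path, used to check the rules quoted above for two things: that the redirect actually fires for http://.../mailman/... and that the target URL does not itself re-match the rule, which would loop. The `RewriteCond %{HTTPS} off` guard it models is a standard mod_rewrite condition, not something from the thread; whether Apache evaluates a rule for the HTTPS virtual host at all depends on where the rule lives, which is the scoping point Mark makes about conf.d/*.conf.

```python
# Simplified model of mod_rewrite / mod_alias redirect matching (added example).
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class RedirectRule:
    """One RewriteRule/RedirectMatch: URL-path regex, target, optional scheme guard."""
    pattern: str
    target: str
    only_when_http: bool = False  # models a preceding `RewriteCond %{HTTPS} off`

    def apply(self, scheme: str, host: str, path: str) -> Optional[str]:
        if self.only_when_http and scheme == "https":
            return None
        m = re.match(self.pattern, path)  # Apache matches against the URL path
        if m is None:
            return None
        out = self.target.replace("%{HTTP_HOST}", host)
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace(f"${i}", group or "")  # $1, $2 back-references
        return out


def resolve(rules: list, url: str, max_hops: int = 5) -> tuple:
    """Follow external [R] redirects until no rule matches; return (final_url, hops).

    Raises RuntimeError when a rule keeps matching the URL it produced itself.
    Simplification: every rule is tried for every request; real Apache only
    evaluates a rule in the server or virtual-host context serving the request.
    """
    hops = []
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        host, _, tail = rest.partition("/")
        path = "/" + tail
        for rule in rules:
            new_url = rule.apply(scheme, host, path)
            if new_url is not None:
                hops.append(new_url)
                url = new_url
                break  # [L]: first matching rule wins, then a new request starts
        else:
            return url, hops
    raise RuntimeError("redirect loop: " + " -> ".join(hops))


# Constructed sample rule sets: Mark's combined rule, without and with the guard.
UNGUARDED = [RedirectRule(r"^/(mailman|pipermail)(/.*)", "https://%{HTTP_HOST}/$1$2")]
GUARDED = [RedirectRule(r"^/(mailman|pipermail)(/.*)", "https://%{HTTP_HOST}/$1$2", True)]
```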
