Found a way to force / require SSL access using shared SSL!



andz
02-26-2007, 06:53 AM
First of all, for the majority of purposes SSL has to be forced; otherwise it is of little use. Thus having shared SSL without the ability to force its use makes it of minor utility.

The problem is all the different approaches I've seen here and in other forums do not work because for some reason WestHost has a perversely different setup. (One almost thinks there is a conspiracy to prevent shared SSL from being used for forced SSL access :rolleyes: )

For example:

1) forget about using SSLRequireSSL because it just doesn't work

2) forget about using mod_rewrite; RewriteCond fails because the variables you need to compare against are either not available or do not return values as expected. Without RewriteCond, however, any successful rewrite will always result in a loop.


However, there IS a straightforward and easy way to get it to work: just use the "Redirect" directive either in .htaccess or httpd.conf! So if, for example, you want to force SSL access to http://mysite.com/blah1, in /var/www/html/blah1/.htaccess, put in the following line:

Redirect / https://ssl4.westserver.net/mysite.com/blah1/


Now, let's just hope WH doesn't disable that ;)

Any comments on any problems or cons of this approach, do post on this thread. Thanks!

andz
02-26-2007, 07:12 AM
^ Scratch that. It turns out the above solution also loops...

It worked one time... and then failed afterwards :(

midatabase
09-09-2007, 08:01 PM
Can anyone suggest a new method of how to force the URL to use the shared SSL address? I tried mod_rewrite, but it doesn't seem to work.

One would think that WestHost would tell us what to do, because without forcing the secure page, the shared SSL feature is almost worthless.

PS - (Bump x 1000)

corvus
09-11-2007, 02:19 PM
It's been a while since I've used the shared SSL stuff, but I remember the source IP being changed to be the WestHost server. Basically, WestHost proxies the request through a server with a valid SSL cert.

If this is still the case, couldn't you check to make sure that it's coming from one of the proxy servers and restrict on that?

The only risk here would be if they moved the proxies.
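
The source-address check corvus describes, sketched as an .htaccess fragment. This is an added example, not something posted in the thread and not tested on WestHost. The two 192.0.2.x addresses are constructed placeholders for the shared-SSL proxy addresses, and the sketch assumes mod_rewrite is permitted in .htaccess and that REMOTE_ADDR holds the proxy's address for requests that arrive through the shared SSL URL.

```apache
# /var/www/html/blah1/.htaccess  (added example)
#
# Assumption, following the proxy description above: a request made through
# https://ssl4.westserver.net/mysite.com/blah1/ reaches this server from the
# shared-SSL proxy, so it looks like an ordinary non-SSL request here.
# Under that assumption an unconditional redirect also fires on the proxied
# request, which would produce the loop reported earlier in the thread.

RewriteEngine On

# Placeholders: replace with the client address that your access log records
# when you load the page through the shared SSL URL. Conditions are ANDed,
# so the rule fires only when the client is none of the listed proxies.
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.10$
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.11$

# Everyone else came in directly over plain HTTP: send them to the SSL URL.
# 302 rather than 301, so a stale proxy list is not cached by browsers.
RewriteRule ^(.*)$ https://ssl4.westserver.net/mysite.com/blah1/$1 [R=302,L]
```

If the proxies are moved, as corvus notes, the conditions stop matching and every request is redirected again, so the loop returns until the addresses are updated.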