[Resolved] Want to make an HTTPS-only site

Josh Bonczkowski, modified 13 Years ago.

Junior Member Posts: 59 Join Date: 6/8/10
I am using Apache (HTTP) server + Liferay 6.0.5 w/ Tomcat. My goal is to create a site that always redirects the user to the secure page and then allows processing to continue.

In my portal-ext.properties file, I already have the following settings:

  • web.server.http.port=80
  • web.server.https.port=443
  • web.server.host=<server host name>
  • company.security.auth.requires.https=true


With no extra changes to the Apache server configuration, this will send the user to a secure page only if they select the 'Sign In' link in the top-right of my site. The initial page (http://.../) contains a username/password field, but is then submitted in an *insecure* manner. I validated this with tcpdump.

So, even the above is not enough to at least ensure all logins are done in a secure manner. Additionally, it does nothing for changing passwords in the control panel; password changes are performed on the insecure HTTP port (80).

This led me to look into using Apache to rewrite the URL and forward the user to the secure HTTPS pages regardless of what they request. My configuration for port 80 in Apache now contains:

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

Now, when a user hits the front page, they are immediately sent to the secure version. Now signing in uses a secure request.

I found something odd in the control panel though. With the above turned on, the control panel does not seem to function correctly in some cases. First, the control panel seems to use more full URLs instead of relative URLs. Each of these still point to HTTP instead of HTTPS, but they get redirected. Unfortunately, the pop-up about insecure data on a secure page will appear. I also found that links like editing a user or submitting a change don't work correctly.

  • Go to the Users control panel. Select a user name. Instead of the user's content, a blank page comes up.
  • Go to the Server Settings control panel. Select Authentication, then LDAP. Change a check box and submit the change. This ended up with an infinite bounce between two pages for me.

Apparently, either the above rule isn't working well for Apache or something else is going on.

What is the 'proper' way to ensure secure access to Liferay?

The first method I used was all I could find on the topic in my searches today, but it is not enough as it does not secure all places where a password is typed in.
EDIT: Changed the title to reflect that this was resolved.
Josh Bonczkowski, modified 13 Years ago.

RE: Want to make an HTTPS-only site

Junior Member Posts: 59 Join Date: 6/8/10
Part of it has been solved. I can now click on links such as a user name with the following updated Apache rule:

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R,NE]

I added the NE option (No Escape). I'll have to figure out the form submission issue.

From the logs, the insecure -> secure redirect is firing off, but of course it is going from a POST to a GET, which causes the problem. Sounds like more Apache rewrite magic to uncover.

That is, unless there is a *much* easier way to do this in Liferay.
Josh Bonczkowski, modified 13 Years ago.

RE: Want to make an HTTPS-only site

Junior Member Posts: 59 Join Date: 6/8/10
The more I play with this, the more I see that it won't work really well.

The main issue is getting the control panel to actually submit data back using relative URLs. It appears that many of the links and buttons are configured to use the insecure port 80 by default even when the page is actually rendered on the secure port 443.

Even though I was making progress on Apache rewrites, submitting data (say a password) would first hit the insecure portion of the site, then try to redirect (or proxy) it back to the same page but under a secure URL. The first request already made the data appear in plain text for anyone in the middle.

So, the original question is still valid. How can I tell Liferay to only use the secure port for access?
Amos Fong, modified 13 Years ago.

RE: Want to make an HTTPS-only site

Liferay Legend Posts: 2047 Join Date: 10/7/08
Hey Josh,

What happens if you set this property?

#
# Set the preferred protocol.
#
web.server.protocol=https
Josh Bonczkowski, modified 13 Years ago.

RE: Want to make an HTTPS-only site

Junior Member Posts: 59 Join Date: 6/8/10
Ohhh. I'll try that tomorrow AM.

Thanks Amos. I'll report back tomorrow.
Josh Bonczkowski, modified 13 Years ago.

RE: Want to make an HTTPS-only site

Junior Member Posts: 59 Join Date: 6/8/10
This resolves my problem. I'm very glad to see a Liferay configuration to resolve this.

My first test was to go to the page http://<server>/. This is served up as an insecure page that has a form to submit username/password to login. Opening the page source and locating the form shows that it will be submitted back to the server over the secure HTTPS port.

I also browsed through the control panel and ran the same tests as before. All of them work as expected and the browser stays on the secure port.

Thank you very much for pointing out that configuration option.