[Setup] Possible problem with CSS + VHM in Apache SSL, or is it just me?

albieback alberto at alopes.com
Mon Jun 16 03:19:59 UTC 2008

Dear friends,

I am not sure if this is the right place to post this. If not, please
redirect me.

I needed to set up my Plone 3.0 site like this:

1 - If the user went into http://www.mysite.com, they should see the site
ok. I deactivated login portlet. 
2 - But I wanted to make sure that the login info should be sent by https
(so I could feel secure about not having the user credentials leaking
around), and that the login form should also be served by https (so that the
user could see the nice padlock thingy and feel secure about filling in the
username and password)
3 - If the user put the wrong credentials (meaning /login_failed) or clicked
on the logout link (meaning /logout), the login form would appear again, and
again it should be served by https.

My solution was implemented using some of the how-tos in the docs area: I
set up an Apache installation, with mod_proxy, mod_proxy_http, mod_ssl and
mod_rewrite all enabled. 

I created two virtual hosts, on port 80 (let's call it VH80) and 443

In both of them, I activated the RewriteEngine, and wrote a couple of
RewriteRules to make Apache work with VHM alright:

a - For VH80, these are the rules:

RewriteRule ^/login_(.*) https://www.mysite.com/login_$1 [R,L]
RewriteRule ^/logged_(.*) https://www.mysite.com/logged_$1 [R,L]
RewriteRule ^/logout(.*) https://www.mysite.com/logout$1 [R,L]

RewriteRule ^/(.*)

So, if any of the should-be-served-by-https pages were hit, the R flag forces
the browser to redirect. If any other URL were hit, Apache proxies the
request to Zope and VHM should rewrite the "internal" URLs.

b - For VH443, these are the rules:

RewriteRule ^/login_(.*)

RewriteRule ^/logged_(.*)

RewriteRule ^/logout(.*)

RewriteRule ^/(.*) http://www.mysite.com/$1 [R,L]

So, if any of the should-be-served-by-https pages were hit, the request is
proxied to Zope, with info for VHM to rewrite internal URLs to keep the
complete page in https land. If any other URL were hit, the R flag would
force the browser to redirect back to http land.

It works. Almost flawless, but one important thing is wrong.

When I go to any of the three should-be-served-by-https pages, IE gives me
the "This page contains both secure and nonsecure items. Do you want to
display the nonsecure items?", and it doesn't show my desired padlock.
Firefox just shows the crossed padlock.

Both of them are telling me the page contains http content. And that is
right: when, say, the https login_form is served, it links to some https js,
css and gif files. But my rules redirect any should-not-be-served-by-https
content to http, and that includes those js, css and gifs. 

My final solution was to create some more rules in VH443 to proxy css, js,
png, gif and jpg files, hoping that that is all the "included" content. That
worked, and now my login_form and similar pages show the secure padlock to
the user, the passwords are all sent encrypted and the rest of the site is
served via http in order to keep up the performance.

But this solution seems a little bit flawed: what if I change the theme and
the new theme includes an unpredicted kind of content (say, a Flash swf
file)? My solution feels a little "too hardcoded" to me.

I would appreciate any comments on my solution, and views on what better
strategies there are for the above situation.

Best regards,
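
Added example, not part of the original message: a Python check that models the VH443 rule order described above and lists every embedded URL of an https page that the catch-all rule would send back to http, whatever its file type. The sample HTML is constructed, the "proxy"/"redirect" labels are this example's own, and the extension pattern in WORKAROUND_RULES is an assumed form of the workaround, whose actual rules are not shown in the message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# VH443 rule order from the post, first match wins. "proxy" = stays on
# https; "redirect" = the [R,L] catch-all that bounces to http://.
VH443_RULES = [(r"^/login_(.*)", "proxy"), (r"^/logged_(.*)", "proxy"),
               (r"^/logout(.*)", "proxy"), (r"^/(.*)", "redirect")]
# Assumed shape of the extension-based workaround (its rules are not shown).
WORKAROUND_RULES = [(r"^/.*\.(css|js|png|gif|jpg)$", "proxy")] + VH443_RULES

# Tag -> attribute through which a page pulls in embedded content.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "embed": "src",
                     "iframe": "src", "object": "data", "link": "href"}

class SubresourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls = base_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links count as embedded content here
        value = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if value:
            self.urls.append(urljoin(self.base_url, value))

def action_for(path, rules):
    """Return the action of the first rule whose pattern matches the path."""
    return next((act for pat, act in rules if re.match(pat, path)), "no-match")

def mixed_content(html, page_url, rules=VH443_RULES):
    """List embedded URLs that would not be served over https."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    flagged = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or action_for(parts.path, rules) != "proxy":
            flagged.append(url)
    return flagged

# Constructed sample page, not taken from a real Plone theme.
SAMPLE = """<html><head><link rel="stylesheet" href="/portal_css/base.css">
<script src="/portal_javascripts/login.js"></script></head>
<body><img src="logo.gif"><embed src="/theme/banner.swf">
<a href="/about">About</a></body></html>"""
LOGIN_URL = "https://www.mysite.com/login_form"
```

Calling mixed_content(SAMPLE, LOGIN_URL) reports all four embedded files under the original rules; with WORKAROUND_RULES only the .swf remains, which is the hardcoding gap the message worries about.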

