HTTP and HTTPS on same RT server?

Hi All

The RT mailing list archives seem a bit silent on this one. I need
SelfService tickets to be accessed over HTTP but engineers must login with
HTTPS. So I have enabled both HTTP and HTTPS on apache for my RT server.
By correctly setting the WebBaseURL in RT_SiteConfig.pm to http or https I
can get either one of the two working but not both at the same time. If
http is specified then you cannot submit replies in https and vice versa.

Can anyone please help me to set up so that both are fully functional
simultaneously?

RT_SiteConfig.pm setting: Set($WebBaseURL, "https://rt.attix5.com");

Thanks
Danie

Can someone perhaps just confirm that an HTTP and HTTPS combination is not
possible?

Thanks

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Danie Marais
Sent: 22 February 2008 10:24 AM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] HTTP and HTTPS on same RT server?


Danie Marais wrote:

Can someone perhaps just confirm that an HTTP and HTTPS combination is
not possible?

Thanks
I don’t see why it wouldn’t be possible. You can have both an HTTP and
an HTTPS site serving the same pages, and then redirect people between
the two based on certain conditions, probably logged in user, or even
based on a custom field.

Is there any reason why you don’t want to use HTTPS for both SelfService
users and engineers?


I’m not keen to buy an expensive web certificate. SelfService does not
warrant that level of security, but engineers can be instructed to import
the web certificate. And HTTP requires slightly less resources.

My current problem is that by correctly setting the WebBaseURL in
RT_SiteConfig.pm to http or https I can get either one of the two working
but not both at the same time. If http is specified then you cannot submit
replies in https and vice versa.

I encountered this problem and solved it for RT 3.6.5.

From what I saw, the problem was in RT::Interface::Web::Redirect() function
that is called from html/Ticket/Display.html (and other places). It
redirected the browser to a URL based on $RT::WebURL configuration only. So
it always redirected to a “http” or “https” scheme URL based on the
configuration.

I changed the function to redirect to a URL based on the current scheme
(http/s):

In file local/lib/RT/Interface/Web_Local.pm:

-------------------------- Begin File --------------------------------
package RT::Interface::Web;

use strict;
use warnings;
use URI;

# Overrides RT::Interface::Web::Redirect so that the redirect keeps the
# scheme (http or https) of the request being served instead of the one
# hard-coded in $RT::WebURL.
sub Redirect {
    my $redir_to = shift;
    untie $HTML::Mason::Commands::session;
    my $uri        = URI->new($redir_to);
    my $server_uri = URI->new($RT::WebURL);

    # If the user is coming in via a non-canonical
    # hostname, don't redirect them to the canonical host,
    # it will just upset them (and invalidate their credentials)
    if (   $uri->host eq $server_uri->host
        && $uri->port eq $server_uri->port )
    {
        $uri->host( $ENV{'HTTP_HOST'} );
        $uri->port( $ENV{'SERVER_PORT'} );
    }

    # Explicitly set the scheme to http/s according to the current
    # request coming in. This must be a string comparison ('eq'):
    # a numeric '==' treats both "on" and an unset value as 0, so it
    # is true for every request, forces https onto plain-HTTP requests
    # and produces redirects such as https://host:80/...
    my $scheme = ( defined $ENV{'HTTPS'} && $ENV{'HTTPS'} eq 'on' )
        ? 'https'
        : 'http';
    $uri->scheme($scheme);

    $HTML::Mason::Commands::m->redirect( $uri->canonical );
    $HTML::Mason::Commands::m->abort;
}

1;
-------------------------- End File --------------------------------

Eynat

-----Original Message-----
From: Danie Marais [mailto:danie.marais@attix5.com]
Sent: Tuesday, 26 February 2008 12:38 PM
To: ‘Oliver Jeeves’
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] HTTP and HTTPS on same RT server?


Eynat,

Thanks very much for your response. I added the file as you suggested. I
also changed WebURL to http (not https). Now HTTPS works fine - I can
submit and reply to a ticket.

When I log in to selfservice via HTTP my browser (IE) tries to connect to
https://rt.mydomain.com:80/SelfService/
instead of http (after the login screen). I have searched RT_SiteConfig.pm
and cannot find a reference to ‘HTTPS’ anywhere…

BTW I am on RT 3.6.6.

Danie
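The redirect logic from Eynat's patch, modelled here as an added example (not RT's code and not the patch itself) so that Danie's symptom can be reproduced: in Perl a numeric comparison such as `$ENV{'HTTPS'} == "on"` coerces both sides to 0 and is therefore true on every request, so the scheme is forced to https while the port is copied from the plain-HTTP request. Hostnames and environment values are constructed sample data.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def perl_numeric_equal(a, b):
    """Model of Perl's numeric '==' on strings: anything that is not a
    number (including "on" and an unset variable) coerces to 0."""
    def to_num(s):
        try:
            return float(s)
        except (TypeError, ValueError):
            return 0.0
    return to_num(a) == to_num(b)


def current_scheme(env, numeric_compare=False):
    """Scheme of the request being served, taken from the HTTPS env var.
    numeric_compare=True reproduces the '==' bug (always https)."""
    https = env.get("HTTPS")            # absent on plain-HTTP requests
    is_tls = perl_numeric_equal(https, "on") if numeric_compare else https == "on"
    return "https" if is_tls else "http"


def redirect_url(web_url, target, env, numeric_compare=False):
    """Absolute redirect URL for one request, keeping the client's scheme
    and host instead of forcing the scheme configured in $WebURL."""
    uri = urlsplit(urljoin(web_url, target))   # relative targets resolve against $WebURL
    server = urlsplit(web_url)
    host = uri.hostname
    port = uri.port or DEFAULT_PORTS[uri.scheme]
    server_port = server.port or DEFAULT_PORTS[server.scheme]
    # Target is on the canonical host: follow the host/port the client used.
    if host == server.hostname and port == server_port:
        host = env["HTTP_HOST"]
        port = int(env["SERVER_PORT"])
    scheme = current_scheme(env, numeric_compare)
    # Canonical form: drop the port only when it is the default for the scheme.
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return urlunsplit((scheme, netloc, uri.path, uri.query, ""))


if __name__ == "__main__":
    # Constructed sample: RT configured for http, one client on HTTP, one on HTTPS.
    env_http = {"HTTP_HOST": "rt.mydomain.com", "SERVER_PORT": "80"}
    env_https = {"HTTPS": "on", "HTTP_HOST": "rt.mydomain.com", "SERVER_PORT": "443"}
    web_url = "http://rt.mydomain.com/"
    for label, env, bug in (("http, 'eq'", env_http, False),
                            ("http, '=='", env_http, True),
                            ("https, 'eq'", env_https, False)):
        print(f"{label:12} -> {redirect_url(web_url, '/SelfService/', env, bug)}")
```

The `'=='` case yields exactly the https://rt.mydomain.com:80/SelfService/ redirect seen from IE above.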


For rt.openssl.org the problem is “solved” by having a separate Apache
instance just running RT on some internal port number and then let the
frontend Apache handle the http/https protocols.

<VirtualHost 195.30.6.166:80>
# server information
ServerName rt.openssl.org
ServerAlias rt.openssl.org
ServerAdmin openssl-team@openssl.org
ServerSignature on
UseCanonicalName on
# hand every request to the internal RT instance and rewrite its
# redirects back to this vhost's own scheme and host
ProxyPass / http://195.30.6.166:abcd/
ProxyPassReverse / http://195.30.6.166:abcd/
</VirtualHost>

<VirtualHost 195.30.6.166:443>
# server information (SSL certificate directives omitted here)
ServerName rt.openssl.org
ServerAlias rt.openssl.org
ServerAdmin openssl-team@openssl.org
ServerSignature on
UseCanonicalName on
ProxyPass / http://195.30.6.166:abcd/
ProxyPassReverse / http://195.30.6.166:abcd/
</VirtualHost>

So far I have not seen any malfunction.

Best regards,
Lutz


Umm, SSL Certs are $20 a year, lol

Matt Westfall
Owner / Operator
FiftyPounds Internet


Matt,

Maybe I am daft, but the SSL cert sites I looked at listed it at $399 per
year. Where can you get $20 certs?


You can generate your own SSL certs for free. The
only reason you’d want to buy them from Thawt ($150
ish), or super gold plated Ferrari certificates from
VeriSign ($900) is if you don’t want browsers to
complain due to an unknown Certificate Authority. If
your RT systems aren’t going to be on the Internet
and/or you don’t care about the warnings, you can
generate your own certificates using openssl, and set
them to expire in 50 years.


Better yet, import the self-generated CA cert (that you used to sign each
of your SSL certs) into each browser as a trusted root certificate
authority and no more warnings…

James Moseley


There is a self-signed cert on the box. But we need to give Internet access
to customers and do not want them to get a certificate warning. So they
must either use http or we must have a valid cert. According to
www.thawte.com they ask $249 for a new cert and $199 for a renewal.

First prize for me would still be a http/https combination with customers
using http.

Danie, if you’ve got customers using RT and you want them to use SSL, then
pay up for a legitimate certificate.

James Moseley


James,

I do not need SSL for the customers. Only for internal techies.

Pending on which country, but data protection is worth a lot more than
$249 …
I am sure your customer's data is worth a lot more than that … http is
insecure.

Roy

jmoseley@corp.xanadoo.com wrote:

Better yet, import the self-generated CA cert (that you used to sign each
of your SSL certs) into each browser as a trusted root certificate
authority and no more warnings…

This is a pretty bad idea unless you are living in a closed system.
If I add the “xanadoo.com” root CA to my trusted root CAs my browser
would stop warning me if I hit a https://www.mytrustedbank.com/ forged
website with a certificate signed by the “xanadoo.com” root CA.
The trust model used with typical browsers is such that you better only
add those root certificates you really trust and don’t add lots of
home grown root CAs on the way.

Best regards,
Lutz
PS. Please no new discussion about how trustworthy Verisign et al might
ultimately be as root CAs. That’s a topic of its own.

Can someone perhaps just confirm that an HTTP and HTTPS combination
is not possible?

It mostly works. The problem is you can only specify one address as
the $WebBaseURL. On our instance, we can access it via either http or
https, but at some point you might get redirected to the https version
because that’s what our base is.


Godaddy sells valid ssl certs for 20 a year. rolls eyes
Matt Westfall
Owner / Operator
FiftyPounds Internet
