https logins only

sonador
Posts: 7
Joined: Wed Dec 07, 2011 7:32 pm

https logins only

Post by sonador »

A lot of the users of the Cacti installation which I support also use it outside the office via insecure lines, and I have decided to run it on an SSL-enabled web server.

HTTPS, though, increases loading times for graphs, especially for those who have old computers, and handling SSL-encrypted data on those old machines takes significant time.

Is there any possible way to make Cacti only handle logins through https and serve everything else through regular http? :P


~Cheers~
noname
Cacti Guru User
Posts: 1566
Joined: Thu Aug 05, 2010 2:04 am
Location: Japan

Re: https logins only

Post by noname »

Just google'd:
- Apache: Redirect http to https Apache secure connection – force HTTPS Connections

I'm not sure whether it works (or not) in Cacti.
sonador
Posts: 7
Joined: Wed Dec 07, 2011 7:32 pm

Re: https logins only

Post by sonador »

I am not sure rewriting would work in the scenario which I am trying to accomplish. The link which you posted will work for general rewriting of all http traffic to https. That's fine, but I need only logins to be handled through https.

Even if I do POST rewriting only, data will arrive at the webserver unencrypted and then will be rewritten to https, which will again allow a man-in-the-middle attack - and I am trying to keep the user accounts secure since they are authenticated against our corporate directory server.

I guess some code modifications would be needed if I want only logins to be POSTed through https and everything else to use regular http.

Anybody? Any ideas?
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Re: https logins only

Post by TheWitness »

sonador
Posts: 7
Joined: Wed Dec 07, 2011 7:32 pm

Re: https logins only

Post by sonador »

TheWitness, this particular plugin will redirect anything that is not https to https. I am not looking to do this. This is achievable with a rewrite rule in Apache.

What I would like to do is only handle logins through https and serve everything else through regular http.

Any ideas?
helzerr
Cacti User
Posts: 54
Joined: Sun Feb 01, 2004 3:10 am
Location: Orlando, FL

Re: https logins only

Post by helzerr »

After much research, I've managed to get mod_rewrite to work, but it's not perfect... Within your <Directory> configuration for Cacti, add:

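Code:

        RewriteEngine On

        # Requests for any other host name go to the canonical HTTPS URL
        RewriteCond %{HTTP_HOST}   !^cacti\.domain\.com$ [NC]
        RewriteRule ^(.*)$         https://cacti.domain.com/$1 [R=301,L]
        # An empty path is sent to index.php
        RewriteRule ^$             /index.php [R=301,L]

        # index.php requested on a port other than 443: redirect to HTTPS
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^index\.php$   https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

        # Anything other than index.php requested on port 443: redirect to HTTP
        RewriteCond %{SERVER_PORT} ^443$
        RewriteRule !^index\.php$  http://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Of course, adjust "cacti.domain.com" to your own URL.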

Certain versions of browsers will complain about mixed content - Chrome asks, "This page has insecure content. [Don't load (recommended)] [Load anyway]" and I.E. will pop up a dialog asking, "Do you want to view only the webpage content that was delivered securely?"

Anyone with better mod_rewrite skills, please chime in. Or perhaps this is something which should be an option in Cacti settings, ala "Secure login page with SSL? [Y] [N]" which then instructs the .php to use https:// URLs in the right places?
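
The redirect behaviour of the rules above, modelled in Python as an added example that is not part of the original posts: it traces which URLs end up on HTTP or HTTPS and why subresources of the HTTPS login page produce the mixed-content prompts. It assumes Cacti is served from the site root on the standard ports 80 and 443; the function names are hypothetical and the sample URLs and file names are constructed.

```python
import re
from urllib.parse import urljoin, urlsplit

CANONICAL = "cacti.domain.com"  # host name used in the post
LOGIN = re.compile(r"index\.php")


def rewrite(url):
    """Return (status, location) if the rule set redirects url, else None."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = u.path.lstrip("/")  # per-directory rules match without the leading slash
    query = f"?{u.query}" if u.query else ""  # redirects keep the query string
    if u.hostname != CANONICAL:  # host rule: canonical name, always HTTPS
        return 301, f"https://{CANONICAL}/{path}{query}"
    if path == "":  # empty path goes to index.php on the same scheme
        return 301, f"{u.scheme}://{u.hostname}/index.php{query}"
    if port != 443 and LOGIN.fullmatch(path):  # login page is forced to HTTPS
        return 302, f"https://{u.hostname}{u.path}{query}"
    if port == 443 and not LOGIN.fullmatch(path):  # everything else is forced to HTTP
        return 302, f"http://{u.hostname}{u.path}{query}"
    return None


def follow(url, limit=5):
    """URLs the browser requests in order; the last one is served."""
    hops = [url]
    while len(hops) <= limit and (hit := rewrite(hops[-1])):
        hops.append(hit[1])
    return hops


def cleartext_hops(url):
    """Requests in the chain that cross the network over plain HTTP."""
    return [h for h in follow(url) if h.startswith("http://")]


def mixed_content(page, subresources):
    """Relative subresources of an HTTPS page that end up fetched over HTTP."""
    final = {s: follow(urljoin(page, s))[-1] for s in subresources}
    return [s for s, f in final.items() if f.startswith("http://")]


if __name__ == "__main__":
    # Constructed sample requests
    for start in ("http://cacti.domain.com/", "https://cacti.domain.com/graph_view.php"):
        print(" -> ".join(follow(start)))
    print(mixed_content("https://cacti.domain.com/index.php", ["images/logo.gif", "include/main.css"]))
```

A request body or a cookie without the Secure attribute travels with every URL that `cleartext_hops` returns, which is the exposure sonador describes for a login POST that is only redirected after it arrives.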
helzerr
Cacti User
Posts: 54
Joined: Sun Feb 01, 2004 3:10 am
Location: Orlando, FL

Re: https logins only

Post by helzerr »

Cross-posted in Feature Requests forum: http://forums.cacti.net/viewtopic.php?f=7&t=47649