HTTPS for login page only

Anything that you think should be in Cacti.

Moderators: Moderators, Developers

Post Reply
Author
Message
helzerr
Cacti User
Posts: 54
Joined: Sun Feb 01, 2004 3:10 am
Location: Orlando, FL
Contact:

HTTPS for login page only

#1 Post by helzerr » Fri Jun 29, 2012 6:42 am

As user sonador requested in this thread: http://forums.cacti.net/viewtopic.php?f=21&t=45825

Neither Apache redirect nor the SSL plugin serve this purpose, as they both result in all pages being delivered via HTTPS. In some environments, its only necessary and desirable to secure the login page, while not incurring the overhead of HTTPS for the other pages.

ndberry
Posts: 2
Joined: Thu Jul 05, 2012 3:56 pm

Re: HTTPS for login page only

#2 Post by ndberry » Thu Jul 05, 2012 4:07 pm

Isnt this doable with a rewrite condition that is set only to the login page?

helzerr
Cacti User
Posts: 54
Joined: Sun Feb 01, 2004 3:10 am
Location: Orlando, FL
Contact:

Re: HTTPS for login page only

#3 Post by helzerr » Wed Jul 11, 2012 2:41 pm

To an extent, yes - however, the index.php page appears to be written to use relative URLs, so the rewrite may work well for the index.php page but not for the content within. This results in security alerts from modern browsers which prefer not to mix http & https content on the same page... Hence why it would be desirable for a setting to exist which would use https for all URLs in the index.php page only.

I have tried to address this with mod_rewrite, but never achieved the desired results. Perhaps it's my mod_rewrite foo which is lacking?

hoonry
Posts: 1
Joined: Wed Mar 06, 2013 7:02 am

Re: HTTPS for login page only

#4 Post by hoonry » Wed Mar 06, 2013 7:06 am

helzerr wrote:in security alerts from modern browsers which prefer not to mix http & https content on the same page... Hence why it would be desirable for a setting to exist which would use https for all URLs in the index.php page only.
Yes those security alerts I get are often unsettling, the only issue with using https for all URLs is loading speed, this is why https is not used everywhere, site speed is important too. You need to balance functionality and security.
Henry

cigamit
Developer
Posts: 2780
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Re: HTTPS for login page only

#5 Post by cigamit » Thu May 23, 2013 4:32 pm

You could modify 1 line of the SSL plugin to only require SSL on the login page. You would then want it to force it to redirect page if not on the login page though, so another 3 lines.

Post Reply