SSL for only Authenticated users

rajibmp's picture

I have been using Perusio's Nginx config in FreeBSD and Ubuntu without any problem. The only thing I couldn't understand is that it redirects to HTTPS whenever I visit the site. I want to make my site accessible via plain HTTP for all users and HTTPS for registered/logged-in users.

I haven't changed any HTTPS config in FCGI or any other place, I just declared the SSL certificates and keys, and now whenever I visit the site I am accessing HTTPS (even for anonymous users). I tried clearing all caches in my browser and also using private browsing but I am again forced to HTTPS. I'm using D7, PHP-FPM, Nginx.

Comments

The recipe

perusio's picture
  1. You need to configure both an HTTP and an HTTPS vhost.

  2. By default all requests are handled by the HTTP vhost.

  3. When the Drupal session cookie is present, all requests are handled by the HTTPS host.

I'll skip the vhost configuration part and proceed immediately to the handling of the session cookie.

At the http level do:

### Map directive for SSL redirect of authenticated users.
## One map keyed on "$scheme:$http_cookie". Two separate maps setting
## $is_secure would not combine: nginx lets the later map redefine the
## variable, so the cookie test would be lost. Over https the key starts
## with "https:" and never matches, so there is no redirection loop; over
## http the value is 1 only when a Drupal session cookie (SESS<hash> or
## SSESS<hash>) is present in the Cookie header.
map "$scheme:$http_cookie" $is_secure {
    default 0;
    ~^http:.*SESS 1;
}

In the HTTP host at the server level do:

if ($is_secure) {
    return 302 https://$host$request_uri;
}

I'm assuming that the hostname for the HTTPS and HTTP site is the same.

It might also be

brianmercer's picture

It might also be strict-transport-security.

See http://groups.drupal.org/node/217384

Hmm, not sure

perusio's picture

that STS is the way to go. It's certainly the case if you want to enforce a strict transport policy. I believe the OP was asking for a way to redirect users with the session cookie to a secure host. STS is handled strictly client side; once set, you have no control over it from the server side.

Thank you for replies, I will

rajibmp's picture

Thank you for the replies, I will try your suggestion Perusio. In STS the max age = 7200, which doesn't sound too much to me. However, I am just wondering why D7 sets the cookie in Firefox for anonymous users too. I have used Pressflow. I cannot read through the cookie, but it has a non-encrypted name "has_js".

It shouldn't set

perusio's picture

any session cookie whatsoever if not logged in for D7 or Pressflow. That's handled at the server side. Please empty your browser cookie jar and retry.

Perhaps I misunderstood the

brianmercer's picture

Perhaps I misunderstood the original issue. I thought the problem was that whenever the OP visited his site, he was redirected to https, and he didn't want that behavior.

I was suggesting that the behavior was caused by STS and not a cookie.

With STS enabled, once you visit the https version, your browser redirects you to https for the designated period and will not allow you to go to the http version. That is its function.

It's true that

perusio's picture

having the STS setting makes that happen automagically. I understood that the OP wanted just to make logged-in users go over HTTPS and all others over HTTP. Hence the suggestion. He can set STS if he wants to. But then he should reduce the max-age to a couple of seconds, 180, 200 maximum.

sorry it took me a bit more

rajibmp's picture

sorry it took me a bit more time to test this, I wasn't sure what was wrong. I did exactly what Perusio suggested. I can log in as admin, but while logging in it doesn't redirect me to HTTPS. Here are the steps I did:

  1. Opened the link in the browser with HTTP.

  2. Logged in to the admin section -> here it doesn't redirect me to HTTPS.

  3. I typed the HTTPS myself in the browser just before the link.

  4. Now I am successfully running the whole site as HTTPS, no obstacle here.

  5. When I log out, I am redirected to HTTP, which is normal.

  6. I again did HTTPS in the browser before logging in -> it's all fine.

  7. I log in again and use HTTPS without any problem.

  8. I log out again and am again redirected to HTTP.

  9. But when I log in again -> HTTP again after logging in, no HTTPS.

I was wondering if that has something to do with the self-signed certificate? Since I am still in development and on localhost, I am using a self-signed SSL certificate; is this the culprit?

EDIT

Now it doesn't redirect to HTTPS while logging in either. I did https://localhost before logging in, and I can use the whole site as HTTPS without logging in, but when I logged in, I got back to HTTP. I can manually do HTTPS after logging in and it works fine to browse the site.

Well it's a bit tricky

perusio's picture

Have you tried changing pages after logging in? It should work.

Ideally this needs to be handled at the app layer also. What you could do to make it simpler is:

  1. Disable the login block.

  2. Place the /user location over HTTPS. Add to your config of the HTTP vhost:

    location ^~ /user {
        return 302 https://$host$request_uri;
    }

Try it out.
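The complete HTTP/HTTPS vhost pair that the recipe above skips, combining the cookie map from the first reply with the /user redirect from this one, added here as an example (not perusio's config or rajibmp's setup); the hostname, document root, certificate paths and the included drupal-common.conf are placeholders.

```nginx
## http level: one map keyed on scheme + Cookie header, so over HTTPS
## $is_secure is always 0 (no redirect loop) and over HTTP it is 1 only
## when a Drupal session cookie (SESS<hash> / SSESS<hash>) is present.
map "$scheme:$http_cookie" $is_secure {
    default 0;
    ~^http:.*SESS 1;
}

## Plain HTTP vhost: serves anonymous traffic.
server {
    listen 80;
    server_name example.com;          # placeholder hostname
    root /var/www/drupal;             # placeholder document root

    ## Session cookie present: move the user to the HTTPS host.
    if ($is_secure) {
        return 302 https://$host$request_uri;
    }

    ## Login pages always over HTTPS, so the session cookie is issued
    ## on the secure host rather than over plain HTTP.
    location ^~ /user {
        return 302 https://$host$request_uri;
    }

    ## Placeholder for the shared Drupal location / fastcgi rules.
    include drupal-common.conf;
}

## HTTPS vhost: same hostname, same document root.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/drupal;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder

    ## Deliberately no Strict-Transport-Security header here: once a
    ## browser receives it, every visitor (anonymous included) is pinned
    ## to HTTPS for max-age, which is the behaviour the original report
    ## wanted to avoid.

    include drupal-common.conf;
}
```

Check the split from the command line: a request with a constructed session cookie, curl -sI -H 'Cookie: SESSdeadbeef=x' http://example.com/, should answer 302 with an https:// Location, while the same request without the cookie should be served with 200 over plain HTTP.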

cannot log in after disabling login block

rajibmp's picture

I even tried with the /user /user/ /admin /admin/ locations, still the same issue as above. And disabling the user login block doesn't let me/users log in to the backend.

As far as I understand the logic, this should work perfectly. I guess the self-signed SSL certificate might be the culprit. The same old problem on my machine, even after clearing the browser cache and history. I will test this once we order the SSL certificate from some trusted company.

I will also check if we can handle this via the application, but I was wondering if it'd leave some security hole. I was even referring to your Porto Nginx hack session in gist, but it looks like the culprit is the SSL certificate rather than the server config.

Obrigada Perusio for your effort. I will return to inform, once we test with REAL SSL Certificate.