This is a description of how to force SSL on the User and Admin pages of Drupal, while allowing non-SSL access to other parts of the site.

There are some caveats to this configuration. It will not force the user back to non-SSL once the user is redirected to a secure page. However, it does not prevent the user from entering a non-SSL URL in the URL box, so long as that URL is not to the "user" or "admin" paths within Drupal. This has the effect that the connection will automatically become SSL-protected when either of these two sections is accessed, and that the session will tend to remain SSL for the rest of the time the site is used during that session. This causes two possibly negative effects.

Firstly, if a user manually changes their URL box entry in their browser to the "http://" equivalent of a location not within the "user" or "admin" spaces, their session will no longer be encrypted. Some non-public data could be transferred in cleartext over the browser session. Since the user manually changed the URL box, presumably they understand the risks here and have chosen to accept them.

Secondly, if a user logs into Drupal, their session will become SSL-protected, because they access the "user" section to do so. However, if they then close their browser window or browse to another location, then return to the site, their session will no longer be SSL-protected. This is an unintentional instance of the first example above. As above, there is a possibility that some non-public data could be transferred over the wire in cleartext in this scenario. Of course, were the user to then navigate to the "user" or "admin" sections, their session would from that point become encrypted. This scenario involves a user unwittingly making their session insecure.

The team(s) or individual(s) managing the site are responsible for considering these risks, as well as the associated consequences, and choosing the appropriate course of action.

Here is how to install this configuration, if you choose to continue:

In the httpd-vhosts.conf file, configure your port 80 virtual host as follows:

{code}
RewriteEngine On
# Redirect (mod_alias) matches on the URL path, so everything below /user and /admin is redirected as well
Redirect /user https://sitename.mit.edu/user
Redirect /admin https://sitename.mit.edu/admin
{code}

Enable "Clean URLs" in the web admin interface of Drupal.

Install the "globalredirect" module into the modules directory used for the site you're configuring. For example, if your Drupal installation is under /var/www/drupal, then you might use /var/www/drupal/sites/all/modules as the directory to extract the module, so that the module would be located in /var/www/drupal/sites/all/modules/globalredirect, and would be used by all sites. Here is an example, assuming your module is called "globalredirect.tgz" and is located in /usr/local/src:

{code}
cd /var/www/drupal/sites/all/modules
# -f must come last in the option cluster so that the archive path is taken as its argument
tar -xvzf /usr/local/src/globalredirect.tgz
{code}

Run update.php on the site from a web browser.

Enable both the "path" and "globalredirect" modules in the Admin interface of Drupal.
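
To confirm the result, the responses from the port 80 virtual host can be checked against the intended policy: paths under /user and /admin must answer with a redirect to https://, while other paths are still served in cleartext. The script below is an added example, not part of the original page; check_response and the two sample responses are constructed for illustration, and on a live site the headers would come from `curl -sI http://sitename.mit.edu/user/login`.

```sh
#!/bin/sh
# Added example, not from the original page. check_response reads one HTTP
# response's headers on stdin (as printed by `curl -sI`); $1 is the request path.
# Prints redirect-https, cleartext or unexpected. Returns 1 when a path under
# /user or /admin is answered with anything but a redirect to https://.
check_response() {
    path=$1
    headers=$(tr -d '\r')    # header lines end in CRLF on the wire
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')

    case $path in
        /user|/user/*|/admin|/admin/*) protected=yes ;;
        *) protected=no ;;
    esac

    result=unexpected
    case $status in
        30[12378])
            case $location in
                https://*"$path") echo redirect-https; return 0 ;;
            esac ;;
        2??) result=cleartext ;;    # body was served over plain HTTP
    esac
    echo "$result"
    if [ "$protected" = yes ]; then return 1; fi
    return 0
}

# Constructed sample responses (hypothetical, not captured from a real site).
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://sitename.mit.edu/user/login
'
SAMPLE_PLAIN='HTTP/1.1 200 OK
Content-Type: text/html
'

printf '%s' "$SAMPLE_REDIRECT" | check_response /user/login
printf '%s' "$SAMPLE_PLAIN" | check_response /node/1
printf '%s' "$SAMPLE_PLAIN" | check_response /admin ||
    echo "FAIL: /admin was served over plain HTTP"
```

A "cleartext" result for a path outside /user and /admin is the behaviour described in the caveats above, so it is reported rather than treated as a failure.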