On 28.12.2012 01:27, Robert Moskowitz wrote:
> My little bit of testing gives the user a bad experience if they use http://fqdn/webmail. The ajax error is so cryptic. I suppose with some digging I can find a way to get it to say, "use https:// like you were instructed!" instead. Until I do, I tend toward a forced redirect to https.
force redirect
> As for security issues for my site? What, yet another DOS attack with TLS costs to any robo that hits on my webmail url?

if you are CPU bound because of TLS and a robot, you have other problems, like too slow hardware; these days, with Intel AES-NI, it costs zero
> My expertise is in designing security protocols, not impact of force using them. ;)
it does not if it is done right
    <Directory "roundcube-dir">
        php_admin_flag session.cookie_secure "1"
    </Directory>

this makes sure that there will NEVER be a client sending the session cookie unencrypted; if you get an external security audit and do not use this setting for https sites you will get warned by the auditor, and if not, he did not do his job!
> Perhaps I am implementing this wrong on my server. My roundcubemail.conf has
>
>     <Directory /usr/share/roundcubemail/>
>         Order Deny,Allow
>         Allow from all
>     </Directory>
>
> Am I supposed to put your <Directory "roundcube-dir"> ... after this entry or the php_admin_flag in the one I have?
jesus christ, put it in your <Directory /usr/share/roundcubemail/>; don't get me wrong, but it should be pretty clear to anybody that <Directory "roundcube-dir"> is an example for mod_php basics
> What do you use for force_https and use_https?

some lines of code in any PHP file, like configuration includes, which is always loaded; make sure it is included BEFORE any output starts, because HTTP headers can not be pushed after output of the HTTP body has started

    <?php
    // Redirect plain-HTTP requests to the HTTPS URL of the installation.
    // Skipped for the CLI SAPI, where there is no request to redirect.
    // Note: behind a TLS-terminating proxy $_SERVER['HTTPS'] may be unset
    // even for encrypted requests; check the proxy's forwarded header there.
    if (PHP_SAPI != 'cli' && empty($_SERVER['HTTPS'])) {
        header($_SERVER['SERVER_PROTOCOL'] . ' 301 Moved Permanently', true, 301);
        header('Location: https://yourhostname/your-install-dir/', true, 301);
        exit;
    }
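A way to verify both controls from this thread after deploying them (the 301 redirect from http:// to https://, and the Secure flag on the session cookie enforced by session.cookie_secure). This is an added example, not code from the thread or from Roundcube: it parses captured response headers, so the header blocks below are constructed samples standing in for the output of `curl -sI http://host/webmail/` and `curl -sI https://host/webmail/`; the host name mail.example.org and the cookie name roundcube_sessid are assumptions for the sample.

```python
"""Audit captured HTTP response headers for two controls: an http:// request
must answer with a permanent redirect to https:// on the same host, and the
session cookie set over https:// must carry the Secure (and HttpOnly) flag."""
from urllib.parse import urlparse

# Constructed sample: what a correctly configured server answers on http://
HTTP_RESPONSE = """HTTP/1.1 301 Moved Permanently
Location: https://mail.example.org/webmail/
Content-Length: 0
"""

# Constructed sample: https:// response setting the session cookie correctly
HTTPS_RESPONSE_OK = """HTTP/1.1 200 OK
Set-Cookie: roundcube_sessid=abc123; path=/; secure; HttpOnly
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: session.cookie_secure not set, cookie lacks Secure flag
HTTPS_RESPONSE_BAD = """HTTP/1.1 200 OK
Set-Cookie: roundcube_sessid=abc123; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
"""


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, [(name, value), ...])."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_https_redirect(raw, expected_host=None):
    """Return a list of findings for an http:// response; empty means OK."""
    status, headers = parse_response(raw)
    findings = []
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect, got status {status}")
    location = next((v for n, v in headers if n == 'location'), None)
    if location is None:
        findings.append("no Location header")
        return findings
    target = urlparse(location)
    if target.scheme != 'https':
        findings.append(f"redirect target is not https: {location}")
    if expected_host and target.hostname != expected_host:
        findings.append(f"redirect leaves the expected host: {location}")
    return findings


def check_session_cookie(raw, cookie_name):
    """Return findings for the Set-Cookie of cookie_name in an https:// response."""
    _, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name != 'set-cookie' or not value.startswith(cookie_name + '='):
            continue
        # Attributes after the first ';' are compared case-insensitively
        attrs = {a.strip().lower() for a in value.split(';')[1:]}
        if 'secure' not in attrs:
            findings.append(f"{cookie_name} is set without the Secure flag")
        if 'httponly' not in attrs:
            findings.append(f"{cookie_name} is set without the HttpOnly flag")
        return findings
    findings.append(f"no Set-Cookie for {cookie_name}")
    return findings


if __name__ == '__main__':
    print(check_https_redirect(HTTP_RESPONSE, 'mail.example.org'))
    print(check_session_cookie(HTTPS_RESPONSE_OK, 'roundcube_sessid'))
    print(check_session_cookie(HTTPS_RESPONSE_BAD, 'roundcube_sessid'))
```

The host check matters because a redirect that lands on a different host is what an auditor would flag next; the cookie check looks only at the named session cookie, since other cookies may legitimately be readable by script.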