I have a site that does secure credit card transactions on behalf of
merchants. As soon as a cardholder on the merchant site is ready to pay,
the merchant redirects the cardholder to my site, and I pick up payment
details from the cardholder directly over SSL.
When the cardholder is accessing my site, I retrieve certain elements
from the merchant site and present them to the cardholder while he is
completing the purchase on my site. Since the merchants do not pick up
any payment sensitive information, quite a few of them do not have SSL
certificates themselves.
Typically, when the cardholder is on my payment site, I will fetch the
company logo and various other certain elements from the merchant site.
If the merchant site does not have SSL himself, these items will be
fetched using normal http (and not https) requests. In Internet
Explorer, if you are visiting a site using https that refers to img src
links or similar from a non-ssl site (through normal http) the user will
get annoying dialog boxes warning him about this.
To avoid this situation, I allow merchants to "proxy" the non-SSL stuff
through my site, where they actually refer to an local url with a
parameter to where the item can be retrieved from the non-SSL site. My
script will retrieve the page from the http link and return it through a
local https link, which makes the Internet Explorer warnings go away.
The way I am currently doing this is as follows:
I have a handler module which is activated through the following in
httpd.conf:
<Location /proxy>
SetHandler perl-script
PerlHandler Proxy
</Location>
The Proxy.pm module looks as follows:
package Proxy;
use strict;
use warnings;
use Apache::Constants qw (REDIRECT OK);
use LWP::UserAgent;
sub handler {
my $r = shift;
my $ua = new LWP::UserAgent;
$ua->timeout (30);
my $uri = $ENV{REQUEST_URI};
$uri =~ /proxy\?url=(.*)$/;
$uri = $1;
my $request = new HTTP::Request (GET => $uri);
my $response = $ua->request ($request);
if ($response->is_success) {
$r->content_type ($response->headers->header ('Content-type'));
$r->send_http_header;
print $response->content;
} else {
print $response->error_as_HTML;
}
return OK;
}
1;
In short, it takes a request such as
https://my.secure.site/proxy?url=http://from.unsecure.site/someimg.gif
and retrieves the data from the unsecure site and return it through the
secure site at my end.
This works _mostly_ ok, but on what seems like random occations the
httpd process will die (segmentation fault). I can not be sure that the
proxy module is to blame, but I log process id the access log as well
and it seems the last request to be served always seem to be such a
proxy request (my server servers other stuff as well).
Any ideas on why this is so?
Any other ways of accomplishing the same without the added overhead of
my perl module?
Thanks in advance,
Marius Kjeldahl
