On 28.12.2012 01:27, Robert Moskowitz wrote:
> My little bit of testing gives the user a bad experience if they use
> http://fqdn/webmail. The ajax error is so cryptic. I suppose with some
> digging I can find a way to get it to say, "use https:// like you were
> instructed!" instead. Until I do, I tend toward a forced redirect to https.
force redirect
> As for security issues for my site? What, yet another DOS attack with TLS
> costs to any robo that hits on my
> webmail url?
if you are CPU bound because of TLS and a robot you have
other problems like too slow hardware; these days and
with Intel AES-NI it costs zero
> My expertise is in designing security protocols, not impact of force using
> them. ;)
>
>> it does not if it is done right
>>
>> <Directory "roundcube-dir">
>> php_admin_flag session.cookie_secure "1"
>> </Directory>
>>
>> this makes sure that a client will NEVER send the
>> session cookie unencrypted; if you get an external security
>> audit and do not use this setting for https sites you
>> will get warned by the auditor, and if not he did not do
>> his job!
>
> Perhaps I am implementing this wrong on my server. My roundcubemail.conf has
>
> <Directory /usr/share/roundcubemail/>
> Order Deny,Allow
> Allow from all
> </Directory>
>
> Am I suppose to put your <Directory "roundcube-dir"> ...
> after this entry or the php_admin_flag in the one I have?
jesus christ, put it in your <Directory /usr/share/roundcubemail/>
don't get me wrong but it should be pretty clear for anybody
that <Directory "roundcube-dir"> is an example for mod_php basics
> What do you use for force_https and use_https?
some lines of code in any php file like a configuration include
which is always loaded; make sure it is included BEFORE any
output starts because http headers can not be sent after
output of the http body has started
<?php
// redirect any plain-http request to the https URL; skip the CLI SAPI, where no request exists
// some servers (IIS) set HTTPS to "off" instead of leaving it unset, so check both
if (PHP_SAPI != 'cli' && (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off'))
{
    header($_SERVER['SERVER_PROTOCOL'] . ' 301 Moved Permanently', true, 301);
    header('Location: https://yourhostname/your-install-dir/', true, 301);
    exit; // stop before any body output is produced
}
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
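The setup the reply describes, written out as an added Apache 2.2-style vhost pair (example config, not from the thread or the Roundcube project): port 80 only answers with a 301 to https, and the session-cookie flag goes into the <Directory> block that already exists for the install path. The hostname mail.example.com, the /webmail alias and the certificate paths are assumed placeholders.

```apache
# Added example: force https for Roundcube and pin the session cookie to TLS.
# Hostname, alias and certificate paths are placeholders.

<VirtualHost *:80>
    ServerName mail.example.com
    # Every plain-http request gets a 301 to the https URL, so the AJAX
    # client never exchanges anything (cookie included) over port 80.
    Redirect permanent / https://mail.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.example.com.key

    # Returning browsers skip the http port entirely (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    Alias /webmail /usr/share/roundcubemail

    # This is the block from roundcubemail.conf; the php flags belong
    # here, not in a second <Directory> for the same path.
    <Directory /usr/share/roundcubemail/>
        Order Deny,Allow
        Allow from all
        # php_admin_flag cannot be overridden by .htaccess or ini_set()
        php_admin_flag session.cookie_secure   1
        # added alongside: keeps the cookie out of reach of page scripts
        php_admin_flag session.cookie_httponly 1
    </Directory>
</VirtualHost>
```

On Apache 2.4 replace the Order/Allow pair with `Require all granted`; check the result by fetching http://mail.example.com/webmail and confirming the 301, then confirming the Set-Cookie header on the https side carries the Secure attribute.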
