On 03/16/2017 09:21 AM, "Christian Mack" (christian.m...@uni-konstanz.de) wrote:
>> SOGo switches to plain http after login.
> No, it does not, if you configured your apache correctly :-)
Well, let's say that it does as it is distributed, and the reason for
that is *really* not obvious.
The SOGo.conf file provided by the vendor includes two lines:
RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e" env=HTTP_HOST
The problem is that HTTP_HOST isn't normally set unless you're using
mod_rewrite for the request. Users probably expect this to work by
default, but it doesn't. You can fix that by setting the variable:
SetEnvIf Host (.*) HTTP_HOST=$1
RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e" env=HTTP_HOST
But really, this *should* be secure by default, and it isn't. I'd think
this should be reported as a bug, and if that's rejected, then refiled
as a request for enhancement. The default behavior is not good.
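Added example (not part of the original message, and not SOGo or Apache project code): a small lint check for the failure mode described above, where a `RequestHeader ... env=HTTP_HOST` directive is silently skipped because nothing sets `HTTP_HOST`. The function names are hypothetical, and the rule that only `SetEnvIf`/`SetEnvIfNoCase` or a mod_rewrite `[E=VAR:...]` flag counts as setting the variable is an assumption taken from the message.

```python
import re

# Assumption: only SetEnvIf/SetEnvIfNoCase and mod_rewrite [E=VAR:...] flags
# are treated as defining a variable for an env=VAR condition.
SETENVIF = re.compile(r'^SetEnvIf(?:NoCase)?\s+\S+\s+\S+\s+(.+)$', re.I)
REWRITE_FLAG = re.compile(r'\bE=(!?)([A-Za-z_]\w*)')
HEADER_COND = re.compile(r'^(?:Request)?Header\s.*\senv=(!?)([A-Za-z_]\w*)$', re.I)

# The two vendor directives quoted in the message, then with the SetEnvIf fix.
VENDOR = '''\
RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e" env=HTTP_HOST
'''
FIXED = "SetEnvIf Host (.*) HTTP_HOST=$1\n" + VENDOR


def logical_lines(text):
    """Yield (line_number, directive): continuations joined, comments dropped."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        buf += raw.rstrip()
        if buf.endswith("\\"):          # Apache joins lines ending in a backslash
            buf = buf[:-1] + " "
            continue
        line, buf = buf.strip(), ""
        if line and not line.startswith("#"):
            yield start, line


def skipped_header_directives(conf_text):
    """Return (line, variable, directive) for header directives whose env=VAR is never set."""
    lines = list(logical_lines(conf_text))
    defined = set()
    for _, line in lines:
        m = SETENVIF.match(line)
        if m:  # SetEnvIf attr regex VAR[=value] [!VAR] ...
            defined.update(t.split("=", 1)[0] for t in m.group(1).split() if t[0] != "!")
        elif line.lower().startswith("rewriterule"):
            defined.update(n for neg, n in REWRITE_FLAG.findall(line) if not neg)
    return [(no, m.group(2), line) for no, line in lines
            for m in [HEADER_COND.match(line)]
            if m and not m.group(1) and m.group(2) not in defined]


if __name__ == "__main__":
    for label, conf in (("vendor", VENDOR), ("fixed", FIXED)):
        print(label, skipped_header_directives(conf))
```

The check only reads the text it is given, so a variable set in another included file will still be reported; run it over the concatenated configuration if the setter lives elsewhere.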