Brad Fitzpatrick (bradfitz) wrote in lj_dev,
Brad Fitzpatrick
bradfitz
lj_dev

SSL, challenge/response -- questions?

I just announced in news our new SSL and challenge/response code:

http://www.livejournal.com/users/news/75379.html

But it was necessarily dumbed down a bit. Some more details:

-- challenge/response was done both to limit SSL load and also so we can do it everywhere eventually (including on comment post pages from journals)

-- the protocol handlers will support challenge/response and Digest auth soon

-- avva is finishing up Digest auth, and we'll probably support it globally on any URL, by adding ?auth=digest, which will override $remote (LJ::get_remote())

Um, I'm forgetting a lot. Any questions?

Update: I remembered what I was going to post after scsi from DeadJournal.com reminded me. How to setup SSL!

$LJ::USE_SSL = 1; # you want the site to promote/use SSL
$LJ::SSLROOT = "https://www.foojournal.com"; # url prefix for secure area
$LJ::SSLDOCS = "/home/foojournal/ssldocs"; # system path to "ssldocs" (like htdocs)


Now, you either do SSL from say mod_perl:

Listen 10.0.0.80:443
<VirtualHost 10.0.0.80:443>
SSLEngine on
SSLCertificateFile /etc/apache/server.crt
SSLCertificateKeyFile /etc/apache/server.key
SSLVerifyClient 0
SSLVerifyDepth 10

ServerName www.lj.com
PerlSetEnv LJHOME /home/lj
PerlRequire /home/lj/cgi-bin/modperl-ssl.pl
</VirtualHost>

Or, what we do, is you have an SSL proxy out in front (BIG-IP, mod_ssl+mod_proxy, Pound, whatever) that does SSL to clients, but speaks plain HTTP to the backend.

But then how does the backend know it's supposed to do the HTTP-thing?

Define a hook, like we do in cgi-bin/ljcom.pl:

LJ::register_hook("ssl_check", sub {
my $r = $_[0]{r};
return
$r->header_in("X-LJ-SSL") ||
($LJ::IS_DEV_SERVER && $r->header_in("Host") eq "secure.$LJ::DOMAIN");
});

It gets a hashref with key 'r' (for the mod_perl $r) and returns a boolean. We look for the X-LJ-SSL header, or a "secure.foo.com" domain name. (for testing)

Now, in cgi-bin/Apache/LiveJournal.pm, the code look to see if that hook returns true, and sets: $LJ::IS_SSL to 1 or 0. So the rest of the code on the site can look at $LJ::IS_SSL.

Er, actually, if you don't do an SSL proxy, you'll need to make your hook above look at something besides the header, like check to see if mod_perl is using SSL directly (but I forget the code for that). Somebody get me a patch and I'll make that part of the core, not requiring a hook.

Anyway, in addition to $LJ::IS_SSL, LiveJournal.pm also fixes up $LJ::IMGPREFIX and $LJ::STATPREFIX to be relative URLs, so all images/javascript also come from SSL and don't invoke browser warnings.

Have fun!
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 11 comments