Changes between Version 6 and Version 7 of PermRedirectPlugin


Timestamp: Nov 20, 2012 3:59:54 PM (21 months ago)
Author: ejucovy
Comment: note about apache NE

  • PermRedirectPlugin

    v6 v7  
    1212These features are independent of one another -- you can install the plugin to provide either feature, or both. 
    1313 
    14 == Bugs/Feature Requests ==  
    15  
    16 Existing bugs and feature requests for PermRedirectPlugin are  
    17 [report:9?COMPONENT=PermRedirectPlugin here]. 
    18  
    19 If you have any issues, create a  
    20 [http://trac-hacks.org/newticket?component=PermRedirectPlugin&owner=ejucovy new ticket]. 
    21  
    22 == Download == 
    23  
    24 Download the zipped source from [download:permredirectplugin here]. 
    25  
    26 == Source == 
    27  
    28 You can check out PermRedirectPlugin from [http://trac-hacks.org/svn/permredirectplugin here] using Subversion, or [source:permredirectplugin browse the source] with Trac. 
    29  
    30 == Example == 
     14== Usage == 
    3115 
    3216To enable: 
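Review bot: Renaming the heading at v6 line 30 from `== Example ==` to `== Usage ==` (v7 line 14) changes the anchor Trac generates for that section, so any existing links to `#Example` on this page will stop resolving. If inbound links matter, keep the old anchor with an explicit id on the new heading, e.g. `== Usage == #Example`.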
     
    5438}}} 
    5539 
     40== HTTPS Only == 
     41 
     42The plugin provides a feature to ensure that all requests to the login page occur over HTTPS, which can be enabled per the "usage" section above.  This will intercept all requests to http://hostname.com/login and redirect them to https://hostname.com/login instead.  In order for this feature to work, you must configure your web server to accept HTTPS requests on port 443.  This feature will only work if your web server is serving HTTP requests on port 80 and HTTPS requests on port 443; no other configurations are currently supported.  Also, '''this feature should only be enabled if you are using AccountManager to handle login.'''  If your site's login occurs in the web server (e.g. Apache authentication) then this feature will not be able to secure your login handler. 
     43 
     44It is also possible to implement a similar feature without this plugin at all, using RewriteRules in your Apache configuration.  This alternative approach must be used if you are handling login through the Apache web server.  Your Apache configuration would include lines like: 
     45{{{ 
     46# Redirect all login pages to https 
     47RewriteCond %{HTTPS} off 
     48RewriteRule ^/([^/]+)/login$ https://%{HTTP_HOST}:443/$1/login [L, NE] 
     49}}} 
     50 
     51For more details, see the various example configurations posted in comments at http://trac.edgewall.org/ticket/4733 
     52 
     53== Frequently Asked Questions == 
     54 
     55 * After logging in, Trac always loads the home page, instead of the page the user came from.  On the login page, the `?referer` query string is double-quoted (double-encoded), and looks like `?referer=http%253A%252F%252Fthe_host%252Fthe_project%252Ftimeline` (with the "%" in "%3A" re-quoted to create "%253A") instead of `?http%3A%2F%2Fthe_host%2Fthe_project%252Ftimeline`. 
     56 
     57This is caused by a faulty Apache configuration.  You are probably using a `RewriteRule` to redirect login over HTTPS.  You must use the `[NE]` (no-escape) flag on your `RewriteRule` to prevent double-quoting.  For more information, see http://trac-hacks.org/ticket/2210#comment:36 
     58 
     59== Bugs/Feature Requests ==  
     60 
     61Existing bugs and feature requests for PermRedirectPlugin are  
     62[report:9?COMPONENT=PermRedirectPlugin here]. 
     63 
     64If you have any issues, create a  
     65[http://trac-hacks.org/newticket?component=PermRedirectPlugin&owner=ejucovy new ticket]. 
     66 
     67== Download == 
     68 
     69Download the zipped source from [download:permredirectplugin here]. 
     70 
     71== Source == 
     72 
     73You can check out PermRedirectPlugin from [http://trac-hacks.org/svn/permredirectplugin here] using Subversion, or [source:permredirectplugin browse the source] with Trac. 
     74 
    5675== Recent Changes == 
    5776
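Review bot: The flag list on the added RewriteRule (v7 line 48) is written `[L, NE]` with a space after the comma; Apache splits directive arguments on whitespace, so the flags arrive as two separate arguments and the rule is rejected when the configuration is loaded. Write it as `[L,NE]`, which is also what the FAQ entry added below it relies on. In the same rule, `https://%{HTTP_HOST}:443/$1/login` appends a port to the client-supplied Host header, which produces a malformed redirect target whenever that header already carries a port (for example `hostname.com:80`); dropping the `:443` or using the configured server name avoids that. In the FAQ entry (v7 line 55), the "instead of" example omits `referer=` and still contains `%252F` before `timeline`, so the correctly encoded form is never actually shown; it should read `?referer=http%3A%2F%2Fthe_host%2Fthe_project%2Ftimeline`.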