[mythtv-users] MythWeb over HTTPS using mod_rewrite

Ronald Frazier ron at ronfrazier.net
Sat May 26 17:09:55 UTC 2012 

On Fri, May 25, 2012 at 5:01 PM, Joe Nyland <joe at joenyland.co.uk> wrote:
>> On my system, HTTPS works fine with mythweb. I never get any warnings that
>> an HTTPS page is loading resources from HTTP, and looking at the firebug Net
>> tab, all of the request being sent remain HTTPS. I'm thinking your problem
>> may be something else.
>
> Are you using mod_rewrite to force HTTPS, or is MythWeb actually running on
> HTTPS?

No, I'm not using mod_rewrite, but I think that's really irrelevant.
mod_rewrite can't "force" HTTPS. HTTPS is an end to end encryption,
which means it can't just be switched into HTTPS mode. You have to
start the request all over, with the client initiating the HTTPS
session. So all mod_rewrite can really do is tell the browser "hey,
start again, but use HTTPS this time". From then on, it should behave
exactly the same as if HTTPS was explicitly requested.

I really suspect there's something else at play here, and that the
mod_rewrite has nothing to do with your problem. What happens if you
disable all of your mod_rewrite settings and then just make sure you
type https:// in your browser? Does that work right? If not, then
something else is configured incorrectly. Perhaps your proxy isn't
properly handling the https stuff. Not sure how to figure that out...I
understand the basic concepts of proxy/reverse proxy, but I have zero
experience actually working with one.


>> Does your proxy work propery with form.
>
> As far as I know, yes. I don't have any issues with forms in any of the
> other sites I run through reverse_proxy.
>
>> Looking at it now, I see that the Listing's time box uses a POST rather
>> than a GET. If you go to the Upcoming Recordings page, does the boxes at the
>> top (for filtering what recordings to display) work properly?
>
> Unfortunately not - I see the same behaviour, no matter what I use to change
> the time frame that I'm viewing on the listings page.

Well, those both use POST requests, so perhaps those aren't being
handled properly. Either that, or I noticed that the time field you
originally noticed the problem with is submitted via ajax (using
XMLHttpRequest), so perhaps those requests aren't working right. I
know from experience ajax can be problematic with things like
cross-site-scripting (XSS), and maybe because of the proxying, it
might be possible that those requests appear to be XSS to the browser
(not sure, just a wild guess). I believe that when you are on the
listings page and you hover the mouse over a show to see the details
tooltip, I think those are done via ajax, too. Do those tooltips work
properly?


-- 
Ron Frazier

More information about the mythtv-users mailing list