LinuxQuestions.org

baboow 12-14-2007 08:59 AM

redirecting https web page to http internal website
 
I have a website that has a login form for employees. This is https. Once they log in, a button appears that they click, and it redirects them to the intranet website. This all works when using http.

I've tried to redirect the button link to port 80, but that did not work. I get server not found.

I am hoping some of you knowledgeable people could point me in the right direction. Net searches turn up http to https, but nothing going from https to http.

Thanks for any help.

dkm999 12-15-2007 07:18 PM

When you change protocol, you will need to specify explicitly in your link target that you want the client redirected to http://your.internal.site/somepage.html. Trying to do this via a link of the form your.internal.site/somepage.html:80 will result in the user's browser trying to speak HTTPS over port 80, which is almost certainly not what you want.

As a secondary consideration, I hope you have some (relatively) secure way of passing along the fact that the user has actually signed in successfully; otherwise a user could just point his browser explicitly to the internal website, and connect without ever visiting your login site. Such a mechanism would have to pass along some sort of token that would be accepted by the internal web server as evidence of the login, but which was (extremely) hard for a user to forge.

The only scheme that comes to mind for this is a database on the login server that will verify on each web access request that user foo, represented by encrypted token bar and originating at IP address x.x.x.x, is a legitimate user. The encrypted login token can be passed back and forth between the client's browser and the internal server (and between that server and the login server), provided the encryption covers not only the password, but also the IP of the request and maybe the time of login. This login token can be created by the login server, and passed back to the browser, as well as being stored in the login server's database. That way, an eavesdropper would have a pretty hard time of it even if he obtained the encrypted token, since he would have to break the encryption, substitute his own IP, and re-encrypt before some reasonable timeout (say 15 minutes) had elapsed. Every time the login server is asked to validate a login token, then it should reset the timeout. If it ever receives an invalid token, it should invalidate any saved login data for the IP address from which it originated. You get the idea.
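
The token scheme described in the post above, sketched as an added example that is not part of the original thread. It swaps the post's encryption for an HMAC-SHA256 signature (the stated requirement is that the token be hard to forge); `LoginServer`, its method names and the token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

IDLE_TIMEOUT = 15 * 60  # seconds; the "say 15 minutes" from the post

class LoginServer:
    """Hypothetical login server: issues and validates IP-bound tokens."""
    def __init__(self, key=None):
        self._key = key or os.urandom(32)  # secret known only to the login server
        self._sessions = {}                # token -> [user, ip, last_seen]

    def _mac(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()

    def issue(self, user, ip, now=None):
        """Call after a successful HTTPS login; returns the token for the browser."""
        now = time.time() if now is None else now
        payload = f"{user}|{ip}|{int(now)}|{os.urandom(16).hex()}".encode()
        token = base64.urlsafe_b64encode(payload).decode() + "." + self._mac(payload).decode()
        self._sessions[token] = [user, ip, now]
        return token

    def validate(self, token, ip, now=None):
        """Called by the internal web server on every request; returns user or None."""
        now = time.time() if now is None else now
        user = self._check(token, ip, now)
        if user is None:
            # Invalid token: drop all saved login data for the originating IP.
            for t in [t for t, s in self._sessions.items() if s[1] == ip]:
                del self._sessions[t]
        return user

    def _check(self, token, ip, now):
        try:
            b64, mac = token.split(".")
            payload = base64.urlsafe_b64decode(b64.encode())
            tok_user, tok_ip, _login_time, _nonce = payload.decode().split("|")
        except (ValueError, AttributeError):
            return None                    # malformed token
        if not hmac.compare_digest(mac.encode(), self._mac(payload)):
            return None                    # forged or tampered
        session = self._sessions.get(token)
        if tok_ip != ip or session is None or now - session[2] > IDLE_TIMEOUT:
            return None                    # wrong IP, unknown token, or timed out
        session[2] = now                   # sliding timeout: reset on each valid check
        return tok_user
```

The internal site is plain HTTP, so the token crosses that hop in the clear; the IP binding and idle timeout limit what a captured token is worth but do not stop replay from the same address.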

baboow 12-17-2007 08:27 AM

dkm999: thanks for the reply. Sorry it took so long to acknowledge your post. I forgot my password :(.

Yes, I am aware of how to do a redirect but it is still not working. I am in the process of building a dmz and this will fix issues.


Thank you again for taking the time to reply and having some substance to your reply. It is greatly appreciated.


All times are GMT -5.