I've got a server with Varnish in front of Apache in front of Drupal.

What I'd like to do is redirect my login form to https (easy enough), then redirect all logged-in (authenticated) users to https all the time, while having anonymous visitors redirected to http all the time (for performance reasons).

I don't want authenticated users to have a mixed-mode experience if they click on an absolute link to http://mysite.com/some/page -> so that's the reason for always redirecting authenticated users to https if protocol is not https.

Is it possible to do something like this using some combination of Varnish + Apache configuration? Or is the only solution here to go https all the time for all visitors (which is an unnecessary performance hit for all those anonymous visitors)?

For point of reference, I'm using a Varnish vcl based on this default Drupal-sensitive example provided by Four Kitchens: https://fourkitchens.atlassian.net/wiki/display/TECH/Configure+Varnish+3+for+Drupal+7

Jordan Magnuson
  • Don't do this. Send _everyone_ to https. There should be no significant performance difference unless you're using truly _ancient_ hardware. – Michael Hampton Mar 29 '14 at 21:28
  • @MichaelHampton http://stackoverflow.com/questions/149274/http-vs-https-performance seems to indicate that the performance difference may not be negligible... All things being equal, my thought is that there's no reason to send anonymous traffic to https... encrypting that anonymous data transfer will always be a waste... but the work-arounds necessary to implement what I'm after may not be worth the performance difference... benchmarking is obviously indicated... – Jordan Magnuson Mar 31 '14 at 22:37
  • @MichaelHampton Of course I do appreciate the recommendation. When you say "don't do this," though, could you provide some specific support for why not? – Jordan Magnuson Mar 31 '14 at 22:39
  • That SO post is very outdated. Some of the more recent comments on the answers do update it a bit. As for my explanation, someone already beat me to it. – Michael Hampton Mar 31 '14 at 22:40

1 Answer

What you are trying to do is very difficult to get right. If you make a mistake in when you use http and when you use https, you could open up numerous security problems.

My recommendation would be to configure one http vserver in Apache, which redirects to the same https URL and does nothing else. It doesn't even have to figure out if the URL exists or not; it just redirects all the time. Then have another https vserver, which has the real content of the site.

Remember to mark all cookies as secure, such that you don't leak cookies on http connections.

If you do insist on responding over http for users who are not logged in, then you are going to need one insecure cookie, which tells if the user is logged in or not. Don't put any data into this cookie, just store if the user is logged in or not. You could use 0 or 1 as the stored value. Or you could use a constant value, in which case existence of the cookie means the user is logged in, and absence means the user is not logged in.

On the http side you then redirect to https if either of these two criteria is satisfied: there is a cookie indicating the user is logged in, or the request URI requires login. When the https request is received, you will have to do additional checks to validate that the user is really logged in. For this purpose you use a secure cookie, which cannot be guessed by an outsider. If the user is found not to be logged in, you redirect back to http if the URL does not require login, and at this stage you instruct the browser to delete the insecure cookie, which incorrectly indicated the user was logged in.

It is highly important that you ensure those redirects are not cached. You absolutely do not want a browser to cache both redirects from the http version of a URL to the https version and vice-versa.

kasperd
  • Hm... it seems, then, that it may well be worth sending everyone to https all the time to avoid the complexities of this solution. My thought was simply that, all things being equal, there is never any reason to send anonymous traffic to https... just seems like a waste (and involves its own complications in terms of maximizing performance). Will run some benchmarks next thing... – Jordan Magnuson Mar 31 '14 at 22:41
  • A mitm attack against anonymous http traffic could modify the content being served to your users. Even for anonymous traffic the use of https may be worthwhile for the added data integrity. – kasperd Mar 31 '14 at 23:29
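
The redirect decisions the answer describes for the mixed http/https setup, modelled as an added example that is not part of the original answer or of any Drupal, Apache or Varnish code. The cookie names, the protected paths, the login path and the session store are assumptions chosen for illustration.

```python
# Added example: names, paths and cookie names below are assumptions.
HOST = "mysite.com"                      # host used in the question
LOGIN_PATH = "/user/login"               # assumed login form path
FLAG_COOKIE = "logged_in"                # assumed name; insecure hint, carries no data
SESSION_COOKIE = "sid"                   # assumed name; Secure flag, unguessable value
PROTECTED = ("/admin", "/node/add")      # assumed URIs that require login

def requires_login(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)

def redirect(scheme, path, extra=None):
    # Every redirect is marked as not cacheable, in both directions.
    headers = {"Location": f"{scheme}://{HOST}{path}", "Cache-Control": "no-store"}
    headers.update(extra or {})
    return 302, headers

def handle_http(path, cookies):
    """Plain http side: the flag only selects a redirect, it grants nothing."""
    if FLAG_COOKIE in cookies or path == LOGIN_PATH or requires_login(path):
        return redirect("https", path)
    return 200, {}   # anonymous page, served over http

def handle_https(path, cookies, sessions):
    """https side: only the Secure session cookie proves a login."""
    if cookies.get(SESSION_COOKIE) in sessions or path == LOGIN_PATH:
        return 200, {}
    if requires_login(path):
        return redirect("https", LOGIN_PATH)
    # Flag was stale or forged: back to http, and delete the flag cookie.
    return redirect("http", path, {"Set-Cookie": f"{FLAG_COOKIE}=; Path=/; Max-Age=0"})

if __name__ == "__main__":
    live = {"k3Vq-constructed-session-id"}   # constructed server-side session store
    print(handle_http("/some/page", {}))
    print(handle_http("/some/page", {FLAG_COOKIE: "1"}))
    print(handle_https("/some/page", {FLAG_COOKIE: "1"}, live))
```
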