htdig: Work-around to https problems....


Juha Ylitalo (jylitalo@gamgee.ntc.nokia.com)
Mon, 6 Jul 1998 09:13:36 +0300 (EETDST)


-----BEGIN PGP SIGNED MESSAGE-----

I am not sure how much interest there is in this, but here is one way to
get around https problems and make a minor security improvement to ht://Dig.
This plan is built on the idea that you are indexing a local site, you handle
all http -> https transfers with redirects (and there are a lot of good
reasons why that is the only good way to do it...) and you are running your
www server on 3 ports (80 for http, 443 for https and 9090 for ht://Dig).

We have built two simple wrappers for ht://Dig. One is a Perl script that
first creates the company confidential index database, running normally on port
80. After it has done its job, we create an artificial account (username:
htdig${PID} and password: ${atime from one file}${PID}) and start ht://Dig
so that it runs on port 9090 using that artificial account. This way it
doesn't have to do SSL (since redirects to SSL are placed only on port
80) and at the same time it doesn't compromise security, because the
username:password pair never leaves the host.

After this, we have to have some way to get rid of those references to port
9090. You might want to do it with a small cron job that does the cleaning
of the database, but I decided to bundle it with our second wrapper.

Our second wrapper is a Java servlet, whose only job is to guarantee that
users don't search the confidential database without authentication. In
normal ht://Dig, all that it would take for a normal user to use the
confidential database is to know its name. My Java servlet takes the http
request and passes all other arguments from the request as they are, except the config
parameter, whose value is taken from the servlet properties. When we get
results from htsearch, which we call from the servlet, we cut all ":9090" text
strings from the output.

This way, if one wishes to search the company confidential database, he uses
/servlet/publicsearch, and if he wishes to use the confidential database, he
uses /servlet/privsearch and authenticates himself as all good users do.

 --
Juha Ylitalo Juha.O.Ylitalo@ntc.nokia.com <work e-mail>
Hiomo 5/1/Maisema http://wwwinhel.ntc.nokia.com/~jylitalo <work www>
+358 9 511 23313 http://www.iki.fi/~jylitalo <public www>
      Both WWW locations have pgp.html file for public PGP keys.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNaBrFn0Uf7d7m5h1AQHENwP9Fx3xh+Nx6vqSboYyrEItElXPrV42Ztou
6yNHXLHO1XiwIKxEQHgz1/Sq1ZU35Gdfgy5zhNPqK6RU21wJlET0Or5kAemg2YqN
6dUv+k0BJ+/uHGD9RPcd6dtbMPfJcUZIybXwh28ohxOrH9SSO9h9bCnbLMqe+cQJ
juayx7yljGM=
=eYmy
-----END PGP SIGNATURE-----
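The two things the second wrapper does, forcing the server-side `config` value regardless of what the client sent and rewriting the port-9090 links in htsearch output, can be shown in a few lines. The block below is an added example written for this archive page; it is not the Java servlet from the post, not code from the ht://Dig project, and the values of PRIVATE_CONFIG, INDEX_PORT and HTSEARCH are assumptions, not figures taken from the mail. It goes slightly beyond the post in one respect: instead of cutting every literal ":9090" from the output, it only removes the port from the host:port position of a URL, so ordinary page text containing that string is left alone. The invocation of the htsearch CGI uses the standard CGI convention (REQUEST_METHOD and QUERY_STRING in the environment) and is not exercised offline.

```python
# Added example, not code from the original post or from ht://Dig itself.
# PRIVATE_CONFIG, INDEX_PORT and HTSEARCH are assumptions for illustration.
import os
import re
import subprocess
from urllib.parse import parse_qsl, urlencode

PRIVATE_CONFIG = "confidential"        # assumed: config name held in the wrapper's own settings
INDEX_PORT = 9090                      # port the indexing run crawled, as in the post
HTSEARCH = "/usr/local/bin/htsearch"   # assumed install path of the htsearch CGI


def build_htsearch_query(raw_query: str, forced_config: str = PRIVATE_CONFIG) -> str:
    """Return the QUERY_STRING handed to htsearch.

    Every client parameter passes through unchanged except 'config': whatever
    the client sent (in any letter case) is dropped and the server-side value
    is appended, so knowing a confidential database's name is no longer
    enough to search it.
    """
    params = [(k, v) for k, v in parse_qsl(raw_query, keep_blank_values=True)
              if k.lower() != "config"]
    params.append(("config", forced_config))
    return urlencode(params)


def strip_index_port(html: str, port: int = INDEX_PORT) -> str:
    """Remove ':<port>' from the host part of http/https URLs in htsearch output.

    Result links then point at the normal server, whose redirects move the
    user to https where required. Only the host:port position is touched,
    so a bare ':9090' elsewhere in page text survives.
    """
    pattern = re.compile(r"(https?://[^/\s\"'<>:]+):%d(?=[/\"'\s<>]|$)" % port)
    return pattern.sub(r"\1", html)


def run_htsearch(raw_query: str, htsearch_path: str = HTSEARCH) -> str:
    """Invoke the htsearch CGI as a web server would (GET via QUERY_STRING)
    and post-process its output. Requires a real htsearch binary, so this is
    not run in the offline check below."""
    env = dict(os.environ,
               REQUEST_METHOD="GET",
               QUERY_STRING=build_htsearch_query(raw_query))
    result = subprocess.run([htsearch_path], env=env, capture_output=True,
                            text=True, check=True)
    return strip_index_port(result.stdout)


if __name__ == "__main__":
    # Constructed sample: a client trying to pick the confidential database itself.
    q = "words=budget&method=and&config=secret_db&format=long"
    print(build_htsearch_query(q))
    # Constructed sample of htsearch output containing port-9090 links and
    # an unrelated ':9090' in running text.
    sample = ('<a href="http://www.example.com:9090/plans/2024.html">Plans</a> '
              'ext. 555:9090 <a href="https://www.example.com:9090/">Home</a>')
    print(strip_index_port(sample))
```

A front end built this way still needs the web server or servlet container to require authentication on the private search path before the request reaches it; the code only makes sure the authenticated path is the only one that can name the confidential database.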

----------------------------------------------------------------------
To unsubscribe from the htdig mailing list, send a message to
htdig-request@sdsu.edu containing the single word "unsubscribe" in
the body of the message.



This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:26:51 PST