Hi guys, I'm having real trouble figuring out how to do this.

I've got a wiki running ikiwiki and I'd like to get the log-in/editing
portion out of clear text. the obvious thing seems to be to use SSL,
but I don't want to ssl the whole site, just the part accessed through
the cgi scripts that take logins and edit stuff. Can someone give me
some pointers?

I've tried using mod_rewrite to point all cgi-bin/ URIs to
https://blah/cgi-bin/ but that only partially works as the complete
urls generated within that don't work properly. Maybe i'm missing
something there.

I cannot just put ssl directives into a <Directory> stanza as that
fails right out.

thanks

A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGt3/LaIeIEqwil4YRAj21AKCQPbfMPZV4bHw8kua+ILuBnUMQsQCgk Y+f
TOOCZIs4EaGxDUYhPv7yj20=
=UQXJ
-----END PGP SIGNATURE-----

On Mon, Aug 06, 2007 at 01:08:43PM -0700, Andrew Sackville-West wrote:
> Hi guys, I'm having real trouble figuring out how to do this.
>
> I've got a wiki running ikiwiki and I'd like to get the log-in/editing
> portion out of clear text. the obvious thing seems to be to use SSL,
> but I don't want to ssl the whole site, just the part accessed through
> the cgi scripts that take logins and edit stuff. Can someone give me
> some pointers?

I've also used, with success, mod_auth_digest, which I believe gets me
secure access to the cgi-bin/ but does not actually log me in to
ikiwiki so that changelogs only show an ip address, not a user. bleh.

somewhere there is some magic incantation to get me secured when
accessing the cgi scripts and open otherwise.

A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGt4wraIeIEqwil4YRAvclAJ9b4UxzVVh1lebytKHaNO vHgTnnkwCgxu/S
MvwFzldQMcny28RHIuElNGw=
=lxoV
-----END PGP SIGNATURE-----

Andrew Sackville-West wrote:
> On Mon, Aug 06, 2007 at 01:08:43PM -0700, Andrew Sackville-West wrote:
>
>> Hi guys, I'm having real trouble figuring out how to do this.
>>
>> I've got a wiki running ikiwiki and I'd like to get the log-in/editing
>> portion out of clear text. the obvious thing seems to be to use SSL,
>> but I don't want to ssl the whole site, just the part accessed through
>> the cgi scripts that take logins and edit stuff. Can someone give me
>> some pointers?
>>
>
> I've also used, with success, mod_auth_digest, which I believe gets me
> secure access to the cgi-bin/ but does not actually log me in to
> ikiwiki so that changelogs only show an ip address, not a user. bleh.
>
> somewhere there is some magic incantation to get me secured when
> accessing the cgi scripts and open otherwise.
>
> A
>

There is a pretty good newbie walk through at the ubuntu forum:
http://ubuntuforums.org/showthread.php?t=4466

Sam

On Mon, Aug 06, 2007 at 04:12:48PM -0500, Sam Leon wrote:
>
>
> Andrew Sackville-West wrote:
>> On Mon, Aug 06, 2007 at 01:08:43PM -0700, Andrew Sackville-West wrote:
>>
>>> Hi guys, I'm having real trouble figuring out how to do this.
>>> I've got a wiki running ikiwiki and I'd like to get the log-in/editing
>>> portion out of clear text. the obvious thing seems to be to use SSL,
>>> but I don't want to ssl the whole site, just the part accessed through
>>> the cgi scripts that take logins and edit stuff. Can someone give me
>>> some pointers?
>>
>> I've also used, with success, mod_auth_digest, which I believe gets me
>> secure access to the cgi-bin/ but does not actually log me in to
>> ikiwiki so that changelogs only show an ip address, not a user. bleh.
>>
>> somewhere there is some magic incantation to get me secured when
>> accessing the cgi scripts and open otherwise.
>>
>> A
>>
>
> There is a pretty good newbie walk through at the ubuntu forum:
> http://ubuntuforums.org/showthread.php?t=4466

<shudder> wading through those can be tough, but it got me some useful
information. mostly that my rewrite looks to be proper, and in fact it
does work to a point.

Once i navigate to the cgi script, it redirects to
https://site.org/ikiwiki.cgi...., and presents me with the login
screen, but after entering correct information and clicking "login" it
returns an error page 'Error: "do" parameter missing' so something is
lost in the translation there...

more research...

A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGt6FSaIeIEqwil4YRAqSZAJ46Kn1zIcKy5hdwdTmCmY wZZe1+xgCgytpl
//xdUIazR/T+7h1PX9zW0Ig=
=IkPj
-----END PGP SIGNATURE-----

On Mon, Aug 06, 2007 at 03:31:47PM -0700, Andrew Sackville-West wrote:
> On Mon, Aug 06, 2007 at 04:12:48PM -0500, Sam Leon wrote:
> >
> >
> > Andrew Sackville-West wrote:
> >> On Mon, Aug 06, 2007 at 01:08:43PM -0700, Andrew Sackville-West wrote:
> >>
> >>> Hi guys, I'm having real trouble figuring out how to do this.
> >>> I've got a wiki running ikiwiki and I'd like to get the log-in/editing
> >>> portion out of clear text. the obvious thing seems to be to use SSL,
> >>> but I don't want to ssl the whole site, just the part accessed through
> >>> the cgi scripts that take logins and edit stuff. Can someone give me
> >>> some pointers?
> >
> > There is a pretty good newbie walk through at the ubuntu forum:
> > http://ubuntuforums.org/showthread.php?t=4466
>
> <shudder> wading through those can be tough, but it got me some useful
> information. mostly that my rewrite looks to be proper, and in fact it
> does work to a point.
>
> Once i navigate to the cgi script, it redirects to
> https://site.org/ikiwiki.cgi...., and presents me with the login
> screen, but after entering correct information and clicking "login" it
> returns an error page 'Error: "do" parameter missing' so something is
> lost in the translation there...
>

problem restated: ikiwiki includes a login system, but that puts
passwords in clear text. This is a problem when on public networks,
especially wireless.

solution: don't mess with mod-rewrite or anything like that. create
two stanzas in your httpd.conf by whatever method you use. 1) stanza

<VirtualHost *:80>...

and one

<VirtualHost *:443>...

set up the cgi stuff in the second stanza.

then reconfigure the ikiwiki.setup file:

url => "http://example.com/path/to/wiki"
cgiurl => "https://example.com/path/to/wiki/ikiwiki.cgi"

reubild the wiki and you're done.

that looks to me to be the best way to use SSL with ikiwiki.

A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGt6OvaIeIEqwil4YRAtmPAJ9dQDWNdXJbA3P/5oBCQUMk5BczRwCeLafX
iyC56atRY+U4RaTraGUSQ20=
=/DtR
-----END PGP SIGNATURE-----

On Mon, Aug 06, 2007 at 03:41:52PM -0700, Andrew Sackville-West wrote:

> that looks to me to be the best way to use SSL with ikiwiki.

The debian AND upstream maintainer is Joey Hess. I think he might be
interested in documenting your solution.

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGt/D/qJyztHCFm9kRAi8GAJoDZAZ9u+NDpLwoQ0+lthY6/lgPzQCeO6T6
P9HQOo5swEh1dndmZadfOr8=
=NKv2
-----END PGP SIGNATURE-----

On Tue, Aug 07, 2007 at 07:11:43AM +0300, Andrei Popescu wrote:
> On Mon, Aug 06, 2007 at 03:41:52PM -0700, Andrew Sackville-West wrote:
>
> > that looks to me to be the best way to use SSL with ikiwiki.
>
> The debian AND upstream maintainer is Joey Hess. I think he might be
> interested in documenting your solution.


yeah. I get the feeling that its one of those things one is "supposed"
to know... But I'll pass it on anyway. It was not a simple thing to
figure out, though it was simple to do once figured.

A



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGuC+raIeIEqwil4YRAs0bAJ40dYOiY+O/NlHq859+D04ava/tnACgrW0t
FiyPlC3DEgEdpOq6jB4E0ug=
=boN8
-----END PGP SIGNATURE-----