SwitchToSSLMode

Note: The recipes here are for PmWiki versions 0.6 and 1.0 only. For PmWiki 2.0 recipes, see Cookbook.


Goal

Force PmWiki to use an HTTPS (SSL-encrypted HTTP) connection or, conversly, force the connection to use an unencrypted HTTP connection.

Solution

Fist, if you're impatient, here are lines to put in a local customization file that will cause PmWiki pages to be delivered over an SSL-encrypted connection:

  
   #  Force to SSL mode.
   $ScriptUrl = str_replace('http:','https:',$ScriptUrl,1);
   $PubDirUrl = str_replace('http:','https:',$PubDirUrl,1);
   if ($_SERVER['SERVER_PORT'] != 443) {
     if (!@$pagename) { header("Location: $ScriptUrl"); 
     } else { Redirect($pagename); }
   }

Now for the full explanation.

By default, PmWiki will happily deliver pages via SSL (HTTPS). This recipe explains how to force PmWiki to switch to HTTPS (or to HTTP). Switching to SSL mode is done in two steps:

  1. Set $ScriptUrl and $PubDirUrl to your secure path to PmWiki.
  2. If a http: URL is requested, redirect to the https: URL.

You can specify secure paths for $ScriptUrl and $PubDirUrl in the ordinary manner.

 
   #  $ScriptUrl is your preferred URL for accessing wiki pages
   #  $PubDirUrl is the URL for the pub directory.
   $ScriptUrl = 'https://your/secure/path/to/pmwiki.php';
   $PubDirUrl = 'https://your/secure/path/to/pub';

Another way to set a secure path for $ScriptUrl and $PubDirUrl is to include the following lines, which change http: URLs to https: URLs.

 
   #  Automatically adjust $ScriptUrl to use HTTPS.
   $ScriptUrl = str_replace('http:','https:',$ScriptUrl,1);
   $PubDirUrl = str_replace('http:','https:',$PubDirUrl,1);

Once $ScriptUrl and $PubDirUrl are configured for SSL, you can redirect incoming http: requests to the equivalent https: URL with these lines:

 
   #  Redirect http: request to https: using PmWiki's
   #  Redirect-to-page function.
   #  Force to SSL mode.
   if ($_SERVER['SERVER_PORT'] != 443) {
     if (!@$pagename) { header("Location: $ScriptUrl"); 
     } else { Redirect($pagename); }
   }

You can also force pages not to be served via SSL by essentially using the recipe in reverse:

  
   #  Force HTTP (non-SSL) mode.
   $ScriptUrl = str_replace('https:','http:',$ScriptUrl,1);
   $PubDirUrl = str_replace('https:','http:',$PubDirUrl,1);
   if ($_SERVER['SERVER_PORT'] != 80) {
     if (!@$pagename) { header("Location: $ScriptUrl"); 
     } else { Redirect($pagename); }
   }

Q & A

Q: How do I use SSL to avoid sending passwords in the clear.

A: This was discussed on the pmwiki-users mailing list ( <#> <#> <#> <#> <#> ). You can use HTTPS-only when editing pages or performing other actions where your password wold be sent in the clear.

 
   #  Switch to SSL mode when password wold be sent in the clear.
   if(   $action=='edit'
      || $action=='post'
      || $action=='postattr'
      || $action=='attr'
      || $action=='upload'
      || $action=='loginadmin' )
   {
      $ScriptUrl = 'https://your/secure/path/to/pmwiki.php';
      $PubDirUrl = 'https://your/secure/path/to/pub';

      if ($_SERVER['SERVER_PORT'] != 443)
      {
        //this will copy all GET request parameters, and fix the problem with empty filename on upload page
        $url = array();
        reset($_GET);
        while(list($name,$value) = each($_GET))
           if(!empty($value))
              $url[$name] = $name."=".urlencode($value);

         Redirect($pagename,'$PageUrl?'.implode("&",$url));
   }

Q: Why directly specify a secure path rather than using str_replace?

A: From a posting by Pm
Note that this is highly server dependent--for example, on my webhosting provider, the SSL version of http://www.pmichaud.com/wiki/PmWiki/PmWiki is [(approve links) edit diff] -- i.e., just changing 'http:' to 'https:' in URLs on my web hosting service isn't sufficient. For this reason I usually just set $ScriptUrl and $PubDirUrl explicitly rather than using str_replace or ereg_replace...

Q: Why not always use SSL?

A: From a posting by Pm
Note also that serving content through SSL can significantly increase server loads. It's often a good idea to use SSL judiciously--to only use SSL on those pages that really need to be protected in transit. This is also why commercial sites such as Amazon don't use SSL for the entire session, but only for those portions where sensitive personal information such as credit card numbers or addresses are being transmitted over the wires.

Discussion

(None yet)

See Also

--

History

(None yet)

Comments & Bugs

(None yet)

Contributors

pmwiki-2.3.38 -- Last modified by {{Viliam Simko}}?

from IP: 85.171.160.186 ip should be disabled by default for security reasons