World: r3wp
[!Cheyenne] Discussions about the Cheyenne Web Server
Graham 19-Aug-2009 [5540x2] | No wonder I wasn't seeing the response from my script ...
Anyone see why this doesn't work?
    grab-cookie: func [
        login-url [url!] username password
        /target web-app-url [url!]
        /local page auth cookie err
    ][
        if error? set/any 'err try [
            page: open login-url
            cookie: page/locals/headers/set-cookie
            close page
            auth: rejoin ["login=" username "&pass=" password]
            page: read/custom login-url compose/deep [POST (auth) [cookie: (cookie)]]
            either target [
                page: read/custom web-app-url compose/deep [GET "" [cookie: (cookie)]]
                return page
            ][
                return cookie
            ]
        ][
            mold disarm err
        ]
    ]
I can see it sending the cookie after authentication to get a page in a web app, but I get redirected to the login page
Will 19-Aug-2009 [5542x2] | I was logged in, otherwise I would have been redirected to the login page.. Good that it fixed your issue. Did you try solution one? If not, could you please? thx
That is just how Google's auth framework works..
Dockimbel 19-Aug-2009 [5544x2] | Response/redirect returns code 301 by default (meaning "Moved Permanently"), which may be the cause of the unexpected caching by the browser. Could you try using response/redirect/temp instead?
Grab-cookie: do your 'username or 'password values contain any special character that would need to be URL-encoded?
Graham 19-Aug-2009 [5546x3] | no .. I guess I'll have to do a Wireshark trace to see why it doesn't work.
and ... it's because I'm not doing the captcha challenge :(
response/redirect/temp seems to work .. after I removed the response setting changes.
Dockimbel 20-Aug-2009 [5549x2] | Thanks, that confirms what I was thinking: response/redirect should return a 302 by default instead of 301 to avoid browser caching issues.
This is the proposed change to RESPONSE/REDIRECT:
    response/redirect      => 303 ; HTTP/1.1 moved temporarily (POST => 303 => GET)
    response/redirect/temp => 302 ; HTTP/1.0-compatible moved temporarily
    response/redirect/thru => 307 ; HTTP/1.1 moved temporarily with the same method (POST => 307 => POST)
    response/redirect/last => 301 ; HTTP/1.0 & 1.1 moved permanently
If there are no objections or better propositions for the refinements, I'll commit these changes tonight.
Dockimbel 21-Aug-2009 [5551] | SVN update to revision 8:
    o RSP: response/redirect improved (see above)
    o RSP/CGI: default no-caching headers changed to:
        Pragma: no-cache
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Will 21-Aug-2009 [5552x3] | Thank you 8)
To note (in the headers posted in the Cheyenne group): the first redirect sends:
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
the second:
    Expires: Wed, 19 Aug 2009 21:43:59 GMT
    Cache-Control: private, max-age=0
Also to note, the first one also sends:
    Content-Type: text/html; charset=UTF-8
but no Content-Length; the second sends:
    Content-Encoding: gzip
    Content-Length: 232
and no Content-Type .. a real mess.. normally I trust Google, they are very picky, but here I don't understand
wrong channel..
Janko 22-Aug-2009 [5555x3] | Is there any info on the net on how to use Cheyenne with a 3rd-party SSL app to get HTTPS? I googled but didn't find anything.. I found Doc mentioning stunnel so I am looking into that
I bought an SSL certificate at Comodo now, created the CSR and am waiting for it.. It seems pretty simple to set up so far (with the stunnel examples)
would using something like nginx in front of Cheyenne to get SSL be better? (and also to serve the static files directly)
Dockimbel 22-Aug-2009 [5558] | I've tested only with stunnel, but nginx is also a very good option if you want to speed up static file serving.
Janko 22-Aug-2009 [5559x4] | This is the stunnel example doc for HTTPS .. the webmaster at the top doesn't recommend it that much ... http://www.stunnel.org/examples/https_windows.html This shows nginx with separate SSL usage and also using it as a reverse proxy (with load balancing also) http://www.linuxjournal.com/article/10108
SSL
    server {
        listen 127.0.0.1:443;
        server_name secure;
        access_log /var/log/nginx/secure.access.log;
        error_log /var/log/nginx/secure.error.log;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        location / {
            root /var/www/secure;
            index index.html index.htm;
        }
    }
LOAD BALANCER
    upstream python_servers {
        server 127.0.0.1:8001;
        server 127.0.0.1:8002;
    }
    server {
        listen 127.0.0.1:8000;
        server_name proxy;
        access_log /var/log/nginx/proxy.access.log;
        error_log /var/log/nginx/proxy.error.log;
        location / {
            proxy_pass http://python_servers;
        }
    }
-- Both seem logical, and if combining SSL + proxy (server part) works I would get what I need
So far the faster static serving is not so crucial to me.. I want the more reliable and less complicated option .. neither seems very complicated from looking at it
Doc: did you use the stunnel config like it's in that example link I gave?
Dockimbel 22-Aug-2009 [5563] | Yes, like the one in section "10. Running the server". You also need to block direct access on port 80 for your SSL-protected resources. There are various ways to achieve that, like using a local firewall to block incoming traffic on port 80 from outside (but not from localhost), or per webapp, using a custom 'on-page-start handler testing the server port of the incoming request (and rejecting it if port<>443).
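An added example, not from this thread and not Cheyenne or nginx project code, of the combined setup Janko sketches above: TLS termination and reverse proxying in the same nginx server, with Dockimbel's port-80 concern handled by the proxy layout itself. Assumptions: Cheyenne is bound to 127.0.0.1:8000 (port and address are placeholders), the certificate and key live under /etc/nginx/ssl/, static files sit under /var/www/secure, and the server_name is the host from Janko's certificate.

```nginx
# Added example: nginx terminating TLS in front of Cheyenne. Not from the thread.
# Assumed: Cheyenne listens on 127.0.0.1:8000; all paths below are placeholders.

upstream cheyenne {
    server 127.0.0.1:8000;       # assumption: Cheyenne reachable on loopback only
}

# Plain HTTP: send every request to HTTPS so nothing reaches the app unencrypted.
# To offer the http/https choice Janko wants instead, replace the "return" with
# the same "location /" block as below and send X-Forwarded-Proto http.
server {
    listen 80;
    server_name www.cebelca.biz;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;              # current syntax; "ssl on;" is the older form
    server_name www.cebelca.biz;

    # Chain file = server certificate first, then the intermediates (most specific
    # first). The private key stays in its own file, readable by nginx only.
    ssl_certificate     /etc/nginx/ssl/www_cebelca_biz.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/www_cebelca_biz.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    access_log /var/log/nginx/secure.access.log;
    error_log  /var/log/nginx/secure.error.log;

    # Static files served by nginx directly, never by the app (assumed directory).
    location /static/ {
        root /var/www/secure;
    }

    # Everything else is proxied to Cheyenne. The app sees the original Host,
    # the client address and the fact that the request arrived over TLS.
    location / {
        proxy_pass http://cheyenne;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout only nginx answers on ports 80 and 443, so the "reject if port <> 443" check inside the web app is not needed, provided Cheyenne's own port is not reachable from outside: bind it to loopback if Cheyenne's configuration allows that (an assumption here), otherwise firewall it the way Dockimbel describes for port 80. The root CA certificate does not belong in the chain file; clients already hold it.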
Janko 22-Aug-2009 [5564] | I was thinking of giving users a choice to use or not use http or https .. so I would leave both open (if that doesn't mean something bad which I don't know)
Dockimbel 22-Aug-2009 [5565] | If the choice is up to the user, then both ports will stay open; that should be the easiest way to handle it, AFAICT.
Janko 22-Aug-2009 [5566x2] | ok, then I will go that way
thanks
Graham 22-Aug-2009 [5568] | How does it work with virtual hosts? Do you need a certificate for each host?
Janko 23-Aug-2009 [5569x2] | I think you need a certificate per domain (more than one subdomain can be handled by one so-called wildcard cert.)
I got a response from them to my mail with the company data.. they couldn't validate me yet because I bought the domain in my personal name and the cert is for the company .. I need to change that in the whois info (I hope it's even possible)
Graham 23-Aug-2009 [5571] | so does stunnel handle multiple certificates? Anyone know?
Gabriele 23-Aug-2009 [5572] | Graham, TLS allows for "virtual hosting" so that you can have multiple certificates on the same IP address. However, older clients (SSL) don't know about that, so in general it's "one IP address for each certificate".
Graham 23-Aug-2009 [5573] | stunnel can provide both SSL and TLS ... not clear though if it will do the job
Janko 23-Aug-2009 [5574] | I got the Comodo certificate now .. I got my crt and 4 intermediate crts and 1 root crt .. got to figure out how to use this with stunnel now .. the example shows that you have a .pem file
Graham 23-Aug-2009 [5575] | Looks like stunnel supports multiple certificates.
Janko 23-Aug-2009 [5576x10] | I read here .. I concatenated them together accordingly, now I get
    2009.08.23 10:51:23 LOG3[17421:139883801568992]: SSL_CTX_use_RSAPrivateKey_file: B080074: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
according to this: http://www.aprelium.com/forum/viewtopic.php?p=57622
I concatenated all these certs + put the private key at the top but it seems it doesn't work... anyone know more about this? Should I use just one intermediate CA or all of them, is the order important?
    * Root CA Certificate - AddTrustExternalCARoot.crt
    * Intermediate CA Certificate - UTNAddTrustSGCCA.crt
    * Intermediate CA Certificate - ComodoUTNSGCCA.crt
    * Intermediate CA Certificate - ComodoHighAssuranceSecureServerCA.crt
    * Your Comodo InstantSSL Certificate - www_cebelca_biz.crt
I keep getting "key values mismatch" no matter what I tried so far... I found out this: the key/cert/CAfile in the conf doesn't seem to matter as it checks /etc/stunnel/stunnel.pem anyway .. so I commented them out. If I delete the pem file I get appropriate errors, so it checks for this file.. If I remove the RSA PRIV KEY from the first line I get an error saying something about "RSA KEY no start line". If I remove the CA certificates below I get an error saying "SSL CERT no start line".. If I concat them all like this
    cat myserver.key AddTrustExternalCARoot.crt UTNAddTrustSGCCA.crt ComodoUTNSGCCA.crt ComodoHighAssuranceSecureServerCA.crt www_cebelca_biz.crt >> stunnel.pem
(first the PRIV KEY, then ALL THE CERTS in the same order as they are listed in the email to me, with cebelca.biz.crt last) I get the "key values mismatch", which I think means that the priv key and certs don't match
I tried using the pem file I can generate on the stunnel page and I see that its certs and privkey are half as short... maybe I don't have the right version/type of encryption setup or something?
I got it working with that sample pem .. the stupid mistake is that if you uncomment it like this
    ; [https]
    accept = 443
    connect = 80
    TIMEOUTclose = 0
instead of like this
    [https]
    accept = 443
    connect = 80
    TIMEOUTclose = 0
you get some strange errors ... now I need to make those bought certs work somehow (I WILL WRITE A TUTORIAL ABOUT THIS .. how to set up Cheyenne with stunnel)
where did my last message go?
(messages are here after restart .. sorry)
I compared the modulus and public exponent of the key and cert and they are the same, but I saw another thing.. related to the "half length" of the key that worked.
When stunnel starts it says "Wrote 1024 new random bytes to /root/.rnd" .. the certs are 2048-bit .. do you think the problem could be that stunnel expects a 1024-byte cert/key? (the sample cert/key that worked was 1024 byte)
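An added example, written for this page and not taken from the thread, stunnel or Cheyenne, that assembles the stunnel PEM file and checks the key against the certificate before stunnel ever loads it. The error quoted above is raised when OpenSSL pairs the private key with the first certificate it finds in the file; in the cat command above that first certificate is AddTrustExternalCARoot.crt, so the key is checked against the root CA's certificate and reported as a mismatch even though, as noted later, the modulus and exponent of key and server certificate agree. The order stunnel (via OpenSSL) expects is private key, then the server certificate, then the intermediates starting with the one that signed the server certificate; the "Wrote 1024 new random bytes" message refers to the PRNG seed file, not to the key size. Assumed: the openssl CLI is on PATH, the file names are the ones from the Comodo email, and the chain order in the usage line is inferred from those names.

```shell
#!/bin/sh
# Added example (editor's, not from the thread, not stunnel or Cheyenne code).
# Builds the single PEM file stunnel reads and verifies key/cert pairing first.
# Assumes the openssl CLI is installed; file names are placeholders.

# Succeeds when the private key in $1 belongs to the certificate in $2.
# Both sides are reduced to their public key, so this works for RSA and EC.
pem_key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Prints the subject of the FIRST certificate in a PEM file. That is the
# certificate OpenSSL, and therefore stunnel, pairs with the private key;
# a root CA certificate in that position is what produces
# "X509_check_private_key:key values mismatch".
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# build_stunnel_pem OUT KEY SERVER_CERT [INTERMEDIATE ...] [ROOT]
# Order: key, server certificate, then the chain starting with the CA that
# signed the server certificate. The root is optional (clients already have it).
# Refuses to write a file whose key and server certificate disagree.
build_stunnel_pem() {
    out="$1"; key="$2"; leaf="$3"; shift 3
    if ! pem_key_matches_cert "$key" "$leaf"; then
        echo "refusing to build $out: $key does not match $leaf" >&2
        return 1
    fi
    cat "$key" "$leaf" "$@" > "$out" && chmod 600 "$out"
}

# Usage with the files from the Comodo email (chain order inferred from the
# names: most specific CA first, root last):
#   sh build-stunnel-pem.sh /etc/stunnel/stunnel.pem myserver.key www_cebelca_biz.crt \
#       ComodoHighAssuranceSecureServerCA.crt ComodoUTNSGCCA.crt \
#       UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt
if [ "$#" -ge 3 ]; then
    build_stunnel_pem "$@" && echo "wrote $1; first cert: $(first_cert_subject "$1")"
fi
```

Run first_cert_subject against an existing stunnel.pem to see which certificate stunnel will actually present; if it prints the AddTrust root instead of www.cebelca.biz, the file has the order problem described above. The chmod keeps the private key from being world-readable, which the bare cat in the thread does not guarantee.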
Will 23-Aug-2009 [5586] | I use apache2-MPM as a reverse proxy in front of Cheyenne for the same reasons (static serving, SSL), works flawlessly, but now it is time to move to nginx. Looking at the MacPorts variants for nginx, there are many options that I find interesting:
    root/trunk/build alpha% port variants nginx
    nginx has the variants:
        dav: Add WebDAV support to server
        flv: Add FLV (Flash Video) streaming support to server
        mail: Add IMAP4/POP3 mail proxy support
        ssl: Add SSL (HTTPS) support to the server, and also to the mail proxy if that is enabled
        status: Add /nginx_status support to the server
        perl5: Add perl support to the server directly within nginx and call perl via SSI
        realip: Using nginx as a backend
        addition: Append text to pages
        substitution: Replace text in pages
        gzip_static: Avoids compressing the same file each time it is requested
        google_perftools: Enable Google Performance Tools profiling for workers
        upload: Enable Valery Kholodkov's upload module (http://grid.net.ru/nginx/upload.en.html)
        universal: Build for multiple architectures
Janko 23-Aug-2009 [5587x2] | I will try installing nginx too now... I was trying this with stunnel for 3 hours and googled all I could think of without much luck.. I learned a lot more about certs, that is good
Probably it's something about how I create the pem .. maybe I didn't position them right (because I see nothing related to the 1024/2048 that I suspected)
Will 23-Aug-2009 [5589] | some benchmarks http://blog.mudy.info/tag/nginx/ interesting performance! 8)