Yoshio Imai wrote:

> I have also found one possible problem, maybe it's already solved in the
> newest version: We have set up the elog under an stunnel, but the elog
> server also responds to the original port (i.e. 80), displaying the logbook
> selection page and from there even the login screen. Only after logging in
> the elog server redirects the client browser to the https-page defined with
> the URL-statement of the config file. The whole thing seems like an unwanted
> behaviour, but could you change it so that it either doesn't respond on the
> wrong URL at all, or at least redirects to the secured URL before presenting
> the login window, so that we transfer the passwords encrypted?

I implemented that in revision 1540. On the logbook selection page, the links to the individual logbooks honor the "URL = ..." statement from the config file, and thus you get redirected via "https://...". More is unfortunately not possible. If elogd gets contacted the first time, it is impossible to figure out by elogd under which URL it got contacted, and therefore it cannot distinguish between secure and insecure connections. The only way is to switch off port 80 by a firewall and only allow "https://..." connections from outside.
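An added example, not part of the original thread and not ELOG code: a check to run from outside the firewall that tells whether the plaintext port is closed, redirects to "https://..." before any page is shown, or still serves content in the clear. The function names, the local stand-in listeners and the host `elog.example.org` are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def classify_plaintext_port(host, port=80, path="/", timeout=3.0):
    """Return 'closed', 'redirects-to-https' or 'serves-plaintext'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()  # http.client never follows redirects
        location = resp.getheader("Location", "") or ""
        if 300 <= resp.status < 400 and location.lower().startswith("https://"):
            return "redirects-to-https"
        return "serves-plaintext"  # anything else was answered over plain HTTP
    except (OSError, http.client.HTTPException):
        return "closed"  # refused, or dropped by the firewall (timeout)
    finally:
        conn.close()

def _handler(status, headers, body=b""):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            for name, value in headers.items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args): pass  # keep the demo quiet
    return Handler

def run_demo():
    """Classify constructed local listeners (stand-ins, not elogd)."""
    cases = {"login form on plain port": _handler(200, {}, b"<form>password</form>"),
             "redirect before login": _handler(302, {"Location": "https://elog.example.org/"})}
    results = {}
    for name, handler in cases.items():
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        results[name] = classify_plaintext_port("127.0.0.1", srv.server_port)
        srv.shutdown()
        srv.server_close()
    # Same port again with the listener gone: what a firewalled port looks like.
    results["port firewalled"] = classify_plaintext_port("127.0.0.1", srv.server_port)
    return results

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Against a real deployment, call `classify_plaintext_port` with the server's public name from a machine outside the firewall; only "closed" matches the setup recommended in the reply above.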