Last change on this file since 1552 was 1483, checked in by geofft, 16 years ago

__scripts/needcerts: Add support for working around Safari

Safari on Mac OS X (or more properly, CFNetwork and the rest of the SSL
stack) doesn't properly support SSLVerifyClient Optional, which is our
default for :444. In particular, if you don't have an identity
preference set, only SSLVerifyClient Require will trigger the dialog to
set an identity preference and present a certificate to the site:

http://lists.apple.com/archives/apple-cdsa/2009/Apr/msg00041.html

We can work around this by checking for the Safari user-agent in
/__scripts/needcerts and renegotiating SSLVerifyClient Require. Forcing
the Require behavior on Safari users that reach this page is reasonable
because this page is only (supported to be) reached as an ErrorDocument
401; if you're intentionally using AuthOptional on to take advantage of
the optional authentication, you'll never trigger the 401 error.

File size: 1.5 KB

```apache
Alias /__scripts/heartbeat /afs/athena.mit.edu/contrib/scripts/web_scripts/heartbeat
Alias /__scripts/django/media /usr/lib/python2.6/site-packages/django/contrib/admin/media
Alias /__scripts /afs/athena.mit.edu/contrib/scripts/www

# Override any earlier SetHandler for files under these two directories.
<Directory /afs/athena.mit.edu/contrib/scripts/www>
    <Files *>
        SetHandler none
    </Files>
</Directory>

<Directory /usr/lib/python2.6/site-packages/django/contrib/admin/media>
    <Files *>
        SetHandler none
    </Files>
</Directory>

<Location /__scripts/needcerts>
    RewriteEngine On

    # Not on port 444 and reached via the short name "scripts" (or *.scripts):
    # redirect to the .mit.edu name on :444, keeping the request target (%1).
    RewriteCond %{HTTP_HOST} !:444$
    RewriteCond %{SERVER_NAME} ^(.*\.)?scripts$
    RewriteCond %{THE_REQUEST} ^[^\ ]*\ (.*)\ .*
    RewriteRule ^ https://%{SERVER_NAME}.mit.edu:444%1 [L,R]

    # Not on port 444 and not a scripts-cert host: redirect to the same name on :444.
    RewriteCond %{HTTP_HOST} !:444$
    RewriteCond %{SERVER_NAME} !=scripts-cert.mit.edu
    RewriteCond %{SERVER_NAME} !=scripts-cert
    RewriteCond %{THE_REQUEST} ^[^\ ]*\ (.*)\ .*
    RewriteRule ^ https://%{SERVER_NAME}:444%1 [L,R]

    # Safari workaround: Mac OS X WebKit user agents are handed to
    # /__scripts/safarihack, which sets SSLVerifyClient require.
    RewriteCond %{HTTP_USER_AGENT} Mac\ OS\ X.*AppleWebKit
    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts(.*) /__scripts/safarihack$1 [L]

    # Everyone else: rewrite to whatever follows needcerts in the path, or to
    # the unauthorized page when nothing follows it.
    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts(.+) $1 [L]
    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/needcerts /__scripts/unauthorized.html [L]
</Location>

<Location /__scripts/safarihack>
    # Force the client-certificate prompt, then apply the same path rewrite as above.
    SSLVerifyClient require
    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/safarihack(.+) $1 [L]
    RewriteRule /afs/athena.mit.edu/contrib/scripts/www/safarihack /__scripts/unauthorized.html [L]
</Location>
```
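Added example, not part of the scripts repository: a simplified Python model of the rule order in the `/__scripts/needcerts` Location above, showing which requests are redirected to :444 and which user agents the `Mac\ OS\ X.*AppleWebKit` test sends to `/__scripts/safarihack` (SSLVerifyClient require). The user-agent strings and `example.mit.edu` are constructed, and the action labels and the treatment of `$1` as the URL path after `/__scripts/needcerts` are assumptions of this model, not Apache behaviour taken from the page.

```python
import re

# Patterns copied from the RewriteCond lines in the needcerts Location.
SHORT_NAME = re.compile(r"^(.*\.)?scripts$")
REQUEST_LINE = re.compile(r"^[^ ]* (.*) .*")
MAC_WEBKIT = re.compile(r"Mac OS X.*AppleWebKit")
CERT_HOSTS = {"scripts-cert.mit.edu", "scripts-cert"}
PREFIX = "/__scripts/needcerts"

# Constructed user-agent strings (sample data, not taken from the page).
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us) "
              "AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7")
CHROME_MAC = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) "
              "AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.55 Safari/533.4")
FIREFOX_MAC = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) "
               "Gecko/20100115 Firefox/3.6")


def needcerts_decision(host_header, server_name, request_line, user_agent):
    """Return (action, target) for one request, applying the rules in file order."""
    m = REQUEST_LINE.search(request_line)
    if m and not host_header.endswith(":444"):
        target = m.group(1)  # %1: request target, query string included
        if SHORT_NAME.search(server_name):
            return ("redirect", f"https://{server_name}.mit.edu:444{target}")
        if server_name not in CERT_HOSTS:
            return ("redirect", f"https://{server_name}:444{target}")
    # Assumption: $1 is the URL path that follows /__scripts/needcerts.
    path = m.group(1).split("?", 1)[0] if m else PREFIX
    rest = path[len(PREFIX):] if path.startswith(PREFIX) else ""
    if MAC_WEBKIT.search(user_agent):
        # Internal hand-off to the Location that sets SSLVerifyClient require.
        return ("rewrite+require", "/__scripts/safarihack" + rest)
    return ("rewrite", rest or "/__scripts/unauthorized.html")


if __name__ == "__main__":
    line = "GET /__scripts/needcerts/~user/app/ HTTP/1.1"
    for name, ua in [("Safari", SAFARI_MAC), ("Chrome", CHROME_MAC), ("Firefox", FIREFOX_MAC)]:
        print(name, needcerts_decision("scripts.mit.edu:444", "scripts.mit.edu", line, ua))
    print(needcerts_decision("scripts", "scripts", line, FIREFOX_MAC))
```

The constructed Chrome string takes the same require path as Safari because the pattern keys on Mac OS X plus AppleWebKit rather than on Safari specifically.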
       
      