
RequireTLS for back-end only

Vladas Palubinskas
25 November 2017, 09:26
Is it possible to switch on TLS encryption only when needed? The public contents of most websites are neither secret nor private. I've registered them with Let's Encrypt, although I left encryption optional via https:// for visitors. I would like to force encryption for publishers (and editors) when they are going to log in via the back-end of the CMS. Perhaps the simplest way would be RequireTLS for the CMS directory (/textpattern/ in my example), but RequireTLS is not a valid record in a Directory {} configuration. Match ^/textpattern/ RequireTLS in UrlToolkit is invalid, too. Is there another way of forcing TLS for the back-end only in Hiawatha?
Hugo Leisink
25 November 2017, 22:03
No, the RequireTLS setting works per virtual host. You could, however, use a separate hostname for the CMS.
Vladas Palubinskas
26 November 2017, 14:17
What a thought! Thank you very much, Hugo. And for your excellent webserver.

I am still curious: is there any theoretical reason to encrypt an entire domain (and thus all the internet)?
Hugo Leisink
26 November 2017, 16:17
It's for privacy reasons. If I know what images or stylesheets your browser requests, I can possibly find out what website and page you are visiting. Imagine you are visiting a medical website...
Vladas Palubinskas
26 November 2017, 16:40
I meant forcing encryption of every domain by servers, not by its visitors. I have registered all domains with Let's Encrypt, but left it to the visitor's choice to encrypt or not. I would like to force encryption only for the CMS, webmail, and so on, including private medical data.
Vladas Palubinskas
26 November 2017, 17:59
I have registered txp.on.lt as an alias of on.lt and forced encryption on the subdomain for the editors of On.lt. And I also redirected ^/textpattern/ from On.lt to https://txp.on.lt/textpattern/. The CMS is accessible only via TLS now, while TLS for public pages is optional, decided by the visitors. Cheers! Of course, that is just an elegant workaround.
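The setup described in the post above, written out as a hiawatha.conf fragment. This is an added example, not configuration from the thread or from the Hiawatha project; only the hostnames on.lt and txp.on.lt and the /textpattern/ directory come from the thread, while the ports, certificate and document-root paths and the ToolkitID name are assumptions. The directive syntax follows the Hiawatha manual as I recall it (per-VirtualHost RequireTLS, UrlToolkit Match/Redirect with $1 back-references); check it on your own version with `hiawatha -k` before reloading.

```text
# Added example, not from the original post or from Hiawatha's documentation.
# All paths, ports and the ToolkitID are assumed; hostnames come from the thread.

Binding {
    Port = 80
}

Binding {
    Port = 443
    # Assumed path. The certificate must list both on.lt and txp.on.lt
    # (the post registered txp.on.lt as an alias of on.lt at Let's Encrypt).
    TLScertFile = /etc/hiawatha/tls/on.lt.pem
}

# Send every request for the CMS directory on the public host to the
# TLS-only host. The alternation (/.*|$) also catches a bare /textpattern
# with no trailing slash, which ^/textpattern/ alone would let through;
# $1 carries the remainder of the path across to the new host.
UrlToolkit {
    ToolkitID = cms_to_tls
    Match ^/textpattern(/.*|$) Redirect https://txp.on.lt/textpattern$1
}

# Public site: served on both bindings, so http or https is the visitor's choice.
VirtualHost {
    Hostname = on.lt, www.on.lt
    WebsiteRoot = /var/www/on.lt
    UseToolkit = cms_to_tls
}

# Editors' host: same files, but RequireTLS answers any plain-http request
# for this hostname with a redirect to https:// before anything is served.
VirtualHost {
    Hostname = txp.on.lt
    WebsiteRoot = /var/www/on.lt
    RequireTLS = yes
}
```

Two things worth checking after this is in place. First, the redirect is a 3xx hop, so a request for http://on.lt/textpattern/ still leaves the server in clear text once, together with whatever cookies the browser already holds for on.lt; the CMS login and session cookies should therefore be issued only by txp.on.lt, with the Secure flag, so nothing sensitive rides on that first hop. Second, the regex is the only thing keeping the CMS off the plain-http host, so test the bare path, a trailing-slash variant and a mixed-case variant against http://on.lt and confirm each lands on https://txp.on.lt/ rather than on the CMS.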
Hugo Leisink
26 November 2017, 19:53
The reason is the same: privacy. And of course security. Encryption is very fast these days, especially with AES support in processors. There is almost no reason not to encrypt.
Vladas Palubinskas
28 November 2017, 06:58
Not so obvious for me. What is private communication? Privacy is either no communication (autonomy, personhood, being left alone) or communication between quite familiar persons, e.g. P2P. There is nothing private on a public network in the era of cookies, Facebook, total government control, monopolisation and centralized servers. For anonymity there are other means: incognito browsing, anonymizers, and so on. Unnecessary encryption breaks accessibility and even security through false warnings, content blocking, and other dangerous consequences (let's look at a blocked LE logo on their own website: https://i.imgur.com/oicFTtq.png). I think TLS should remain for identity and security, not for total false privacy.
This topic has been closed.