Add SKIP_SSL_REDIRECT directive.

This directive prevents Bricolage from redirecting to and from an SSL URL when
`SSL_ENABLE` is turned on. The case for this is when Bricolage is running
behind a reverse proxy server that's handling SSL mappsings. Thanks to Alex
Krohn for the report.

comp/login/welcome.html

@@ -10,7 +10,7 @@
 <& /widgets/wrappers/table_bottom.mc &>
 <& /widgets/wrappers/footer.mc &>
 <%init>;
-my $url = SSL_ENABLE
+my $url = SSL_ENABLE && !SKIP_SSL_REDIRECT
     ? Bric::Util::ApacheReq->url( ssl => 1, uri => $ARGS{referer} )
     : $ARGS{referer};
 </%init>

conf/bricolage.conf

@@ -1,19 +1,21 @@
-# Apache Settings. HTTPD_VERSION selects which version of Apache
-# to use; by default this is 'apache', which means version 1.3.34 or later,
-# but it can be set to 'apache2' instead for Apache version >= 2.0.55.
-# APACHE_BIN is the location of the Apache server executable,
-# and APACHE_CONF is the location of the Apache configuration file.
-# LISTEN_PORT is the port on which Bricolage will listen for connections. You
-# must also tell Apache to listen on this port in the configuration file
-# specified in APACHE_CONF (using Listen, Port, or BindAddress). SSL_ENABLE
-# defines the type of SSL support available (Off, mod_ssl, apache_ssl).
-# SSL_PORT defines the port on which Bricolage will listen for https
-# server. It defaults to 443. ALWAYS_USE_SSL is disabled if not specified. It
-# forces Bricolage to always use SSL for user connections and does not give
-# the user the option of just using SSL for login. NAME_VHOST is the IP
-# address on which the virtual host name specified in the VHOST_SERVER_NAME
-# directive will respond. If you change the LISTEN_PORT and/or SSL_PORT
-# numbers, remember to also change them in httpd.conf and vice versa.
+# Apache Settings. HTTPD_VERSION selects which version of Apache to use; by
+# default this is 'apache', which means version 1.3.34 or later, but it can be
+# set to 'apache2' instead for Apache version >= 2.0.55. APACHE_BIN is the
+# location of the Apache server executable, and APACHE_CONF is the location of
+# the Apache configuration file. LISTEN_PORT is the port on which Bricolage
+# will listen for connections. You must also tell Apache to listen on this
+# port in the configuration file specified in APACHE_CONF (using Listen, Port,
+# or BindAddress). SSL_ENABLE defines the type of SSL support available (Off,
+# mod_ssl, apache_ssl). SKIP_SSN_REDIRECT tells Bricolage not to get fancy
+# when SSL_ENABLE is true and it's doing a redirect. In such a case, it will
+# redirect without specifying an alternate port. SSL_PORT defines the port on
+# which Bricolage will listen for https server. It defaults to 443.
+# ALWAYS_USE_SSL is disabled if not specified. It forces Bricolage to always
+# use SSL for user connections and does not give the user the option of just
+# using SSL for login. NAME_VHOST is the IP address on which the virtual host
+# name specified in the VHOST_SERVER_NAME directive will respond. If you
+# change the LISTEN_PORT and/or SSL_PORT numbers, remember to also change them
+# in httpd.conf and vice versa.
 
 HTTPD_VERSION           = apache
 APACHE_BIN              = /usr/local/apache/bin/httpd
@@ -22,6 +24,7 @@ LISTEN_PORT             = 80
 SSL_ENABLE              = No
 SSL_PORT                = 443
 ALWAYS_USE_SSL          = No
+SKIP_SSL_REDIRECT       = No
 SSL_CERTIFICATE_KEY_FILE = /usr/local/apache/conf/ssl.key/server.key
 SSL_CERTIFICATE_FILE    = /usr/local/apache/conf/ssl.crt/server.crt
 NAME_VHOST              = *

lib/Bric/Admin.pod

@@ -1595,6 +1595,16 @@ also have to enable B<ALWAYS_USE_SSL> so that recirects will work properly.
 
 =item *
 
+B<SKIP_SSL_REDIRECT:> When SSL is enabled and C<ALWAYS_USE_SSL> is not,
+Bricolage will switch back and forth between SSL and non-SSL connections as
+appropriate. Mostly this means that it uses SSL for pages with password
+information, and non-SSL otherwise. If you don't want Bricolage to do this
+kind of switching, enable C<SKIP_SSL_REDIRECT>. This will be most useful if
+Bricolage lives behind a reverse proxy server that handles the SSL stuff
+itself.
+
+=item *
+
 B<NAME_VHOST:> The IP address on which the virtual host name specified in the
 C<VHOST_SERVER_NAME> directive will respond. Note that the syntax for this
 directive is identical to the syntax for Apache's C<NameVirtualHost> directive.

lib/Bric/App/Callback/Login.pm

@@ -11,7 +11,7 @@ use Bric::App::Session qw(:state :user);
 use Bric::App::Util qw(del_redirect redirect_onload);
 use Bric::Util::Priv::Parts::Const qw(:all);
 
-use Bric::Config qw(LISTEN_PORT);
+use Bric::Config qw(LISTEN_PORT SKIP_SSL_REDIRECT);
 
 my $port = LISTEN_PORT == 80 ? '' : ':' . LISTEN_PORT;
 
@@ -26,9 +26,9 @@ sub login : Callback {
     my $redir = del_redirect() || '';
     $redir = '/' if $redir =~ m|^/login|;
     if ($res) {
-        if ($param->{$self->class_key . '|ssl'}) {
+        if (SKIP_SSL_REDIRECT || $param->{$self->class_key . '|ssl'}) {
             # They want to use SSL. Do a simple redirect.
-            set_state_name($self->class_key, 'ssl');
+            set_state_name($self->class_key, 'ssl') unless SKIP_SSL_REDIRECT;
             $self->redirect($redir);
         } else {
             # Redirect them back to port 80 if not using SSL.

lib/Bric/Changes.pod

@@ -12,6 +12,20 @@ This document lists the Changes to Bricolage introduced with each release.
 
 =head1 Version 2.0.1 ()
 
+=head1 Improvements
+
+=over
+
+=item *
+
+Added C<SKIP_SSL_REDIRECT> F<bricolage.conf> directive. This directive
+prevents Bricolage from redirecting to and from an SSL URL when C<SSL_ENABLE>
+is turned on. The case for this is when Bricolage is running behind a reverse
+proxy server that's handling SSL mappsings. Thanks to Alex Krohn for the
+report. [David]
+
+=back
+
 =head2 Bug Fixes
 
 =over

lib/Bric/Config.pm

@@ -66,6 +66,7 @@ our @EXPORT_OK = qw(DBD_PACKAGE
                     VHOST_SERVER_NAME
                     ALWAYS_USE_SSL
                     SSL_ENABLE
+                    SKIP_SSL_REDIRECT
                     SSL_PORT
                     SSL_CERTIFICATE_FILE
                     SSL_CERTIFICATE_KEY_FILE
@@ -298,6 +299,7 @@ our %EXPORT_TAGS = (all       => \@EXPORT_OK,
                     ssl       => [qw(SSL_ENABLE
                                      SSL_PORT
                                      ALWAYS_USE_SSL
+                                     SKIP_SSL_REDIRECT
                                      LISTEN_PORT)],
                     conf      => [qw(SSL_ENABLE
                                      SSL_CERTIFICATE_FILE
@@ -470,7 +472,7 @@ require Bric; our $VERSION = Bric->VERSION;
                     ENABLE_WYSIWYG AUTOGENERATE_SLUG ENABLE_GZIP
                     MEDIA_UNIQUE_FILENAME LDAP_TLS AUTO_PREVIEW_MEDIA
                     MASON_STATIC_SOURCE ALLOW_URIS_WITHOUT_CATEGORIES
-                    EXPIRE_ON_DEACTIVATE))
+                    EXPIRE_ON_DEACTIVATE SKIP_SSL_REDIRECT))
         {
             my $d = exists $config->{$_} ? lc($config->{$_}) : '0';
             $config->{$_} = $d eq 'on' || $d eq 'yes' || $d eq '1' ? 1 : 0;
@@ -549,6 +551,7 @@ require Bric; our $VERSION = Bric->VERSION;
 
     # ssl Settings.
     use constant SSL_ENABLE              => $config->{SSL_ENABLE};
+    use constant SKIP_SSL_REDIRECT       => $config->{SKIP_SSL_REDIRECT};
     use constant SSL_CERTIFICATE_FILE    =>
       $config->{SSL_CERTIFICATE_FILE} || '';
     use constant SSL_CERTIFICATE_KEY_FILE =>

lib/Bric/Util/ApacheReq.pm

@@ -139,7 +139,7 @@ sub url {
     my %p = @_;
     my $http = 'http';
     my $port;
-    if ( SSL_ENABLE && (ALWAYS_USE_SSL || $p{ssl}) ) {
+    if ( SSL_ENABLE && !SKIP_SSL_REDIRECT && (ALWAYS_USE_SSL || $p{ssl}) ) {
         $http .= 's';
         # Yes string comparisons, because the constants are inlined.
         $port  = SSL_PORT eq '*' || SSL_PORT eq '443' ? '' : ':' . SSL_PORT;