From 07eae0ce4d927851a839cf50d5cb9b7a06b979a2 Mon Sep 17 00:00:00 2001
From: Evan Prodromou <evan@controlyourself.ca>
Date: Thu, 26 Mar 2009 15:03:59 -0400
Subject: Support SSL for some, all, or no pages

Support SSL URLs either for all pages; no pages; or for sensitive
pages accepting passwords, like login, registration, API, and others.
---
 README            | 10 ++++++++++
 config.php.sample | 10 ++++++++++
 lib/common.php    |  2 ++
 lib/util.php      | 31 ++++++++++++++++++++++++++-----
 4 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/README b/README
index 7feb7d90b..62f4f1863 100644
--- a/README
+++ b/README
@@ -925,6 +925,16 @@ dupelimit: Time in which it's not OK for the same person to post the
            same notice; default = 60 seconds.
 logo: URL of an image file to use as the logo for the site. Overrides
       the logo in the theme, if any.
+ssl: Whether to use SSL and https:// URLs for some or all pages.
+     Possible values are 'always' (use it for all pages), 'never'
+     (don't use it for any pages), or 'sometimes' (use it for
+     sensitive pages that include passwords like login and registration,
+     but not for regular pages). Default to 'never'.
+sslserver: use an alternate server name for SSL URLs, like
+           'secure.example.org'. You should be careful to set cookie
+           parameters correctly so that both the SSL server and the
+           "normal" server can access the session cookie and
+           preferably other cookies as well.
 
 db
 --
diff --git a/config.php.sample b/config.php.sample
index 529e86f15..d62a54fe7 100644
--- a/config.php.sample
+++ b/config.php.sample
@@ -174,3 +174,13 @@ $config['sphinx']['port'] = 3312;
 #http://taguri.org/ Examples:
 #$config['integration']['taguri'] = 'example.net,2008';
 #$config['integration']['taguri'] = 'admin@example.net,2009-03-09'
+
+#Don't use SSL
+#$config['site']['ssl'] = 'never';
+#Use SSL only for sensitive pages (like login, password change)
+#$config['site']['ssl'] = 'sometimes';
+#Use SSL for all pages
+#$config['site']['ssl'] = 'always';
+
+#Use a different hostname for SSL-encrypted pages
+#$config['site']['sslserver'] = 'secure.example.org';
diff --git a/lib/common.php b/lib/common.php
index 1ca9e521b..d9d0ab277 100644
--- a/lib/common.php
+++ b/lib/common.php
@@ -87,6 +87,8 @@ $config =
               'closed' => false,
               'inviteonly' => false,
               'private' => false,
+              'ssl' => 'never',
+              'sslserver' => null,
               'dupelimit' => 60), # default for same person saying the same thing
         'syslog' =>
         array('appname' => 'laconica', # for syslog
diff --git a/lib/util.php b/lib/util.php
index a43666fa5..0a1137a77 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -713,25 +713,46 @@ function common_relative_profile($sender, $nickname, $dt=null)
 
 function common_local_url($action, $args=null, $params=null, $fragment=null)
 {
+    static $sensitive = array('login', 'register', 'passwordsettings',
+                              'twittersettings', 'finishopenidlogin',
+                              'api');
+
     $r = Router::get();
     $path = $r->build($action, $args, $params, $fragment);
 
+    $ssl = in_array($action, $sensitive);
+
     if (common_config('site','fancy')) {
-        $url = common_path(mb_substr($path, 1));
+        $url = common_path(mb_substr($path, 1), $ssl);
     } else {
         if (mb_strpos($path, '/index.php') === 0) {
-            $url = common_path(mb_substr($path, 1));
+            $url = common_path(mb_substr($path, 1), $ssl);
         } else {
-            $url = common_path('index.php'.$path);
+            $url = common_path('index.php'.$path, $ssl);
         }
     }
     return $url;
 }
 
-function common_path($relative)
+function common_path($relative, $ssl=false)
 {
     $pathpart = (common_config('site', 'path')) ? common_config('site', 'path')."/" : '';
-    return "http://".common_config('site', 'server').'/'.$pathpart.$relative;
+
+    if (($ssl && (common_config('site', 'ssl') === 'sometimes'))
+        || common_config('site', 'ssl') === 'always') {
+        $proto = 'https';
+        if (is_string(common_config('site', 'sslserver')) &&
+            mb_strlen(common_config('site', 'sslserver')) > 0) {
+            $serverpart = common_config('site', 'sslserver');
+        } else {
+            $serverpart = common_config('site', 'server');
+        }
+    } else {
+        $proto = 'http';
+        $serverpart = common_config('site', 'server');
+    }
+
+    return $proto.'://'.$serverpart.'/'.$pathpart.$relative;
 }
 
 function common_date_string($dt)
-- 
cgit v1.2.3-54-g00ecf