Dealing with HTTP content in HTTPS pages


Question

We have a site which is accessed entirely over HTTPS, but sometimes display external content which is HTTP (images from RSS feeds, mainly). The vast majority of our users are also stuck on IE6.

I would ideally like to do both of the following:


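  • Prevent the IE warning message about insecure content (so that I can show something less intrusive, e.g. by replacing the images with a default icon as below)

  • Present something useful to users in place of the images that they can't otherwise see; if there were some JS I could run to work out which images haven't been loaded and replace them with an image of ours instead, that would be great.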

I suspect that the first aim is simply not possible, but the second may be sufficient.

A worst case scenario is that I parse the RSS feeds when we import them, grab the images and store them locally so that the users can access them that way, but it seems like a lot of pain for reasonably little gain.

Recommended answer

Your worst case scenario isn't as bad as you think.

You are already parsing the RSS feed, so you already have the image URLs. Say you have an image URL like http://otherdomain.com/someimage.jpg. You rewrite this URL as https://mydomain.com/imageserver?url=http://otherdomain.com/someimage.jpg&hash=abcdeafad. This way, the browser always makes the request over https, so you get rid of the problems.

The next part - create a proxy page or servlet that does the following -


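  1. Reads the url parameter from the query string, and verifies the hash

  2. Downloads the image from the server, and proxies it back to the browser

  3. Optionally, caches the image on disk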

This solution has some advantages. You don't have to download the image at the time of creating the html. You don't have to store the images locally. Also, you are stateless; the url contains all the information necessary to serve the image.

Finally, the hash parameter is for security; you only want your servlet to serve images for urls you have constructed. So, when you create the url, compute md5(image_url + secret_key) and append it as the hash parameter. Before you serve the request, recompute the hash and compare it to what was passed to you. Since the secret_key is only known to you, nobody else can construct valid urls.

If you are developing in Java, the Servlet is just a few lines of code. You should be able to port the code below to any other back-end technology.

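/*
targetURL is the url you get from RSS feeds
request and response are wrt to the browser
Assumes you have commons-io and commons-httpclient 3.x in your classpath;
m_httpClient is an org.apache.commons.httpclient.HttpClient field of the servlet
*/
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.io.IOUtils;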

protected void proxyResponse (String targetURL, HttpServletRequest request,
 HttpServletResponse response) throws IOException {
    GetMethod get = new GetMethod(targetURL);
    get.setFollowRedirects(true);    
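    /*
     * Proxy the request headers from the browser to the target server.
     * Cookie, Authorization and Host belong to this site, so they are
     * not forwarded to the third-party server.
     */
    Enumeration headers = request.getHeaderNames();
    while(headers!=null && headers.hasMoreElements())
    {
        String headerName = (String)headers.nextElement();

        String headerValue = request.getHeader(headerName);

        if(headerValue != null
                && !headerName.equalsIgnoreCase("Cookie")
                && !headerName.equalsIgnoreCase("Authorization")
                && !headerName.equalsIgnoreCase("Host"))
        {
            get.addRequestHeader(headerName, headerValue);
        }
    }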

    /*Make a request to the target server*/
    m_httpClient.executeMethod(get);
    /*
     * Set the status code
     */
    response.setStatus(get.getStatusCode());

    /*
     * proxy the response headers to the browser, except Set-Cookie:
     * a third-party server must not set cookies on this site's domain
     */
    Header responseHeaders[] = get.getResponseHeaders();
    for(int i=0; i<responseHeaders.length; i++)
    {
        String headerName = responseHeaders[i].getName();
        String headerValue = responseHeaders[i].getValue();

        if(headerValue != null && !headerName.equalsIgnoreCase("Set-Cookie"))
        {
            response.addHeader(headerName, headerValue);
        }
    }

    /*
     * Proxy the response body to the browser
     */
    InputStream in = get.getResponseBodyAsStream();
    OutputStream out = response.getOutputStream();

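    /*
     * If the server sends a response with no body (204 No Content or
     * 304 Not Modified), the InputStream will be null.
     */
    if (in != null) {
        IOUtils.copy(in, out);
    }
    /* Return the connection to the HttpClient connection manager */
    get.releaseConnection();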
}
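
The hash step from the answer (build the signed URL when generating the page, verify it in the servlet before fetching), as an added example that is not part of the original answer. It uses HMAC-SHA256 with a constant-time comparison in place of the answer's md5(image_url + secret_key); the class name, method names, sample key and the scheme check are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedImageUrl {
    // Constructed sample key (assumption); load a long random secret from configuration.
    private static final byte[] SECRET_KEY =
            "constructed-sample-key".getBytes(StandardCharsets.UTF_8);

    /** Hex-encoded HMAC-SHA256 of the image URL under the server-side key. */
    static String sign(String imageUrl) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET_KEY, "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(imageUrl.getBytes(StandardCharsets.UTF_8))) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Page generation: rewrite a feed image URL into the signed HTTPS proxy URL. */
    static String proxyUrl(String imageUrl) throws Exception {
        return "https://mydomain.com/imageserver?url="
                + URLEncoder.encode(imageUrl, "UTF-8") + "&hash=" + sign(imageUrl);
    }

    /** Servlet side: url and hash are the decoded query parameters; check before fetching. */
    static boolean isValid(String url, String hash) throws Exception {
        if (url == null || hash == null) {
            return false;
        }
        // Constant-time comparison, so response timing does not reveal a partial match.
        boolean macOk = MessageDigest.isEqual(
                sign(url).getBytes(StandardCharsets.US_ASCII),
                hash.getBytes(StandardCharsets.US_ASCII));
        // Extra check (assumption, not in the answer): only plain web URLs are fetched.
        String lower = url.toLowerCase(Locale.ROOT);
        return macOk && (lower.startsWith("http://") || lower.startsWith("https://"));
    }

    public static void main(String[] args) throws Exception {
        String img = "http://otherdomain.com/someimage.jpg";
        System.out.println(proxyUrl(img));
        System.out.println(isValid(img, sign(img)));  // URL presented with its own MAC
        System.out.println(isValid("http://otherdomain.com/other.jpg", sign(img)));  // MAC reused
    }
}
```

In the servlet, proxyResponse would be called only when isValid returns true; otherwise the request is rejected without contacting the target server.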
