Apache::ASP definitely works fine under Apache with SSL; we use it
with SSL and without SSL with no problems.
The problem is almost certainly a matter of configuration. I have
found the httpd.conf file to be a bit confusing in that it has a
IfDefine (or similar) section around the SSL definitions and my
Apache::ASP config options were _outside_ that SSL section, therefore
it didn't pick them up.
Here is the section (more or less) from the httpd.conf we use:
## SSL Virtual Host Context
##
<VirtualHost 192.168.0.1:443>
ServerName secure.mysite.com
DocumentRoot /data/secure.mysite.com/public_html
ErrorLog /data/secure.mysite.com/log/error-secure.log
TransferLog /data/secure.mysite.com/log/access-secure.log
SSLCertificateFile /etc/ssl/certs/cert1.txt
SSLCertificateKeyFile /etc/ssl/private/secure.mysite.com.key
SSLEngine on
<Directory /data/secure.mysite.com/public_html/ >
<Files ~ (\.asp)>
SetHandler perl-script
PerlHandler Apache::ASP
PerlSetVar UseStrict 1
#PerlSetVar Debug 1
PerlSetVar Debug 2
# ... normal asp config stuff
</Files>
</Directory>
>I think that can be a security issue that a script that
>it's meant to work using the HTTP protocol can be seen as source code using
HTTPS, even though the debug directive is set correctly.
Debug really isn't the issue here.
If a web server has no extra definition for a file type, the process goes:
- someone requested file "blah.asp"
- Q: does Apache have any special options for .asp files in that
directory under that vhost?
- A: No
- ok, just return the file as-is (ie source)
But with the appropriate options:
- someone requested file "blah.asp"
- Q: does Apache have any special options for .asp files in that
directory under that vhost?
- A: Yes, send it to apache::asp
- ah, ok, sending to asp...
- got output from asp
- returning the ASP output to the caller
Any web server, if incorrectly configured, could potentially return
the source of the file rather than passing it to (say) Apache::ASP
for processing first.
The good news is that once the configuration is going you're set and
don't have to worry about it.
I don't personally like using .htaccess (you used two t's; a typo?)
as I like to see all declarations in a sequence in the one file - my
brain can't handle too many separate files!
Work through the httpd.conf and any .htaccess files and 'parse' it
like Apache would; its a configuration issue for sure
Ellers
>Philip,
>
>Thanks for your input. The virtual server is the same listening on por 80
>and 443 respectively, I've looked at the documentation and I can't find,
>clearly, what directives I need to use. I'm using .httaccess to set the
>namespace options. I'll appreciate any directions about what directives I
>need to use. Still, I think that can be a security issue that a script that
>it's meant to work using the HTTP protocol can be seen as source code using
>HTTPS, even though the debug directive is set correctly.
>
>Thanks for your help!
>
>
>
>--------------------------
>Fernando I. Munoz
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
