https://issues.apache.org/bugzilla/show_bug.cgi?id=45801
Stefan Fritsch <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |normal

--- Comment #5 from Stefan Fritsch <[email protected]> 2012-02-03 09:55:53 UTC ---
I think the bug here is that ssl_hook_Access runs as APR_HOOK_MIDDLE while it
should run at APR_HOOK_FIRST (or even REALLYFIRST). ssl_hook_Access provides
information (in the ssl-access-forbidden request note) that is used later by
other hooks if StrictRequire is set. Therefore it is important that
ssl_hook_Access is always run.

Another example: With this test config:

    SSLOptions +StrictRequire
    <Directory /opt/apache22/htdocs/test/strictrequire>
        AuthBasicProvider file
        AuthName "strict require test"
        AuthType basic
        AuthUserFile conf/users
        Require user admin
        Satisfy any
        Deny from all
        allow from 10.56.51.0/24
        SSLRequire %{HTTP_REFERER} == "foo"
    </Directory>

If I make a request where neither SSLRequire nor the IP restriction is
fulfilled, it depends on the load order of mod_ssl and mod_authz_host if I get
a "Forbidden" or an "Authorization Required". Different behavior depending on
the load order is always a bug, IMHO.

SSLRequire and SSLRequireSSL are equivalent with respect to this bug because
they are both checked in ssl_hook_Access.
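
The following is an added illustration, not httpd or mod_ssl source and not part of the bug report: a simplified C model of the load-order dependence described in the comment above. It assumes that the access hooks stop at the first result other than OK/DECLINED, that hooks with equal order run in module load order, and that the request carries no credentials; all function and type names are hypothetical.

```c
#include <stdio.h>

/* Status and hook-order constants use httpd/APR values; the rest is a model. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401
#define HTTP_FORBIDDEN 403
#define APR_HOOK_FIRST 0
#define APR_HOOK_MIDDLE 10

typedef struct { int ssl_access_forbidden; } request; /* stands in for the request note */
typedef int (*hook_fn)(request *);
typedef struct { hook_fn fn; int order; } hook;

/* Constructed request: the IP restriction and SSLRequire both fail. */
static int authz_host_access(request *r) { (void)r; return HTTP_FORBIDDEN; }
static int ssl_access(request *r) { r->ssl_access_forbidden = 1; return HTTP_FORBIDDEN; }

/* Access hooks run in order; the first result other than OK/DECLINED ends the run. */
static int run_access_checker(hook *h, int n, request *r) {
    for (int i = 1; i < n; i++) {          /* stable sort: ties keep load order */
        hook k = h[i];
        int j = i - 1;
        while (j >= 0 && h[j].order > k.order) { h[j + 1] = h[j]; j--; }
        h[j + 1] = k;
    }
    for (int i = 0; i < n; i++) {
        int rv = h[i].fn(r);
        if (rv != OK && rv != DECLINED) return rv;
    }
    return OK;
}

/* Satisfy any + StrictRequire: a failed access check falls through to
 * authentication, and only a set note turns that into a hard 403. */
int final_status(int ssl_loaded_first, int ssl_order) {
    hook ssl = { ssl_access, ssl_order }, host = { authz_host_access, APR_HOOK_MIDDLE };
    hook h[2];
    request r = { 0 };
    h[0] = ssl_loaded_first ? ssl : host;
    h[1] = ssl_loaded_first ? host : ssl;
    if (run_access_checker(h, 2, &r) == OK) return OK;
    return r.ssl_access_forbidden ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED;
}

int main(void) {
    printf("MIDDLE, mod_ssl first: %d\n", final_status(1, APR_HOOK_MIDDLE));
    printf("MIDDLE, authz_host first: %d\n", final_status(0, APR_HOOK_MIDDLE));
    printf("FIRST, authz_host first: %d\n", final_status(0, APR_HOOK_FIRST));
    return 0;
}
```

In the model, the 403/401 split appears only when both hooks share APR_HOOK_MIDDLE; registering the mod_ssl hook at APR_HOOK_FIRST makes the result independent of load order.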
