On Wed, Jul 14, 1999, [EMAIL PROTECTED] wrote:
> I'm new to mod_ssl, and I have a question regarding the use of SSLRequire.
> I am using Apache 1.3.6, mod_ssl 2.3.5, and PHP 3.0.8 on Redhat Linux 6.0.
>
> I have looked through the manual, FAQ, the Howto, and tried searching
> through the mailing list archives but I haven't found a solution. I have a
> protected section on my website caled /protected. For local Intranet
> address, I would like to be able to get access using normal HTTP. For
> Internet requests, HTTPS must be used. In effect, I would like:
>
> <Directory "/home/httpd/htdocs/protected">
> If REMOTE_ADDR =~ 192.168.0.*
> then Allow
> else SSLRequireSSL
> </Directory>
>
> Looking at the example httpd.conf, I came up with this:
>
> <Directory "/home/httpd/htdocs/protected">
> SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
> or %{REMOTE_ADDR} =~ m/^192\.168\.0\.[0-9]{1,3}$/
> </Directory>
>
> It doesn't work, as anyone can get access using http://myhost/protected.
> Does anyone have any ideas, or can point me to some more reading.
Yes, SSLRequire is only used in SSL contexts, i.e. when SSL is enabled. But
you don't want this, of course. There are more than one possibility for you,
I think. You can try Apache's "Satisfy" with "deny"/"allow" plus
"SSLRequire". You can use a RewriteRule to do the blocking according to
REMOTE_ADDR, etc. I've currently less time to make a real decision which
solution would be best (I think the "Satisfy" solution should be it), so
please try to investigate yourself a little bit. When someone already known a
good solution let it me know: I'll send add it to the HowTo chapter of
mod_ssl's user manual.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
