It is a massively BAD idea to have a secure directory as a subdirectory of
an insecure one. It's better to have separate document roots. From looking
at your configuration, "order deny,allow" and "allow from all" is missing a
deny line, which should come first. What you are doing by these two lines is
allowing everyone in.

Try removing them, and use "Location" instead of Directory in the higher
directory, e.g.

<LocationMatch "/">
    Order deny,allow
    Deny from all
    Allow from internal.subnet.
    AuthType Basic
    AuthName "Secret site"
    AuthDBUserFile /path/to/dbuserfile
    require valid-user
    satisfy any
</LocationMatch>

Location used as above will match any file in any subdirectory, regardless
of whether they are delivered by SSL or not. 

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
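To make the difference between the two blocks above concrete, here is an added example (not from either poster) that models the Apache 1.3/2.2 Order/Deny/Allow evaluation plus Satisfy and runs both configurations against sample client addresses; the subnet 10.1.0.0/16 and the test addresses are constructed stand-ins for "internal.subnet.".

```python
import ipaddress

# Small model of Apache host access control (Order / Deny from / Allow from)
# combined with Satisfy, written to illustrate the two configs in this thread.
# The subnet 10.1.0.0/16 is a constructed stand-in for "internal.subnet.".


def host_allowed(order, deny, allow, client_ip):
    """Apply 'Order deny,allow' or 'Order allow,deny' to one client address."""
    ip = ipaddress.ip_address(client_ip)

    def matches(rules):
        return any(r == "all" or ip in ipaddress.ip_network(r) for r in rules)

    if order == "deny,allow":
        # Deny rules are evaluated first, Allow rules override them,
        # and a client matching neither is ALLOWED by default.
        return True if matches(allow) else not matches(deny)
    if order == "allow,deny":
        # Allow rules first, Deny rules override them, default is DENY.
        return matches(allow) and not matches(deny)
    raise ValueError("unknown Order: %s" % order)


def access_granted(cfg, client_ip, valid_user):
    """Combine the host check with 'require valid-user' under Satisfy."""
    host_ok = host_allowed(cfg["order"], cfg["deny"], cfg["allow"], client_ip)
    auth_ok = valid_user if cfg["require_valid_user"] else True
    if cfg["satisfy"] == "any":
        return host_ok or auth_ok       # either condition is enough
    return host_ok and auth_ok          # Satisfy all (the default)


# Only the directives visible in the posted <Directory> block: with no Deny
# line, "Order deny,allow" + "Allow from all" passes every client address.
POSTED = {"order": "deny,allow", "deny": [], "allow": ["all"],
          "require_valid_user": False, "satisfy": "all"}

# The suggested <LocationMatch> block: deny everyone, allow the internal
# subnet, and let a valid user in from anywhere via "Satisfy any".
SUGGESTED = {"order": "deny,allow", "deny": ["all"], "allow": ["10.1.0.0/16"],
             "require_valid_user": True, "satisfy": "any"}

if __name__ == "__main__":
    for ip, user in [("10.1.4.7", False), ("203.0.113.5", False),
                     ("203.0.113.5", True)]:
        print(ip, "auth" if user else "anon",
              "posted-host-check:", host_allowed("deny,allow", [], ["all"], ip),
              "suggested:", access_granted(SUGGESTED, ip, user))
```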


> -----Original Message-----
> From: Penny Rand [mailto:[EMAIL PROTECTED]]
> Sent: 18 January 2001 02:42
> To: Modssl-Users
> Subject: SSL site is available
> 
> 
> 
> If a user uses the link http://site.com/ssl_site
> 
> they are able to access my "secure site" this in spite of the 
> fact that the
> secure directory requires authentication (that is bypassed too!)
> 
> my configuration includes
> 
> <Directory "/web/empweb">
>         Options Indexes FollowSymlinks
>         AllowOverride AuthConfig
>         order deny,allow
>         allow from all
>         SSLRequireSSL
> </Directory>
> 
> the main directory, web, is the public document root, the 
> empweb requires
> passphrase and is supposed to be served on 443.
> 
> I'm using
> 
> SSLPassPhraseDialog  builtin
> 
> any thoughts or ideas?
> thanks,
> Penny
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> 