On 12 February 2001 17:35, [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] wrote:
> The switch is by appending https to your links instead of http. If you
> want, you can give both web servers the same document root. Haven't thought
> through completely, but I suppose you could have the logon screen be https
> explicitly, and all the other pages relative references, so once you've
> switched to https you would stay there. Seems full of holes though -

We utilise this method to allow users who are merely browsing to avoid
https, then have an explicit link to https://www.ourdomain.com/document when
needed.

We also use the SSLOptions RequireSSL config directive on specific
directories/jserv zones (e.g. CGI-BIN, Servlets) to enforce SSL where data
exchange is taking place.

Additionally, we even go as far as enforcing 128-bit connections only by
using a Perl script to dynamically redirect to the https part of the site
if they have 128-bit, or to a page containing upgrade links for those
without 128-bit encryption. (Use SSLOptions +StdEnvVars to make the
SSL environment variables available to the CGI namespace, and refer to
$ENV{"SSL_CIPHER_USEKEYSIZE"} in your Perl script to retrieve the value of
the encryption in use. NB: an SSL session must be ongoing for this to work,
of course.)

> someone could simply remove the "s" in https, backpage or any of a dozen
> other things. To be truly secure, I would have the two sites completely
> independent of each other.

This is the best way to go for sure - but if you correctly map your site by
placing all of the stuff requiring SSL in self-contained directories, you
can enforce SSL on those directories - which stops users dumb enough to
remove the 's' from 'https' from accessing files in that directory.

Hope this helps

regards
Earl

> -----Original Message-----
> From: Harald Falkenberg [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 05, 2001 3:00 PM
> To: [EMAIL PROTECTED]
> Subject: Automatic change from http to https when password is required
>
>
> Hi,
>
> is there a possibility to switch automatically from http to https as soon
> as a password is required to access a web page? The setup for the http and
> https server is identical.
>
> For any hints thank you in advance
> Harald
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
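
The key-size redirect described in the reply above, sketched as an added example that is not part of the original thread or Earl's actual script. It assumes SSLOptions +StdEnvVars is enabled for the CGI directory and that the script is requested over https; the URLs and the names choose_target and redirect are hypothetical.

```perl
#!/usr/bin/perl
# Added example: CGI gate that redirects on the SSL cipher key size.
# Assumes mod_ssl exports its variables to CGI (SSLOptions +StdEnvVars).
use strict;
use warnings;

# Hypothetical targets; replace with your own site's URLs.
my $SECURE_URL  = 'https://www.example.com/secure/';
my $UPGRADE_URL = 'http://www.example.com/upgrade.html';
my $MIN_BITS    = 128;

# Decide where to send the client from the environment mod_ssl provides.
sub choose_target {
    my ($env) = @_;
    my $bits = $env->{SSL_CIPHER_USEKEYSIZE};

    # No SSL session (plain http request, or StdEnvVars not enabled):
    # the variable is absent, so treat the request as failing the check.
    return $UPGRADE_URL unless defined $bits && $bits =~ /^\d+$/;

    # SSL_CIPHER_USEKEYSIZE is the number of key bits actually in use,
    # e.g. 40 for an export cipher even if the algorithm allows 128.
    return $bits >= $MIN_BITS ? $SECURE_URL : $UPGRADE_URL;
}

# Emit a CGI redirect response to the chosen URL.
sub redirect {
    my ($url) = @_;
    print "Status: 302 Found\r\n";
    print "Location: $url\r\n";
    print "Cache-Control: no-store\r\n\r\n";
}

# Run only when executed as a script, not when loaded by another file.
redirect(choose_target(\%ENV)) unless caller;
```

The redirect only steers the browser; a client can still request the protected URLs directly, so the server-side SSL requirement on those directories remains the actual control.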