Pardon my *stupidity* but when you say _default_:443
you really mean whatever the IP address is or
virtual domain name like "www.mydomain.com" - right?

<VirtualHost _default_:443>
  ...
  <Directory /home/www/secure>    
    SSLRequireSSL
    ...
  </Directory>
</VirtualHost>

-----Original Message-----
From: Owen Boyle [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 09, 2001 2:29 AM
To: [EMAIL PROTECTED]
Subject: Re: SSLRequireSSL


"Brett W. McCoy" wrote:
> 
> Maybe I am missing something about the use of SSLRequireSSL, but I am
> trying to control access to a directory so that only connections using SSL
> to that directory can be made.  But no matter what directory I use that
> directive in, non-SSL connections can still connect to anything in that
> directory.

There are many ways to control access and the override rules can get a
bit complicated. I suspect your SSLRequireSSL is being overridden by a
later directive in the non-SSL Vhosts or in a .htaccess file...

The sanest way to use SSLRequireSSL is inside a <Directory> block which
is itself inside the SSL <VirtualHost>, e.g.

<VirtualHost _default_:443>
  ...
  <Directory /home/www/secure>    
    SSLRequireSSL
    ...
  </Directory>
</VirtualHost>
 
i.e. don't stick the directory definition at server level.

By the way, SSLRequireSSL is really a redundant directive. Its effect
(preventing non-SSL access to SSL directories) can be achieved by
separating your SSL and non-SSL content so there is no way into the SSL
directory from the non-SSL document root, i.e. don't put the SSL
directory under the main html tree.

Example:

# NON-SSL Vhost
<VirtualHost _default_:80>
  DocumentRoot /home/www/html   
  ...
</VirtualHost>

# SSL Vhost
<VirtualHost _default_:443>
  DocumentRoot /home/www/secure  
  ...
</VirtualHost>

Now it is impossible to get into /home/www/secure from the non-SSL
Vhost.

Rgds,

Owen Boyle.

PS When I say SSLRequireSSL is a redundant directive, I'm talking from a
mathematical viewpoint. From a practical point-of-view it is very useful
and I wouldn't do without it!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
______________________________________________________________________
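As an added example (not from the original thread, and not Brett's or Owen's configuration), here is a complete pair of vhosts for a current Apache 2.4 with mod_ssl that combines both ideas discussed above: separate DocumentRoots so the plain-HTTP vhost has no path into the secure tree, and SSLRequireSSL inside a <Directory> that lives inside the :443 vhost rather than at server level. The hostname, the certificate and key paths, and the optional Redirect are assumptions for illustration. Two points worth knowing when reading it: `_default_` in `<VirtualHost _default_:443>` means "any address on this port not claimed by a more specific VirtualHost", not a hostname; and a <Directory> section declared inside one VirtualHost governs only requests that vhost handles, so by itself it says nothing about what the :80 vhost will serve, which is why the separate DocumentRoot does the real work and SSLRequireSSL is the belt-and-braces.

```apache
# Added example, not from the original post. Hostname, certificate and
# key paths are assumptions; Apache 2.4 access-control syntax is used.

Listen 80
Listen 443

# Plain-HTTP vhost. Its DocumentRoot does not contain the secure tree,
# so there is no way from here into /home/www/secure.
<VirtualHost _default_:80>
    ServerName www.example.com
    DocumentRoot /home/www/html

    # Optional convenience: send requests for the protected area over to
    # HTTPS instead of letting them fall through to a 404.
    Redirect permanent /secure https://www.example.com/secure
</VirtualHost>

# SSL vhost. Its own DocumentRoot, plus SSLRequireSSL inside a
# <Directory> block that sits inside this vhost, not at server level.
<VirtualHost _default_:443>
    ServerName www.example.com
    DocumentRoot /home/www/secure

    SSLEngine on
    # Assumed paths; point these at your real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    <Directory /home/www/secure>
        # Refuse any request for this tree that did not arrive over SSL
        # (answered with 403 Forbidden).
        SSLRequireSSL
        # Keep .htaccess files from loosening anything set here.
        AllowOverride None
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
```

With this in place a plain-HTTP request for http://www.example.com/secure/ is redirected (or, without the Redirect line, gets a 404, since nothing under /home/www/html matches), and any non-SSL request that somehow did reach a file under /home/www/secure is refused with 403 Forbidden by SSLRequireSSL. A quick check from the command line is `curl -I http://www.example.com/secure/` against `curl -I https://www.example.com/secure/`: only the second should return 200.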
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to