I seem to have accidentally circumvented the SSLRequireSSL directive. Here's what my .htaccess file looks like:

    SSLRequireSSL
    DirectoryIndex index.wp2
    AddHandler cgi-script .cgi
    Options +ExecCGI
    deny from all
    AuthType Basic
    AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
    AuthName "Administrative Pages"
    require valid-user
    satisfy any

(I obscured the AuthUserFile path here.)

My .htaccess file is being parsed and used. And if I try to fetch a page in the admin area, I get this logged:

    [Tue Jun 4 15:46:03 2002] [error] access to /yadda/yadda/path/to/site/root/admin/index.wp2 failed for 206.228.191.21, reason: SSL connection required

BUT, I still get the page in the browser! Weird. I can reload it, punch in the URL for a new page (which isn't cached), etc. I tried this on a couple different client computers to be sure.

Now, I can get the expected result if I comment out the 'deny from all' and 'satisfy any' lines. So, I'm OK now. Logs look right, and the browser is refused on port 80 for the admin area, as expected.

I thought it was odd, though, that it simply isn't enough to use the SSLRequireSSL line for working logging and authentication. There seems to be some interaction happening between SSLRequireSSL and the auth configs. The doc says this on SSLRequireSSL:

"SSLRequireSSL - This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL."

But, of course, this is not true under some configuration conditions. Still, the documentation mentioned that this is particularly helpful for 'defending against configuration errors'.

BTW- I originally put in the 'deny from all' and 'satisfy any' lines because I had another line 'allow from .my-domain.com' in between them at one point. Which makes me wonder, what would I do if I wanted to put it back in?

Anyways, I thought I would mention it because I didn't see anything else on this inconsistency in the mail list or anywhere else for that matter. I'm using Apache-1.3.24 with mod_ssl-2.8.8.

Phil

--
Philip Edelbrock -- IS Manager -- Edge Design, Corvallis, OR
[EMAIL PROTECTED] -- http://www.netroedge.com/~phil
PGP F16: 01 D2 FD 01 B5 46 F4 F0 3A 8B 9D 7E 14 7F FB 7A
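
Added example, not part of the original post: mod_ssl's SSLOptions +StrictRequire makes a denial from SSLRequireSSL final even under 'satisfy any', which is the combination needed to put the 'allow from .my-domain.com' line back in. The explicit 'order deny,allow' line is an addition for clarity (it is the Apache 1.3 default); every other directive is taken from the posted .htaccess.

```apache
# Added example; not the poster's or the mod_ssl project's own configuration.
#
# BEFORE (as posted): "satisfy any" grants the request when EITHER the
# host-based access stage OR the Basic auth stage passes. SSLRequireSSL
# fails in the access stage, which is why the error is logged, but a valid
# login still satisfies the request, so the page is served over plain HTTP.
#
#   SSLRequireSSL
#   deny from all
#   AuthType Basic
#   AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
#   AuthName "Administrative Pages"
#   require valid-user
#   satisfy any

# AFTER: StrictRequire forces "forbidden" once SSLRequireSSL has decided to
# deny, so "satisfy any" can no longer override it.
# In .htaccess, SSLOptions needs "AllowOverride Options" (already required
# for the "Options +ExecCGI" line) and SSLRequireSSL needs "AuthConfig".
SSLOptions +StrictRequire
SSLRequireSSL

DirectoryIndex index.wp2
AddHandler cgi-script .cgi
Options +ExecCGI

# Host-based stage: trusted domain passes, everyone else falls through
# to the auth stage below.
order deny,allow
deny from all
allow from .my-domain.com

# Auth stage: any valid user in the password file.
AuthType Basic
AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
AuthName "Administrative Pages"
require valid-user

# Either stage is sufficient, but only over HTTPS because of StrictRequire.
satisfy any
```

To check the result, request an admin page over port 80 from both an allowed host and with valid credentials; both should be refused with the "SSL connection required" error logged, while the same requests over HTTPS succeed.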