On Tue, 4 Jun 2002 [EMAIL PROTECTED] wrote:

> SSLRequireSSL
> DirectoryIndex index.wp2
> AddHandler cgi-script .cgi
> Options +ExecCGI
> deny from all
> AuthType Basic
> AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
> AuthName "Administrative Pages"
> require valid-user
> satisfy any
>
> BUT, I still get the page in the browser! Weird. I can reload it,
> punch in the URL for a new page (which isn't cached), etc. I tried
> this on a couple different client computers to be sure.
> Now, I can get the expected result if I comment out the 'deny from
> all' and 'satisfy any' lines. So, I'm OK now. Logs look right, and
> the browser is refused on port 80 for the admin area, as expected.

That's not a bug, it's a feature. mod_ssl acts as an access checker for SSLRequireSSL just like both mod_access and mod_auth. "satisfy any" means that if any of the access checkers is satisfied, then access is allowed. Presumably your browser either has the password for mod_auth cached or you've typed it in again. In that case, mod_auth's "require valid-user" condition is satisfied, so access is granted. If mod_auth's requirement failed, access would still be granted as long as the connection was SSL. The "deny from all" is useless here since it can never be satisfied.

Bottom line: I don't think you should be using "satisfy any" given the configuration above.

--Cliff

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
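
The access-control part of the configuration discussed in this thread, shown beside two corrected forms, as an added example that is not part of either message. The `<Directory>` path and the `192.0.2.0/24` network are placeholders, and `SSLOptions +StrictRequire` is a mod_ssl option that the thread itself does not mention; the three blocks are alternatives, not one file.

```apache
# (A) As posted. With "Satisfy any" a valid password is enough on its
#     own, so the page is still served over plain HTTP on port 80 even
#     though SSLRequireSSL is present.
<Directory "/path/to/site/root/admin">
    SSLRequireSSL
    Deny from all
    AuthType Basic
    AuthName "Administrative Pages"
    AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
    Require valid-user
    Satisfy any
</Directory>

# (B) The change the original poster settled on: drop "Deny from all"
#     and "Satisfy any". The default is "Satisfy all", so the request
#     must arrive over SSL and carry valid credentials.
<Directory "/path/to/site/root/admin">
    SSLRequireSSL
    AuthType Basic
    AuthName "Administrative Pages"
    AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
    Require valid-user
</Directory>

# (C) When "Satisfy any" is really wanted (trusted network OR password),
#     +StrictRequire makes a denial from SSLRequireSSL final, so
#     "Satisfy any" can no longer override it on non-SSL connections.
<Directory "/path/to/site/root/admin">
    SSLOptions +StrictRequire
    SSLRequireSSL
    Order deny,allow
    Deny from all
    # Constructed example network
    Allow from 192.0.2.0/24
    AuthType Basic
    AuthName "Administrative Pages"
    AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
    Require valid-user
    Satisfy any
</Directory>
```

To check any variant, request the admin URL over plain HTTP with valid credentials: (A) serves the page, while (B) and (C) refuse it.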