>>>So, bottom line, it is not possible to have a virtual host accessible via
>>>http and require SSL for a part of it. Is that correct?

It's not really logical to want to segment out SSL-using and non-SSL-using
sections of a site within the server config; do this on the site itself in
the code. Here is what is commonly done, where I work anyway. 

In your apache config, specify the use of SSL for the entire site. The
certificate applies to the entire site anyway, since a certificate applies
to anything that falls under the fully qualified domain name (FQDN) on the
certificate.

In the ***code*** of your site, hardcode the URL for the sections that
need security to include "https" -- this sort of hardcoding (ie, using an
absolute path for the links instead of a relative one) is not "bad form"
since the URL should only be accessed using the FQDN anyway (ie, as long as
the value on the certificate doesn't change, neither would the single
correct URL).

In the links that lead *out* of the secured area of the site, use absolute
links that specify "http" rather than "https".

Also in the code, if anyone tries to access those sections without SSL,
rewrite the URL in their browser so that it includes the "https".

And finally, also in the code, for any sections that don't require SSL (and
where you don't want the performance impact of needless SSL traffic), test
to see if the URL entered by the user includes "https" -- if it does,
rewrite it to remove the "s".

This works well for us and is pretty straightforward to implement.

Regards,
S.


---
Shawn Syms | Team Lead, Systems Administration
Infinet Communications | [EMAIL PROTECTED]
---




-----Original Message-----
From: Nick Tonkin [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 3:58 PM
To: R. DuFresne
Cc: [EMAIL PROTECTED]
Subject: Re: securing one area of a vhost in apache 2


On Thu, 27 Feb 2003, R. DuFresne wrote:

>
> You gave this site its own IP address yes?

No. It is using NameVirtualHost.

>
> Virtual hosting with non-ssl works in a 'software' aware mode, while
> virtual hosting with ssl is more 'hardware' in nature requiring specific
> IP addressing to function properly.


Hmm. I must have missed this in the docos. Rechecking ...

Hm. Well, I see that I was on the wrong track with "How can I authenticate
my clients for a particular URL based on certificates but still allow
arbitrary clients to access the remaining parts of the server?" ... that
appears on closer inspection to deal with certificate-wielding clients ...

Hm.

So, bottom line, it is not possible to have a virtual host accessible via
http and require SSL for a part of it. Is that correct?

Thanks,

- nick

-- 

~~~~~~~~~~~~~~~~~~~~~
Nick Tonkin   {|8^)>
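
The scheme described in the reply at the top of this thread (absolute links plus scheme rewriting done in the site's code), as an added example that is not part of the original messages. The host name, the secure path prefixes and all function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumed values for illustration: the FQDN on the certificate and the
# path prefixes of the sections that require SSL.
CANONICAL_HOST = "www.example.com"
SECURE_PREFIXES = ("/account", "/checkout")


def needs_ssl(path):
    """True if path is a secure prefix or lies beneath one."""
    # Decide on the decoded, normalized path so "/%61ccount" or
    # "/news/../account" cannot slip past the prefix check.
    norm = "/" + posixpath.normpath(unquote(path or "/")).lstrip("/")
    return any(norm == p or norm.startswith(p + "/") for p in SECURE_PREFIXES)


def redirect_target(url):
    """Return the absolute URL to redirect to, or None if url is correct.

    Secure sections are forced to https and all others to http. The host is
    always the certificate's FQDN, never the one the client supplied.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    scheme = "https" if needs_ssl(path) else "http"
    if parts.scheme == scheme and parts.netloc.lower() == CANONICAL_HOST:
        return None
    return urlunsplit((scheme, CANONICAL_HOST, path, parts.query, ""))


def absolute_link(path):
    """Hardcoded absolute link for a page, as the site's templates would emit."""
    scheme = "https" if needs_ssl(path) else "http"
    return f"{scheme}://{CANONICAL_HOST}{path}"


if __name__ == "__main__":
    # Constructed sample requests.
    for u in ("http://www.example.com/account/login?next=/home",
              "https://www.example.com/news/",
              "https://www.example.com/checkout",
              "http://www.example.com/accounting"):
        print(u, "->", redirect_target(u))
```

Matching on whole path segments keeps `/accounting` out of the `/account` section, and the query string is carried over unchanged on redirect.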

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]