| Description: | Deny access when SSL is not used for the HTTP request |
|---|---|
This was not in my earlier reply, so I may have a misconfiguration myself. The combination of the "Listen 443" without a "Listen 80" and "<VirtualHost myhost.yourcompany.com:443>" and the SSLRequireSSL directive will force the use of SSL. Additional directives are needed to make it work as described at:
mod_ssl User Manual
How To in User Manual
Unfortunately, much of the documentation covers everything but the simpler case of just making a server require SSL. Best I can find in the docs is (http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html):
httpd.conf

SSLCACertificateFile conf/ssl.crt/company-ca.crt

<Directory /usr/local/apache2/htdocs>
    # Outside the subarea only Intranet access is granted
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>

<Directory /usr/local/apache2/htdocs/subarea>
    # Inside the subarea any Intranet access is allowed
    # but from the Internet only HTTPS + Strong-Cipher + Password
    # or the alternative HTTPS + Strong-Cipher + Client-Certificate

    # If HTTPS is used, make sure a strong cipher is used.
    # Additionally allow client certs as alternative to basic auth.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +FakeBasicAuth +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    # Force clients from the Internet to use HTTPS
    RewriteEngine on
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
    RewriteCond %{HTTPS} !=on
    RewriteRule .* - [F]

    # Allow Network Access and/or Basic Auth
    Satisfy any

    # Network Access Control
    Order deny,allow
    Deny from all
    # "Allow" requires the "from" keyword; the docs snippet as quoted omitted it
    Allow from 192.168.1.0/24

    # HTTP Basic Authentication
    AuthType basic
    AuthName "Protected Intranet Area"
    AuthUserFile conf/protected.passwd
    Require valid-user
</Directory>
Change "/usr/local/apache2/htdocs/subarea" to the directory you want protected and eliminate the <Directory /usr/local/apache2/htdocs> section.
Hope this helps you out. There is a lot to it.

Chuck
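The simpler case Chuck describes (Listen 443 only, a :443 VirtualHost, SSLRequireSSL), written out as an added example for this thread; it is not from Chuck's message or the Apache docs. The certificate paths, ServerName/DocumentRoot and the optional port-80 redirect block are assumptions, and the syntax is Apache 2.0-era (Order/Allow).

```apache
# No "Listen 80": there is no plaintext listener for a browser to fall back to.
Listen 443

<VirtualHost myhost.yourcompany.com:443>
    ServerName   myhost.yourcompany.com
    DocumentRoot /usr/local/apache2/htdocs

    # "Listen 443" only picks the port; SSLEngine on is what makes this
    # listener speak SSL. Without it port 443 would serve plaintext HTTP.
    SSLEngine on
    # Assumed paths: point these at the server cert and key actually in use.
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key

    <Directory /usr/local/apache2/htdocs>
        # Defence in depth: any request that did not arrive over SSL
        # (for example via a stray non-SSL vhost) gets 403 Forbidden.
        SSLRequireSSL
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Optional: if port 80 must stay open so users who type a bare hostname
# still reach the site, bounce everything to the HTTPS URL instead of
# serving content. SSLRequireSSL above still refuses plaintext content.
Listen 80
<VirtualHost *:80>
    ServerName myhost.yourcompany.com
    Redirect permanent / https://myhost.yourcompany.com/
</VirtualHost>
```

After restarting, a quick check is that an http:// URL to the host either fails to connect (no Listen 80) or returns a 301 to https://, and that the https:// URL prompts for the certificate in every browser.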
-----Original Message-----
From: kloomis [mailto:[EMAIL PROTECTED]
Sent: Friday, September 24, 2004 6:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac users bypass SSL

At 03:54 PM 9/24/2004 -0700, you wrote:
kloomis wrote:
At 11:31 PM 9/23/2004 -0700, you wrote:
kloomis wrote:
Hello:
I am using SSL with Apache 2.0 to run a "secure" website. The problem I have is that Mac users using Internet Explorer open the site without encryption. They access it via an https:// address but they don't get asked to accept a security certificate and the site opens for them. PC users are required to accept the certificate before they get access.
How can I fix this?
It's not clear to me why you think this is a problem. If there is some reason they should be required to accept the security certificate, and they aren't being required to, then it's a problem.
Thanks for your reply.
Yes, they should not be able to access the data without encrypted transmission. Is there a way for me to require it?
We're talking past each other here. I am talking about whether or not they have to accept a security certificate. You are talking about whether or not they must use SSL. Are you saying that people are able to supply an 'https' URL and connect without using SSL?! That would be a problem.
Yes. That is what is happening.
But this has nothing to do with whether you do or don't have to accept a certificate. Normally you only have to manually accept a certificate if the certificate is deficient in some way.
It's a self-signed cert, that's why they have to accept it. I want to restrict users only to access the site via SSL. Do you know how to make that happen?
Ken