See SSLRequireSSL Directive at http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslrequiressl
Description: Deny access when SSL is not used for the HTTP request
Thank you!
Now, this is really dumb. I went to look at my httpd.conf and I see that SSL is not included in the conf as it was in apache 1.3! So while I had an SSL virtual host in 1.3 I don't have it in 2.0. Now I'm really confused.
Ken
This was not in my earlier reply, so I may have a misconfiguration myself. The combination of the "Listen 443" without a "Listen 80" and "<VirtualHost myhost.yourcompany.com:443>" and the SSLRequireSSL Directive will force the use of ssl. Additional directives are needed to make it work as described at
mod_ssl User Manual
http://www.modssl.org/docs/2.8/
How To in User Manual
http://www.modssl.org/docs/2.8/ssl_howto.html
Unfortunately, much of the documentation covers everything but the simpler case of just making a server require ssl.
Best I can find in the docs is (http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html):
httpd.conf
    SSLCACertificateFile conf/ssl.crt/company-ca.crt

    <Directory /usr/local/apache2/htdocs>
    # Outside the subarea only Intranet access is granted
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
    </Directory>

    <Directory /usr/local/apache2/htdocs/subarea>
    # Inside the subarea any Intranet access is allowed
    # but from the Internet only HTTPS + Strong-Cipher + Password
    # or the alternative HTTPS + Strong-Cipher + Client-Certificate

    # If HTTPS is used, make sure a strong cipher is used.
    # Additionally allow client certs as alternative to basic auth.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +FakeBasicAuth +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    # Force clients from the Internet to use HTTPS
    RewriteEngine on
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
    RewriteCond %{HTTPS} !=on
    RewriteRule .* - [F]

    # Allow Network Access and/or Basic Auth
    Satisfy any

    # Network Access Control
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    # HTTP Basic Authentication
    AuthType basic
    AuthName "Protected Intranet Area"
    AuthUserFile conf/protected.passwd
    Require valid-user
    </Directory>

Change "/usr/local/apache2/htdocs/subarea" to the directory you want protected and eliminate the <Directory /usr/local/apache2/htdocs> section.
Hope this helps you out. There is a lot to it.
Chuck
-----Original Message-----
From: kloomis [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 24, 2004 6:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Mac users bypass SSL
At 03:54 PM 9/24/2004 -0700, you wrote:
kloomis wrote:
At 11:31 PM 9/23/2004 -0700, you wrote:
kloomis wrote:

Hello: I am using SSL with Apache 2.0 to run a "secure" website. The problem I have is that Mac users using Internet Explorer open the site without encryption. They access it via an https:\\ address but they don't get asked to accept a security certificate and the site opens for them. PC users are required to accept the certificate before they get access. How can I fix this.

It's not clear to me why you think this is a problem. If there is some reason they should be required to accept the security certificate, and they aren't being required to, then it's a problem.

Thanks for your reply. Yes, they should not be able to access the data without encrypted transmission. Is there a way for me to require it?

We're talking past each other here. I am talking about whether or not they have to accept a security certificate. You are talking about whether or not they must use SSL.

Are you saying that people are able to supply an 'https' URL and connect without using SSL?! That would be a problem.

Yes. That is what is happening.

But this has nothing to do with whether you do or don't have to accept a certificate. Normally you only have to manually accept a certificate if the certificate is deficient in some way.

It's a self signed cert, that's why they have to accept it. I want to restrict users only to access the site via SSL. Do you know how to make that happen?
Ken
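
The simpler case discussed in this thread (an SSL-only server built from "Listen 443" without "Listen 80", a :443 virtual host and SSLRequireSSL), written out as an added example that is not part of the original messages or of the Apache documentation. The hostname is the one used in the thread; the module path, document root and certificate file names are assumptions to replace with your own.

```apache
# Added example: placeholder paths and file names, adjust to your install.

# mod_ssl must be loaded, otherwise every SSL* directive below is rejected
# as an unknown directive at startup.
LoadModule ssl_module modules/mod_ssl.so

# Open only the HTTPS port. With no "Listen 80" there is no plain-HTTP
# listener for a client to fall back to.
Listen 443

<VirtualHost myhost.yourcompany.com:443>
    ServerName   myhost.yourcompany.com
    DocumentRoot /usr/local/apache2/htdocs

    # Enable the SSL/TLS engine for this virtual host and point it at the
    # server certificate and private key (file names are assumptions).
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key

    <Directory /usr/local/apache2/htdocs>
        # Deny any request for this directory that did not arrive over SSL.
        SSLRequireSSL

        # Keep that denial in force even where "Satisfy any" is configured,
        # so another access rule cannot override the SSL requirement.
        SSLOptions +StrictRequire

        # Basic access rule in the Apache 2.0 syntax used in this thread.
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Run "apachectl configtest" after editing to confirm the file parses before restarting the server.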