On Tue, Dec 14, 1999, Blair Lowe wrote:
> I checked the 2.4 manual, and there was only a small bit on this but
> I was not sure if modssl supports this, or not.
>
> What I would like to do is have the ssl root directory different than
> the httpd root directory, whilst running only one apache instance.
>
> I am aware of the DocumentRoot directive for virtual hosts, but will
> this be enough security for the SSL area so that reg. http clients
> can't access this area?
>
> Anyone know if this can be done?
> Is this a bad idea?
No, using a <VirtualHosts> for HTTPS and there a different DocumentRoot is the
way to go. And as long as you don't have some broken RewriteRule's or other
URL mapping stuff in your HTTP config, no one should be able to fetch the
secure data via HTTP. Additionally you should apply SSLRequireSSL to your
HTTPS DocumentRoot to make sure that really HTTPS is required to access these
files.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
