On 2001.03.09 03:28 Owen Boyle wrote:
> There are many ways to control access and the override rules can get a
> bit complicated. I suspect your SSLRequireSSL is being overridden by a
> later directive in the non-SSL Vhosts or in a .htaccess file...
Nope, that wasn't the case at all.
> The sanest way to use SSLRequireSSL is inside a <Directory> block which
> is itself inside the SSL <VirtualHost>, e.g.
>
> <VirtualHost _default_:443>
> ...
> <Directory /home/www/secure>
> SSLRequireSSL
> ...
> </Directory>
> </VirtualHost>
Yep, that's exactly what I had done.
> By the way, SSLRequireSSL is really a redundant directive. Its effect
> (preventing non-SSL access to SSL directories) can be achieved by
> separating your SSL and non-SSL content so there is no way into the SSL
> directory from the non-SSL document root, i.e. don't put the SSL
> directory under the main html tree.
Unfortunately, in my case, I am adding SSL to an already existing web
application, so the secure and non-secure portions couldn't easily be separated
without a significant recontructions of the site. A few Redirect directives
under a virtual host acheived what I wanted, though.
-- Brett
http://www.chapelperilous.net/~bmccoy/
------------------------------------------------------------------------
Did you know that clones never use mirrors?
-- Ambrose Bierce, "The Devil's Dictionary"
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
