Yeah, I zapped the 'satisfy any' and 'deny from all' which made the
server act as expected.  I think your explanation of the behavior is
correct. 

I'm still not understanding how this action is understandable from the
documentation for SSLRequireSSL, nor the fact that the logs are saying
'access failed' when clearly it hasn't?  The documentation and the
logging seem to state a strict enforcement, although it seems to not
be under some conditions.

Nor, out of curiosity, how I might configure it if I wanted some
logic like this:  SSL connection AND (password auth OR domain match) 

Thanks for the reply and explanation, btw!


Phil

On Tue, Jun 04, 2002 at 08:32:52PM -0400, Cliff Woolley wrote:
> On Tue, 4 Jun 2002 [EMAIL PROTECTED] wrote:
> 
> > SSLRequireSSL
> > DirectoryIndex index.wp2
> > AddHandler cgi-script .cgi
> > Options +ExecCGI
> > deny from all
> > AuthType Basic
> > AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
> > AuthName "Administrative Pages"
> > require valid-user
> > satisfy any
> >
> > BUT, I still get the page in the browser!  Weird.  I can reload it,
> > punch in the URL for a new page (which isn't cached), etc.  I tried
> > this on a couple different client computers to be sure.
> > Now, I can get the expected result if I comment out the 'deny from
> > all' and 'satisfy any' lines.  So, I'm OK now.  Logs look right, and
> > the browser is refused on port 80 for the admin area, as expected.
> 
> That's not a bug, it's a feature.  mod_ssl acts as an access checker for
> SSLRequireSSL just like both mod_access and mod_auth.  "satisfy any" means
> that if any of the access checkers is satisfied, then access is allowed.
> Presumably your browser either has the password for mod_auth cached or
> you've typed it in again.  In that case, mod_auth's "require valid-user"
> condition is satisfied, so access is granted.  If mod_auth's requirement
> failed, access would still be granted as long as the connection was SSL.
> The "deny from all" is useless here since it can never be satisfied.
> 
> Bottom line: I don't think you should be using "satisfy any" given the
> configuration above.
> 
> --Cliff

-- 
Philip Edelbrock -- IS Manager -- Edge Design, Corvallis, OR
   [EMAIL PROTECTED] -- http://www.netroedge.com/~phil
 PGP F16: 01 D2 FD 01 B5 46 F4 F0  3A 8B 9D 7E 14 7F FB 7A
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
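
Added example, not part of the original thread or the mod_ssl project's own configuration: the setup discussed above next to one way to get "SSL connection AND (password auth OR domain match)", using mod_ssl's `SSLOptions +StrictRequire` so that a failed SSLRequireSSL check cannot be overridden by "Satisfy any". The directory paths and `.example.com` are placeholders; the syntax is the Apache 1.3/2.0-era access control used in the thread.

```apache
# Behaviour described in the thread: under "Satisfy any", SSLRequireSSL is
# one access checker among several, so a valid password sent over plain
# HTTP (port 80) is enough to be let in.
<Directory "/path/to/site/root/admin-as-posted">
    SSLRequireSSL
    Order deny,allow
    Deny from all
    AuthType Basic
    AuthName "Administrative Pages"
    AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
    Require valid-user
    Satisfy any
</Directory>

# SSL AND (password OR domain):
# +StrictRequire makes a failed SSLRequireSSL a hard "forbidden", so
# "Satisfy any" then only chooses between the host check and the password.
<Directory "/path/to/site/root/admin">
    SSLOptions +StrictRequire
    SSLRequireSSL

    # Host-based check (placeholder domain). Matching on a name depends on
    # reverse DNS; an address range such as "Allow from 192.0.2." avoids that.
    Order deny,allow
    Deny from all
    Allow from .example.com

    # Password check
    AuthType Basic
    AuthName "Administrative Pages"
    AuthUserFile /yadda/yadda/path/to/site/root/admin/.htpasswd
    Require valid-user

    # Either the host check or the password is sufficient, but only on SSL.
    Satisfy any
</Directory>
```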
