On Thu, 27 Feb 2003, Shawn Syms wrote:

> >>>So, bottom line, it is not possible to have a virtual host accessible via
> http and require SSL for a part of it. Is that correct?
>
> It's not really logical to want to segment out SSL-using and non-SSL-using
> sections of a site within the server config; do this on the site itself in
> the code. Here is what is commonly done, where I work anyway.
>
> In your apache config, specify the use of SSL for the entire site. The
> certificate applies to the entire site anyway, since a certificate applies
> to anything that falls under the fully qualified domain name (FQDN) on the
> certificate.
>
> In the ***code*** of your site, hardcode the URL for the sections that
> require security to include "https" -- this sort of hardcoding (ie, using an
> absolute path for the links instead of a relative one) is not "bad form"
> since the URL should only be accessed using the FQDN anyway (ie, as long as
> the value on the certificate doesn't change, neither would the single
> correct URL).
>
> In the links that lead *out* of the secured area of the site, use absolute
> links that specify "http" rather than "https".
>
> Also in the code, if anyone tries to access those sections without SSL,
> rewrite the URL in their browser so that it includes the "https".
>
> And finally, also in the code, for any sections that don't require SSL (and
> where you don't want the performance impact on needless SSL traffic), test
> to see if the URL entered by the user includes "https" -- if it does,
> rewrite it to remove the "s".
>
> This works well for us and it is pretty straightforward to implement.
>
> Regards,
> S.
Thanks for the suggestion. But the problem is I can't get the server
configured as I want to to speak SSL even in testing.

-nick
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
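
The scheme-switching check described in the quoted message, as an added example that is not part of the thread and is not mod_ssl code. The host name, the secured path prefixes and the function names are assumptions made for illustration; ports are ignored.

```python
# Added illustration, not code from the thread. Names and values are assumed.
import posixpath
from urllib.parse import urlsplit, urlunsplit

CANONICAL_HOST = "www.example.com"           # assumed FQDN on the certificate
SECURE_PREFIXES = ("/account", "/checkout")  # assumed sections that require SSL


def needs_ssl(path):
    """True if the normalized path falls under a secured section."""
    # Collapse "." / ".." and duplicate slashes so "/public/../account" is
    # classified by where it actually lands, not by how it was spelled.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    # Match whole path segments: "/accounting" is not under "/account".
    return any(norm == p or norm.startswith(p + "/") for p in SECURE_PREFIXES)


def redirect_target(url):
    """Return the URL to redirect to, or None if the request is already correct."""
    parts = urlsplit(url)
    want = "https" if needs_ssl(parts.path) else "http"
    host = (parts.hostname or "").lower()
    if parts.scheme == want and host == CANONICAL_HOST:
        return None
    # Keep path and query; always send the client to the certificate's FQDN.
    return urlunsplit((want, CANONICAL_HOST, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed sample requests.
    for u in ("http://www.example.com/account/login?next=%2Fhome",
              "https://www.example.com/news/today",
              "http://www.example.com/accounting"):
        print(u, "->", redirect_target(u))
```
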
