Yes, I noticed the existence of SSLRequireSSL, but eschewed it because the documentation suggests that it has a granularity of: directory, whereas I believe there should be a way to specify SSL _only_ for even a specific file, which may be in a directory that is not SSL _only_ ... Further, in response to another post in this thread, I have seen some indication (in a chat room) that to require SSL you need to redirect the http connection to an httpS connection ... but the syntax I was shown as an example was incorrect ... something like: <Location /secure> Redirect https://whatever.com/secure </Location> But this syntax does not work .... > >I've never used the directive, but according to ./https -h >and http://www.apache-ssl.org/docs.html#SSLRequireSSL >the actual directive appears to be SSLRequireSSL. > >Brian > >"Boyce, Nick" wrote: > > > > >> So, I added this to my apache.conf > > > > > > <Location /secure> > > > SSLRequire ( true ) > > > </Location> > > > > > [snip] > > > The problem is, after adding that configuration line, I can still go >to > > > /secure with my browser, and it doesn't start a SSL session. I don't > > > understand this at all - it seems really easy ... sslREQUIRE leads me >to > > > believe that the directory or file specified would open in the browser >as > > > SSL, and if the browser doesn't support it, it would not let it open >at > > all > > > (because it is required). > > > > I understand your confusion completely - that's exactly how I'd have >thought > > it would work: if you use an http:// URL then you get an insecure > > connection, whereas if you use an https:// URL for the same web pages >then > > you get SSL. However, my understanding is that to *stop* an "http://" >URL > > from being obeyed by your webserver you have to actually *change* the >URL on > > receipt to the equivalent "https://" URL within your webserver on the >fly, > > *every* time a client browser tries the http:// version. The standard >method > > for doing this seems to be to make use of the mod_rewrite Apache module. > > > > As far as I can see, the SSLRequire directive doesn't actually do >anything > > at all. But I must be missing something ... :-( > > > > I''ve never done any of this, so I can't advise you on the use of > > mod_rewrite. > > > > And I too would be really grateful if Someone Who Understands could >explain > > the use of SSLRequire. > > > > Cheers, > > Nick > > Systems Team, EDS Healthcare, Bristol, UK > > Internet email: [EMAIL PROTECTED] | tel: +44 117 989 2941 > > ______________________________________________________________________ > > OpenSSL Project http://www.openssl.org > > User Support Mailing List [EMAIL PROTECTED] > > Automated List Manager [EMAIL PROTECTED] >______________________________________________________________________ >OpenSSL Project http://www.openssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED] ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
