> -----Original Message----- > From: Jerry Baker [mailto:[EMAIL PROTECTED] > > It's not wrongthink.
I don't want to get into a big debate - suffice to say that if your understanding of the functioning of HTTP were accurate, it would be trivial to do what you want. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. > I don't know what users are going to want to > protect, and what they aren't. I make everything potentially > protected > by SSL and I'll let them use .htaccess and SSLRequireSSL to > protect the > things they want protected. > > > SSL (or to be more accurate, HTTPS) is an additional layer > on top of HTTP so it is like it is a different protocol. > Therefore your question is a bit like, "Do I have to install > Sendmail, just to include SMTP?" > > SSL operates above the protocol. The analogy doesn't work. It's more > like the telco requiring a separate phone number if you want to speak > French over the line. > > > For HTTPS to work, it needs a unique TCP/IP socket on which > to begin the HTTPS negotiation. That is conventionally port > 443. Happily, apache (using mod_ssl) can be configured to > handle an HTTPS session, but it requires a virtual host to be > configured to handle the requests once they are decrypted. > This VH then includes all the SSL directives (eg, SSLEngine > on) so it can't be used for plain HTTP. > > Which is why it seems like it shouldn't need a separate > container. It is > already separated from regular HTTP by port. > > > I think the underlying problem is that you want a site that > automatically works in HTTP or HTTPS with identical content > under each. I'm sure you have your reasons, but have you > thought through exactly why you want this? SSL is used to > protect data when it's on the public part of the route > between the client and server. This would either be private > data submitted by the client (eg, credit card number) or sent > by the server (eg, personal user data held on a server). Why > would you want these resources also available under plain > HTTP? If people used the HTTP URLs, the data would not be > protected. It's a bit like phoning your bank up and asking > them to send you some money and, depending on the number you > call, they either send it round in an armoured car or post it > in the mail in a see-through envelope. > > To continue the armored-car analogy, it's like wanting to buy > a car with > locks that don't *have* to be locked. Instead of having one > car with no > locks and no armor, and another with armor and locks that are always > locked, I want a car that has the armor and locks, but can be left > unlocked if I so choose. It's not unusual at all. > > -- > Jerry Baker > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP > Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] > " from the digest: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
