This is a discussion on Force SSL to be used on certain pages within the Apache Web Server forums, part of the Web Server and Related Forums category.

Seems like a simple problem, but I can't seem to solve it.

I want to ensure that certain pages on my Apache 2 (Linux Fedora Core 3) webserver are accessed only by https. I've got an IP based virtual host configured for port 80 in the http.conf file, and the same virtual host configured for port 443 in the ssl.conf file. I've tried using:

<Files /path/to/mypage.cgi>
SSLOptions +StrictRequire
SSLRequireSSL
</Files>

in the ssl.conf file. I've also tried the same directives in the <Directory> container, specifying the directory in which the page was located (it's a cgi-bin generated page), which I would expect would force all my cgi-bin pages to use https.

But the pages are still accessible by plain old http. Accessing them by https works, but I want to prevent non-SSL access.

Any help would be appreciated.

Rich Leitner

"Rich Leitner" <r.leitner-remove@worldnet.att.net> wrote in message
news:Pcmve.358583$cg1.86534@bgtnsc04-news.ops.worldnet.att.net...
> I want to ensure that certain pages on my Apache 2 (Linux Fedora Core 3)
> webserver are accessed only by https. I've got an IP based virtual host
> configured for port 80 in the http.conf file, and the same virtual host
> configured for port 443 in the ssl.conf file. I've tried using:
> in the ssl.conf file. I've also tried the same directives in the
> <Directory> container, specifying the directory in which the page was
> located (it's a cgi-bin generated page), which I would expect would
> force all my cgi-bin pages to use https.

What if that directory block is within your <virtualhost *:80>
<IfModule mod_ssl.c>
<Directory to-be-protected>
SSLRequireSSL
</Directory>
</IfModule>

> But the pages are still accessible by plain old http. Accessing them by
> https works, but I want to prevent non-SSL access.

More friendly to the audience is a rewrite within <virtualhost *:80>
rewriterule /to-be-protected/(.*) https://name.your.host/$1 [QSA,L,R=302]

Be aware some browsers tend to moan on each alternation between https and
http: best omit protocol and servername from all your links -but for a few
scripts and the blank forms invoking those- to have all elements of a
page -style sheets, javascripts and illustrations- available via both
protocols.

HansH

Rich Leitner wrote:
> Seems like a simple problem, but I can't seem to solve it.
>
> I want to ensure that certain pages on my Apache 2 (Linux Fedora Core 3)
> webserver are accessed only by https. I've got an IP based virtual host
> configured for port 80 in the http.conf file, and the same virtual host
> configured for port 443 in the ssl.conf file. I've tried using:
>
> <Files /path/to/mypage.cgi>
>
> SSLOptions +StrictRequire
> SSLRequireSSL
>
> </Files>
>
> in the ssl.conf file. I've also tried the same directives in the
> <Directory> container, specifying the directory in which the page was
> located (it's a cgi-bin generated page), which I would expect would
> force all my cgi-bin pages to use https.
>
> But the pages are still accessible by plain old http. Accessing them by
> https works, but I want to prevent non-SSL access.
>
> Any help would be appreciated.
>
> Rich Leitner

Try the following:

insert

<Files /path/to/mypage.cgi>
Order deny,allow
deny from all
</Files>

in your default-server.conf

Regards

Hans, thanks for the input. I've used a variation of your RewriteRule
suggestion. I'm still figuring out exactly how it works, but at least it does work pretty much like I want. The SSLRequireSSL directive in the <Directory> container prevented non SSL access, but generated an error message instead of just making the connection secure. The RewriteRule is extremely powerful and also solved some other issues I had.

Thanks again

Rich Leitner

HansH wrote:
> "Rich Leitner" <r.leitner-remove@worldnet.att.net> wrote in message
> news:Pcmve.358583$cg1.86534@bgtnsc04-news.ops.worldnet.att.net...
> I want to ensure that certain pages on my Apache 2 (Linux Fedora Core 3)
>
>>webserver are accessed only by https. I've got an IP based virtual host
>>configured for port 80 in the http.conf file, and the same virtual host
>>configured for port 443 in the ssl.conf file. I've tried using:
>>in the ssl.conf file. I've also tried the same directives in the
>><Directory> container, specifying the directory in which the page was
>>located (it's a cgi-bin generated page), which I would expect would
>>force all my cgi-bin pages to use https.
>
> What if that directory block is within your <virtualhost *:80>
> <IfModule mod_ssl.c>
> <Directory to-be-protected>
> SSLRequireSSL
> </Directory>
> </IfModule>
>
>>But the pages are still accessible by plain old http. Accessing them by
>>https works, but I want to prevent non-SSL access.
>
> More friendly to the audience is a rewrite within <virtualhost *:80>
> rewriterule /to-be-protected/(.*) https://name.your.host/$1
> [QSA,L,R=302]
>
>
> Be aware some browsers tend to moan on each alternation between https and
> http: best omit protocol and servername from all your links -but for a few
> scripts and the blank forms invoking those- to have all elements of a
> page -style sheets, javascripts and illustrations- available via both
> protocols.
>
> HansH
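
The two approaches discussed in this thread (SSLRequireSSL, which refuses plain HTTP with an error, and the port-80 rewrite, which redirects) can be combined so the redirect handles normal traffic and the access rule fails closed if the redirect is ever lost. This is an added example, not configuration posted by anyone in the thread; the IP address, host name, certificate paths and the /var/www/cgi-bin location are placeholder assumptions, and a ScriptAlias mapping /cgi-bin/ to that directory is assumed to exist already.

```apache
# Added example for Apache 2.0/2.2 with mod_ssl and mod_rewrite loaded.
# All addresses, names and paths below are placeholders.

# Main server config, outside any <VirtualHost>: both virtual hosts inherit
# this block. Directives placed only inside the port-443 virtual host are
# never consulted for a request that arrives on port 80, which is why the
# pages stayed reachable over plain HTTP.
<Directory "/var/www/cgi-bin">
    # Refuse (403) any request that is not on an SSL connection.
    SSLRequireSSL
    # Keep the refusal in force even if "Satisfy any" is set elsewhere.
    SSLOptions +StrictRequire
</Directory>

# Plain-HTTP virtual host: redirect instead of showing the 403.
<VirtualHost 192.0.2.10:80>
    ServerName name.your.host
    RewriteEngine On
    # In virtual-host context the pattern is matched against the URL path
    # with its leading slash. The target keeps the /cgi-bin/ prefix, and the
    # original query string is passed through unchanged because the target
    # contains none of its own.
    RewriteRule ^/cgi-bin/(.*)$ https://name.your.host/cgi-bin/$1 [R=302,L]
</VirtualHost>

# HTTPS virtual host (ssl.conf): SSLRequireSSL is satisfied here, so the
# same directory is served normally.
<VirtualHost 192.0.2.10:443>
    ServerName name.your.host
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>
```

After apachectl configtest and a restart, a request for http://name.your.host/cgi-bin/mypage.cgi should return a 302 with an https:// Location header. Commenting out the RewriteRule should turn that response into a 403 rather than the page content, which confirms the fail-closed rule is active.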