httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Field" <jfi...@aaaq.com>
Subject require SSL on a cgi file problem
Date Sat, 09 Mar 2002 07:25:00 GMT
Update:

Okay, so I still have the problem but I think I've narrowed it down a bit.
It seems to be related to the restricted access to the directory.  Problem
is still...I want to restrict access to the directory and also require SSL.
When I try to access the directory using http (non-SSL), the first thing
that happens is it asks for my user/pass, then allows me to access the site
non-SSL.  Should it first give me a "Forbidden" instead throwing up the
user/pass dialog box?  Actually, I don't really care if it allows me to put
in my user/pass, if it would then still give me a Forbidden upon accepting
my user/pass.  Any ideas, anyone?

(Previous message below)
-------------------------------

Okay, I've exhausted a lot of time on this already...hoping for an easy
answer...

I have a plain vanilla Apache setup on RH 7.2, no virtual domains, just the
main/default server, and SSL enabled.  Here's the problem:

I want to require SSL for *all* resources available under this default
server.  The way I did it was to add (in httpd.conf) SSLRequireSSL to the
root directory as follows:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    SSLRequireSSL
</Directory>

So far I can't get to anything without using https://, except one thing.  I
have in a subdirectory of the cgi-bin directory a script that I *can* access
without SSL.  The subdirectory looks like this:

/usr/local/apache/cgi-bin/subname

And, in the subname directory I have a script we'll call cgiscript.cgi.  One
thing more; this subdirectory is enabled to restrict access, so, I have an
.htaccess file the contents of which look like this (without the dashed
lines, and with a real file path to the password file and AuthName):

--------------------
AuthType Basic
AuthUserFile /usr/local/apache/path/to/password/file
AuthName blabla
require valid-user
satisfy any
--------------------

Now, if I go to:

http://www.mydomain.com/cgi-bin/subname/cgiscript.cgi (notice the http, not
https)

it throws up the user name/password dialog box, I put in my user name and
password, and then I am able to access the script and the script works for
me just fine.  The problem is that it doesn't require me to use SSL.
Anyway...

I've tried adding SSLRequireSSL to the cgi-bin directory in httpd.conf.
Also tried the same in the .htaccess file.  The weird thing is that I have
another almost identical script one level above this directory (in the
cgi-bin directory) that I cannot access without SSL; which is correct.

I'm getting totally frustrated.  Any ideas, anyone?  BTW, I'm a relatively
new Apache user but I've read books, FAQs, etc. etc., so please take it easy
on me if this all really boils down to something stupidly simple.

Thanks!

Jeff


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message