HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


cbj4074 14th December 2011 20:36

Excluding a particular directory from SSL requirements does not work as expected
I have configured Apache to require an SSL connection for the entire document root, but I would like to exclude certain subdirectories from the SSL requirement.

This seems like it would be a common requirement, but I can't find any straightforward documentation on the matter.

Per the relevant Apache documentation, this should be possible:



This forces forbidden access when SSLRequireSSL or SSLRequire successfully decided that access should be forbidden. Usually the default is that in the case where a ``Satisfy any'' directive is used, and other access restrictions are passed, denial of access due to SSLRequireSSL or SSLRequire is overridden (because that's how the Apache Satisfy mechanism should work.) [emphasis mine] But for strict access restriction you can use SSLRequireSSL and/or SSLRequire in combination with an ``SSLOptions +StrictRequire''. Then an additional ``Satisfy Any'' has no chance once mod_ssl has decided to deny access.
Based on the above quote, it seems that one should be able to use a Satisfy any directive for the directory that is to be excluded from the SSL requirement.

If we examine the relevant Satisfy documentation, we find the following:


Access policy if both Allow and Require used. The parameter can be either All or Any. This directive is only useful if access to a particular area is being restricted by both username/password and client host address. In this case the default behavior (All) is to require that the client passes the address access restriction and enters a valid username and password. With the Any option the client will be granted access if they either pass the host restriction or enter a valid username and password [emphasis mine]. This can be used to password restrict an area, but to let clients from particular addresses in without prompting for a password.
So, in theory, the following should exclude the directory in question from the SSL requirement:

File: /etc/apache2/httpd.conf:


<Directory /var/www/>
    Order allow,deny
    Allow from all

    # Deny access when SSL is not used for the HTTP request.
    SSLRequireSSL

    # Force access via a given host when SSL is used (does not force SSL!); processed after handshake, so certificate mismatches are not avoided.
    SSLRequire %{HTTP_HOST} eq ""
</Directory>

Apache Directives box for this vhost in ISPConfig interface:


<Location /mysite>
    # "Allow from all" should be inherited from /etc/apache2/httpd.conf
    Satisfy any
</Location>

Yet I still receive:


[error] [client XXX.XXX.XXX.XXX] access to /var/www/ failed, reason: SSL connection required
Could the problem be that I'm not using a Require directive anywhere? After all, the above-referenced documentation does state:


Access policy if both [emphasis mine] Allow and Require used.
I don't want to add authentication requirements to the directory in question, as this resource must remain public.
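
An added example, not part of the original post and not Apache's own code: a small Python lint that applies the two documentation excerpts quoted above to a configuration and reports, for each section using Satisfy any, whether SSLRequireSSL is still enforced there. It assumes the Apache 2.2 semantics as quoted, treats an SSLRequireSSL anywhere in the file as covering every section, and runs on a constructed sample in which /intranet and "Require valid-user" are invented for contrast.

```python
import re

# Constructed sample, modelled on the configuration in the post; /intranet is invented.
SAMPLE = """\
<Directory /var/www/>
    Order allow,deny
    Allow from all
    SSLRequireSSL
</Directory>
<Location /mysite>
    Satisfy any
</Location>
<Location /intranet>
    Satisfy any
    Require valid-user
</Location>
"""

def audit(conf):
    """Report what each 'Satisfy any' section does to an inherited SSLRequireSSL."""
    sections, name = {}, None
    ssl_required = strict = False
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(Directory|Location)\s+([^>]+)>", line, re.I)
        if opened:                       # start of a Directory/Location section
            name = opened.group(2).strip()
            sections[name] = set()
        elif line.startswith("</"):      # end of any section
            name = None
        else:                            # an ordinary directive line
            words = line.lower().split()
            ssl_required |= words[0] == "sslrequiressl"
            strict |= words[0] == "ssloptions" and "+strictrequire" in words
            if name is not None:
                sections[name].add("satisfy any" if words[:2] == ["satisfy", "any"] else words[0])
    findings = {}
    for sec, seen in sections.items():
        if "satisfy any" not in seen or not ssl_required:
            continue
        if strict:       # per the mod_ssl excerpt: Satisfy any "has no chance"
            findings[sec] = "SSL enforced: +StrictRequire beats Satisfy any"
        elif "require" in seen:   # passing the other restriction overrides the denial
            findings[sec] = "SSL bypassable: passing Require overrides SSLRequireSSL"
        else:            # assumption from the Satisfy excerpt: needs Allow and Require
            findings[sec] = "SSL enforced: no Require, so Satisfy any has nothing to satisfy"
    return findings
```

On the sample, /mysite is reported as still SSL-enforced, which matches the error log line in the post, while /intranet is reported as reachable without SSL once authentication succeeds unless SSLOptions +StrictRequire is set.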

All times are GMT +2.