Old 14th December 2011, 19:36
cbj4074
Excluding a particular directory from SSL requirements does not work as expected

I have configured Apache to require an SSL connection for the entire document root, but I would like to exclude certain subdirectories from the SSL requirement.

This seems like it would be a common requirement, but I can't find any straightforward documentation on the matter.

Per the relevant Apache documentation (http://httpd.apache.org/docs/2.0/mod...tml#ssloptions), this should be possible:

Quote:
StrictRequire

This forces forbidden access when SSLRequireSSL or SSLRequire successfully decided that access should be forbidden. Usually the default is that in the case where a ``Satisfy any'' directive is used, and other access restrictions are passed, denial of access due to SSLRequireSSL or SSLRequire is overridden (because that's how the Apache Satisfy mechanism should work.) [emphasis mine] But for strict access restriction you can use SSLRequireSSL and/or SSLRequire in combination with an ``SSLOptions +StrictRequire''. Then an additional ``Satisfy Any'' has no chance once mod_ssl has decided to deny access.

Based on the above quote, it seems that one should be able to use a Satisfy any directive for the directory that is to be excluded from the SSL requirement.

If we examine the relevant Satisfy documentation (http://httpd.apache.org/docs/2.0/mod/core.html#satisfy), we find the following:

Quote:
Access policy if both Allow and Require used. The parameter can be either All or Any. This directive is only useful if access to a particular area is being restricted by both username/password and client host address. In this case the default behavior (All) is to require that the client passes the address access restriction and enters a valid username and password. With the Any option the client will be granted access if they either pass the host restriction or enter a valid username and password [emphasis mine]. This can be used to password restrict an area, but to let clients from particular addresses in without prompting for a password.

So, in theory, the following should exclude the directory in question from the SSL requirement:

File: /etc/apache2/httpd.conf:

Code:
<Directory /var/www/example.com>
Order allow,deny
Allow from all

# Deny access when SSL is not used for the HTTP request.
SSLRequireSSL

# Force access via a given host when SSL is used (does not force SSL!); processed after handshake, so certificate mismatches are not avoided.
SSLRequire %{HTTP_HOST} eq "example.com"
</Directory>

Apache Directives box for this vhost in the ISPConfig interface:

Code:
<Location /mysite>
#Allow from all should be inherited from /etc/apache2/httpd.conf
Satisfy any
</Location>

Yet I still receive:

Code:
[error] [client XXX.XXX.XXX.XXX] access to /var/www/example.com/web/mysite/ failed, reason: SSL connection required

Could the problem be that I'm not using a Require directive anywhere? After all, the above-referenced documentation does state:

Quote:
Access policy if both [emphasis mine] Allow and Require used.

I don't want to add authentication requirements to the directory in question, as this resource must remain public.

Last edited by cbj4074; 14th December 2011 at 19:39.
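The following is an added example, not code from the post above and not Apache's own source. It is a small Python model of how Apache 2.2 combines an access-checker verdict (here, mod_ssl's SSLRequireSSL denial) with Satisfy, a Require directive and SSLOptions +StrictRequire, written from the Satisfy documentation quoted in the post and my reading of the 2.2 request-processing order. The Request and DirConfig classes, and the scenario functions, are hypothetical names introduced for the illustration. The point it makes visible is the one the quoted Satisfy text hints at: under Satisfy any, a failed access check is only overridden when some Require is configured and the client authenticates; with no Require at all there is nothing to fall back on and the denial stands, and +StrictRequire makes the denial stand even when authentication succeeds.

```python
# Added example: a model of Apache 2.2's access/auth decision for a request
# under a directory that carries SSLRequireSSL. This is an illustration of the
# documented behaviour, not Apache's code; class and function names are mine.
from dataclasses import dataclass


@dataclass
class Request:
    over_ssl: bool        # did the request arrive on the https listener?
    credentials_ok: bool  # would the configured Require/AuthType accept the client?


@dataclass
class DirConfig:
    ssl_require_ssl: bool  # SSLRequireSSL in effect (possibly inherited)
    satisfy_any: bool      # Satisfy any (False = Satisfy all, the default)
    require_present: bool  # a Require directive, i.e. authentication, is configured
    strict_require: bool   # SSLOptions +StrictRequire


def access_checker(req, cfg):
    """mod_ssl's access hook: deny plain-HTTP requests under SSLRequireSSL."""
    if cfg.ssl_require_ssl and not req.over_ssl:
        return "SSL connection required"
    return None


def check_user_id(req, cfg):
    """The authentication phase, including mod_ssl's StrictRequire re-check."""
    # +StrictRequire re-applies the earlier SSL denial during authentication,
    # so a satisfied Require can never rescue a non-SSL request.
    if cfg.strict_require and access_checker(req, cfg):
        return "SSL connection required (StrictRequire)"
    if not req.credentials_ok:
        return "authentication failed"
    return None


def decide(req, cfg):
    """Return 'allow' or 'deny: <reason>' for a request under cfg."""
    denial = access_checker(req, cfg)
    if cfg.satisfy_any:
        if denial is None:
            return "allow"              # host/SSL check passed: no password needed
        if not cfg.require_present:
            return "deny: " + denial    # no Require to fall back on: denial is final
        auth_denial = check_user_id(req, cfg)
        return "allow" if auth_denial is None else "deny: " + auth_denial
    # Satisfy all (the default): every configured check must pass.
    if denial is not None:
        return "deny: " + denial
    if cfg.require_present:
        auth_denial = check_user_id(req, cfg)
        if auth_denial is not None:
            return "deny: " + auth_denial
    return "allow"


# Scenario 1: the /mysite setup from the post, fetched over plain HTTP.
# SSLRequireSSL is inherited, Satisfy any is set, but no Require exists.
def poster_config_plain_http():
    cfg = DirConfig(ssl_require_ssl=True, satisfy_any=True,
                    require_present=False, strict_require=False)
    return decide(Request(over_ssl=False, credentials_ok=False), cfg)


# Scenario 2: same directory, but with a Require that the client satisfies.
def with_require_and_valid_credentials(strict_require):
    cfg = DirConfig(ssl_require_ssl=True, satisfy_any=True,
                    require_present=True, strict_require=strict_require)
    return decide(Request(over_ssl=False, credentials_ok=True), cfg)


# Scenario 3: the same request arriving over HTTPS, which always passes.
def poster_config_over_https():
    cfg = DirConfig(ssl_require_ssl=True, satisfy_any=True,
                    require_present=False, strict_require=False)
    return decide(Request(over_ssl=True, credentials_ok=False), cfg)


if __name__ == "__main__":
    print("post's config, plain HTTP:      ", poster_config_plain_http())
    print("with Require, creds ok:         ", with_require_and_valid_credentials(False))
    print("with Require + StrictRequire:   ", with_require_and_valid_credentials(True))
    print("post's config, HTTPS:           ", poster_config_over_https())
```

Run as a script, the first line reproduces the denial reason seen in the error log ("SSL connection required"); the second shows the override that the SSLOptions quote describes, and the third shows +StrictRequire cancelling it. Adding a Require is exactly what the post wants to avoid for a public resource, which is why the Satisfy any route cannot serve as an exclusion mechanism here.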