Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 14th December 2011, 19:36
cbj4074 cbj4074 is offline
Senior Member
 
Join Date: Nov 2010
Posts: 388
Thanks: 28
Thanked 58 Times in 50 Posts
 
Default Excluding a particular directory from SSL requirements does not work as expected

I have configured Apache to require an SSL connection for the entire document root, but I would like to exclude certain subdirectories from the SSL requirement.

This seems like it would be a common requirement, but I can't find any straightforward documentation on the matter.

Per the relevant Apache documentation ( http://httpd.apache.org/docs/2.0/mod...tml#ssloptions ), this should be possible:

Quote:
StrictRequire

This forces forbidden access when SSLRequireSSL or SSLRequire successfully decided that access should be forbidden. Usually the default is that in the case where a ``Satisfy any'' directive is used, and other access restrictions are passed, denial of access due to SSLRequireSSL or SSLRequire is overridden (because that's how the Apache Satisfy mechanism should work.) [emphasis mine] But for strict access restriction you can use SSLRequireSSL and/or SSLRequire in combination with an ``SSLOptions +StrictRequire''. Then an additional ``Satisfy Any'' has no chance once mod_ssl has decided to deny access.
Based on the above quote, it seems that one should be able to use a Satisfy any directive for the directory that is to be excluded from the SSL requirement.

If we examine the relevant Satisfy documentation ( http://httpd.apache.org/docs/2.0/mod/core.html#satisfy ), we find the following:

Quote:
Access policy if both Allow and Require used. The parameter can be either All or Any. This directive is only useful if access to a particular area is being restricted by both username/password and client host address. In this case the default behavior (All) is to require that the client passes the address access restriction and enters a valid username and password. With the Any option the client will be granted access if they either pass the host restriction or enter a valid username and password [emphasis mine]. This can be used to password restrict an area, but to let clients from particular addresses in without prompting for a password.
So, in theory, the following should exclude the directory in question from the SSL requirement:

File: /etc/apache2/httpd.conf:

Code:
<Directory /var/www/example.com>
Order allow,deny
Allow from all

# Deny access when SSL is not used for the HTTP request.
SSLRequireSSL

# Force access via a given host when SSL is used (does not force SSL!); processed after handshake, so certificate mismatches are not avoided.
SSLRequire %{HTTP_HOST} eq "example.com"
</Directory>
Apache Directives box for this vhost in ISPConfig interface:

Code:
<Location /mysite>
#Allow from all should be inherited from /etc/apache2/httpd.conf
Satisfy any
</Location>
Yet I still receive:

Code:
[error] [client XXX.XXX.XXX.XXX] access to /var/www/example.com/web/mysite/ failed, reason: SSL connection required
Could the problem be that I'm not using a Require directive anywhere? After all, the above-referenced documentation does state:

Quote:
Access policy if both [emphasis mine] Allow and Require used.
I don't want to add authentication requirements to the directory in question, as this resource must remain public.

Last edited by cbj4074; 14th December 2011 at 19:39.
Reply With Quote
Sponsored Links
Reply

Bookmarks

Tags
apache, directory, exclude, sslrequire

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
add web site serr57 Installation/Configuration 18 13th April 2008 11:40
The PHP binary coming with ISPConfig does not work properly on your system! KalishNikova Installation/Configuration 6 6th November 2007 14:52
Installation Error, Debian 3.1 yogi183 Installation/Configuration 6 23rd February 2007 16:11
ERROR: The PHP binary coming with ISPConfig does not work properly on your system W1SKCC Installation/Configuration 2 2nd February 2007 13:55
ISP install problems Debian sarge 3.1 lerra Installation/Configuration 1 5th January 2006 16:37


All times are GMT +2. The time now is 19:18.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.