On Friday 22 December 2000 01:16, Michael Conley wrote:
> I am very new to SSL. I have set up my Apache web server on Red Hat Linux
> 7. I have installed OpenSSL/mod_ssl. I can now attach to the web server
> using either http or https.
>
> My question is how do I control which files can be accessed via http and
> which can only be accessed by https? I don't mind people hitting the main
> (home) page via http, but that will be about all I want accessible unless
> we move to https. How do I control which protocol can be used to access
> various files?
>
> I'm sure this shows my inexperience.

In the directory that you require SSL be used within, create a .htaccess file
that contains stuff like:

    SSLRequireSSL
    AuthType Basic
    AuthName "Admin"
    AuthGroupFile /home/daranee/groups
    AuthUserFile /home/daranee/users
    require group admin

The .htaccess file can "AllowOverride" settings in the httpd.conf file on a
per directory basis. See the AllowOverride directive in the apache docs. The
directory will need the proper <directory> AllowOverride AuthConfig directive
for the directory in your apache httpd.conf file.

The SSLRequireSSL line is the only line you really need, the other lines are
for password protection. Remember also that SSL will not work unless in your
httpd.conf file, you issue a "SSLEngine on" directive inside your main server
config or within a <VirtualHost> that owns the directory.

The "users" file is made with the htpasswd program in $APACHE_HOME/bin and
contains lines of the form <username>:<hashed password> inserted by htpasswd
(man htpasswd, $MANPATH=$MANPATH:$APACHE_HOME/man).

The "groups" file is a file you hand edit and contains lines of the form
<groupname>:<username username ...> for groups you want. In the above
example, any user in the group that supplies a correct username/password pair
gets in. You can also say "require valid-user" for any user or "require
username username1 ..." for specific users.

The AuthGroupFile and AuthUserFile need to be fully qualified pathfilenames
and must be readable by the user that httpd is run under (user apache etc).

AuthName is called the authorization realm. Once a user logs in under the
realm, they can access any protected directories that use that realm name or
are under those directories.

I like to use SSL on password protected directories, because as far as I
know, doing that protects the passwords from being sent in the clear.

--
-------- Robert B. Easter [EMAIL PROTECTED] ---------
- CompTechNews Message Board http://www.comptechnews.com/ -
- CompTechServ Tech Services http://www.comptechserv.com/ -
---------- http://www.comptechnews.com/~reaster/ ------------
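
Added example, not part of the original message: a small audit that walks a document root and reports directories whose .htaccess enables "AuthType Basic" while no SSLRequireSSL is in effect from that file or an ancestor .htaccess. The function names and the sample tree are constructed for illustration, and the script assumes it sees only .htaccess files, so SSLRequireSSL set in httpd.conf is not taken into account.

```python
import os
import tempfile

def parse_directives(text):
    """Map lower-cased directive name -> list of argument strings."""
    found = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):   # blank or comment line
            continue
        arg = parts[1].strip() if len(parts) > 1 else ""
        # Apache directive names are case-insensitive
        found.setdefault(parts[0].lower(), []).append(arg)
    return found

def audit_tree(root):
    """Return directories (relative to root) whose .htaccess sets AuthType Basic
    while neither it nor an ancestor .htaccess under root has SSLRequireSSL."""
    root = os.path.abspath(root)
    ssl_required = {}   # directory -> SSLRequireSSL in effect (inherited downward)
    flagged = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()     # deterministic, top-down traversal
        d = {}
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                d = parse_directives(fh.read())
        parent_ssl = ssl_required.get(os.path.dirname(dirpath), False)
        ssl = parent_ssl or "sslrequiressl" in d
        ssl_required[dirpath] = ssl
        basic = any(a.strip('"').lower() == "basic" for a in d.get("authtype", []))
        if basic and not ssl:
            flagged.append(os.path.relpath(dirpath, root))
    return flagged

def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    sample = {   # constructed .htaccess bodies, not taken from any real server
        "admin": 'SSLRequireSSL\nAuthType Basic\nAuthName "Admin"\nrequire group admin\n',
        "admin/reports": "AuthType Basic\nrequire valid-user\n",
        "staff": "# SSLRequireSSL\nauthtype basic\nrequire valid-user\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
                fh.write(body)
        return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```

In the sample tree only "staff" is reported: its SSLRequireSSL line is commented out, while "admin/reports" inherits the requirement from "admin".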