Hi, all,
I have some problem about the directive "SSLRequireSSL".
I setup my SSL for <VirtualHost _default_:443> and it works pretty well.
Then, I want to let Apache deny all the access when SSL is not used for the
HTTP request. In other words, I want to forbid access unless HTTP over SSL
(i.e. HTTPS) is used. According to the manual, I used the directive
"SSLRequireSSL" in the <Directory> block inside the default <VirtualHost>
block. My configuration is as follows:
------------------------------------------------------httpd-ssl.conf---------------------------------------------------
<VirtualHost _default_:443>
DocumentRoot "/home/tianyin/apache2.2.21-ssl/htdocs"
ServerName www.example.com:443
ServerAdmin y...@example.com
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/home/tianyin/apache2.2.21-ssl/conf/server.crt"
SSLCertificateKeyFile "/home/tianyin/apache2.2.21-ssl/conf/server.key"
<Directory "/home/tianyin/apache2.2.21-ssl/htdocs">
SSLRequireSSL
</Directory>
</VirtualHost>
-----------------------------------------------------------------------------------------------------------------------------
But it seems that "SSLRequireSSL" has no effect at all. I can still access
the "DocumentRoot" using HTTP. But if I put the <Directory> block out of
the <VirtualHost> block to be a separate, independent block (not nested).
It actually works.
Could anyone tell me why?
Many thanks!!
Tianyin
