Comments on: Apache SSL in htaccess examples http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html Advanced Web Development Wed, 18 Nov 2009 23:28:48 -0500 hourly 1 By: Jeff http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-104556 Jeff Sun, 27 Sep 2009 00:29:23 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-104556 <pre>SSLOptions +StrictRequire SSLRequireSSL SSLRequire %{HTTP_HOST} eq "google.com" ErrorDocument 403 https://google.com</pre> Thanks! This works great but I want to use this for a folder that is shared by every vhost. It's actually my awstats directory. If I access awstats via any of my websites (e.g, <code>/awstats</code>), I get the stats for that paticular website. The server was preconfigured so I guess there is a rewrite rule somewhere in one of the many config files. Line <code>SSLRequire %{HTTP_HOST} eq "google.com"</code> only lists one host name (google.com). Is there a way to set this up so SSL is required no matter the host name? SSLOptions +StrictRequire SSLRequireSSL SSLRequire %{HTTP_HOST} eq "google.com" ErrorDocument 403 https://google.com

Thanks! This works great but I want to use this for a folder that is shared by every vhost. It’s actually my awstats directory. If I access awstats via any of my websites (e.g, /awstats), I get the stats for that paticular website. The server was preconfigured so I guess there is a rewrite rule somewhere in one of the many config files.

Line SSLRequire %{HTTP_HOST} eq "google.com" only lists one host name (google.com). Is there a way to set this up so SSL is required no matter the host name?

]]> By: Ajay http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-79144 Ajay Thu, 04 Jun 2009 14:13:27 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-79144 Hi, We are using Apache 2 for secure mode and using <code>MOD jk</code> to redirect our request to tomcat 6.0. We are using client certificate created with ca-authority application. We have following entries in our <code>ssl.conf</code> like... <pre>DocumentRoot "/var/apache2/htdocs" ServerName sun1111.abc.com:443 ServerAdmin Ab@abc.com LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ErrorLog logs/myprodcheck_error_log TransferLog logs/myprodcheck_access_log   AddType text/html .asp   # SSL Engine Switch: SSLEngine on   # SSL Cipher Suite: SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL   # Server Certificate: SSLCertificateFile /var/apache2/conf/ssl.crt/abc.crt   # Server Private Key: SSLCertificateKeyFile /var/apache2/conf/ssl.key/abc.key   # Server Certificate Chain: #SSLCertificateChainFile /var/apache2/conf/ssl.crt/ca.crt   # Certificate Authority (CA): SSLCACertificateFile /var/apache2/conf/ssl.crt/ca-bundle.crt   # Client Authentication (Type): SSLVerifyClient optional SSLVerifyDepth 3   # Access Control: # #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} = 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ # SSLOptions +StdEnvVars   # SSL Engine Options: #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire SSLOptions +StdEnvVars</pre> And it's working fine and it's showing the server certification when we'll access our site with <code>HTTPS</code>. But issue is that now we need the values from client certificate from client machine. So how we can read these variable from request with java api. Thanks in advanced, Ajay Hi,
We are using Apache 2 for secure mode and using MOD jk to redirect our request to tomcat 6.0.
We are using client certificate created with ca-authority application. We have following entries in our ssl.conf like…

DocumentRoot "/var/apache2/htdocs"
ServerName sun1111.abc.com:443
ServerAdmin Ab@abc.com
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
ErrorLog logs/myprodcheck_error_log
TransferLog logs/myprodcheck_access_log
 
AddType text/html .asp
 
#   SSL Engine Switch:
SSLEngine on
 
#   SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
#   Server Certificate:
SSLCertificateFile /var/apache2/conf/ssl.crt/abc.crt
 
#   Server Private Key:
SSLCertificateKeyFile /var/apache2/conf/ssl.key/abc.key
 
#   Server Certificate Chain:
#SSLCertificateChainFile /var/apache2/conf/ssl.crt/ca.crt
 
#   Certificate Authority (CA):
SSLCACertificateFile /var/apache2/conf/ssl.crt/ca-bundle.crt
 
#   Client Authentication (Type):
SSLVerifyClient optional
SSLVerifyDepth  3
 
#   Access Control:
#
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} = 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#
SSLOptions +StdEnvVars
 
#   SSL Engine Options:
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLOptions +StdEnvVars

And it’s working fine and it’s showing the server certification when we’ll access our site with HTTPS.
But issue is that now we need the values from client certificate from client machine. So how we can read these variable from request with java api.

Thanks in advanced,
Ajay

]]> By: Nick http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-58352 Nick Thu, 22 Jan 2009 20:28:34 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-58352 Very comprehensive. Thank you. Very comprehensive. Thank you.

]]> By: john http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-47639 john Wed, 03 Dec 2008 15:54:33 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-47639 Wow! This is the best site on Apache redirects and rewrites on the Internet! I have looked <em>everywhere</em> I just have a quick question.. you know when a request is made to a secure area, and for that directory there is a SSLRequire directive. If the user has the digital certificate installed it's all fine. However, if they don't have the certificate installed you get a big Apache error: (Error code: ssl_error_handshake_failure_alert) Is it possible to do a rewrite so that if they don't have the certificate installed it redirects them to a page informing them of this? /John Wow! This is the best site on Apache redirects and rewrites on the Internet! I have looked everywhere

I just have a quick question.. you know when a request is made to a secure area, and for that directory there is a SSLRequire directive. If the user has the digital certificate installed it’s all fine. However, if they don’t have the certificate installed you get a big Apache error:

(Error code: ssl_error_handshake_failure_alert)

Is it possible to do a rewrite so that if they don’t have the certificate installed it redirects them to a page informing them of this?

/John

]]> By: AskApache http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-47292 AskApache Mon, 17 Nov 2008 20:52:20 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-47292 <p>Two possible scenarios for X509 authentication follow:</p> <p>A fairly strict authentication setup for one or two administrators</p> <pre> <Directory [absolute path to directory for service, in quotes]> SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth +OptRenegotiate +CompatEnvVars SSLVerifyClient require SSLVerifyDepth 5 SSLRequireSSL SSLRequire %{SSL_CLIENT_I_DN_CN} eq "the CN of the Issuer DN of client's certificate in quotes" and %{SSL_CLIENT_S_DN_O} eq "the O of the Subject DN in client's certificate in quotes" and %{SSL_CLIENT_S_DN_CN} in {"the CN of one or more", "comma delimited Subject DNs in quotes"} </Directory> </pre> <p>An authentication setup for many users with certs from a given CA</p> <pre> <Directory [path to directory where the application lives, in quotes]> SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate +FakeBasicAuth SSLVerifyClient require SSLVerifyDepth 5 SSLRequireSSL SSLRequire %{SSL_CLIENT_I_DN_CN} eq "the CN of Issuer DN of client's certificate in quotes" and %{SSL_CLIENT_S_DN_O} eq "the O of Subject DN in client's certificate in quotes" and %{SSL_CLIENT_S_DN_OU} eq ""the OU of Subject DN in client's certificate in quotes" </Directory> </pre> <p>From: <a href="http://wiki.horde.org/HordeSSLAuthHowTo" rel="nofollow">HordeSSLAuthHowTo</a></p> Two possible scenarios for X509 authentication follow:

A fairly strict authentication setup for one or two administrators

<Directory [absolute path to directory for service, in quotes]>
SSLOptions  +StdEnvVars +ExportCertData +FakeBasicAuth +OptRenegotiate +CompatEnvVars
SSLVerifyClient   require
SSLVerifyDepth    5
SSLRequireSSL
SSLRequire %{SSL_CLIENT_I_DN_CN} eq "the CN of the Issuer DN of client's certificate in quotes"
and %{SSL_CLIENT_S_DN_O} eq "the O of the Subject DN in client's certificate in quotes"
and %{SSL_CLIENT_S_DN_CN} in {"the CN of one or more", "comma delimited Subject DNs in quotes"}
</Directory>

An authentication setup for many users with certs from a given CA

<Directory [path to directory where the application lives, in quotes]>
SSLOptions  +StdEnvVars +ExportCertData +OptRenegotiate +FakeBasicAuth
SSLVerifyClient   require
SSLVerifyDepth    5
SSLRequireSSL
SSLRequire %{SSL_CLIENT_I_DN_CN} eq "the CN of Issuer DN of client's certificate in quotes"
and %{SSL_CLIENT_S_DN_O} eq "the O of Subject DN in client's certificate in quotes"
and %{SSL_CLIENT_S_DN_OU} eq ""the OU of Subject DN in client's certificate in quotes"
</Directory>

From: HordeSSLAuthHowTo

]]> By: Gert http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-46561 Gert Mon, 27 Oct 2008 14:59:36 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-46561 We are setting up an SSL area for our website and face this issue that the link is accessable through various methos causing SSL by passes. I like to gracefully solve this. But the complexity is that the SSL link is not the same as the HTTP links. The certificate is from our website provider. The good link: https://pepr-com.ssl.eatserver.nl/ The alternative way that does not compute to the SSL environment: http://buydirect.pepr.com The browsing method that does nto compute to the SSL environment: http://www.pepr.com/buydirect How do I combine the standard recommendation with the SEO version of it? <pre> SSLOptions +StrictRequire SSLRequireSSL SSLRequire %{HTTP_HOST} eq "google.com" ErrorDocument 403 https://google.com and RewriteRule ^/normal/secure(/.*) https://%{HTTP_HOST}$1 [R=301,L] </pre> I am a bit lost in this area and would ask the proper htaccess content to fix it. The complexity also sits in the fact that SSL is on a different link. We are setting up an SSL area for our website and face this issue that the link is accessable through various methos causing SSL by passes. I like to gracefully solve this. But the complexity is that the SSL link is not the same as the HTTP links. The certificate is from our website provider.

The good link:
https://pepr-com.ssl.eatserver.nl/

The alternative way that does not compute to the SSL environment:
http://buydirect.pepr.com

The browsing method that does nto compute to the SSL environment:
http://www.pepr.com/buydirect

How do I combine the standard recommendation with the SEO version of it?

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "google.com"
ErrorDocument 403 https://google.com
and
RewriteRule ^/normal/secure(/.*) https://%{HTTP_HOST}$1 [R=301,L]

I am a bit lost in this area and would ask the proper htaccess content to fix it. The complexity also sits in the fact that SSL is on a different link.

]]> By: Josiah http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-45948 Josiah Mon, 06 Oct 2008 20:14:46 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-45948 Thanks, this article provided some great info and helped me to get where I wanted to be. I really appreciate it. Thanks, this article provided some great info and helped me to get where I wanted to be. I really appreciate it.

]]> By: George Payne http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-42291 George Payne Wed, 11 Jun 2008 16:15:58 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-42291 I was trying to do something I thought was simple,but have so far been unable to figure out. I wanted set up a temp server just to host a "we are down for the moment" web page. It's pretty easy to set it up so it responds to all http requests with a single page. But I can't figure out how to set it up to answer all HTTPS requests with the same page without actually setting up SSL with a valid cert on my temporary server, which I don't want to do. Any suggestions? A wiser way of going about this? I was trying to do something I thought was simple,but have so far been unable to figure out.

I wanted set up a temp server just to host a “we are down for the moment” web page. It’s pretty easy to set it up so it responds to all http requests with a single page. But I can’t figure out how to set it up to answer all HTTPS requests with the same page without actually setting up SSL with a valid cert on my temporary server, which I don’t want to do.

Any suggestions? A wiser way of going about this?

]]> By: Pete http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-5137 Pete Thu, 19 Apr 2007 18:46:50 +0000 http://www.askapache.com.com/htaccess/apache-ssl-in-htaccess-examples.html#comment-5137 On an Apache 1.3x system, "and" & "or" isn't valid inside an .htaccess file. The use of "&&" and "||" are required instead. So where you list: SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/ It would have to be written as: SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ && \ %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." && \ %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} && \ %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 && \ %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20) || \ %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/ On an Apache 1.3x system, “and” & “or” isn’t valid inside an .htaccess file. The use of “&&” and “||” are required instead.

So where you list:
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/
and %{SSL_CLIENT_S_DN_O} eq “Snake Oil, Ltd.”
and %{SSL_CLIENT_S_DN_OU} in {“Staff”, “CA”, “Dev”}
and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5
and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 )
or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

It would have to be written as:

SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ && \
%{SSL_CLIENT_S_DN_O} eq “Snake Oil, Ltd.” && \
%{SSL_CLIENT_S_DN_OU} in {“Staff”, “CA”, “Dev”} && \
%{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 && \
%{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20) || \
%{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

]]>