Date: Mon, 15 May 2000 17:44:17 -0400 From: Will Andrews <andrews@technologist.com> To: Steve Price <sprice@hiwaay.net> Cc: freebsd-isp@FreeBSD.ORG Subject: Re: apache SSL question Message-ID: <20000515174417.B96150@argon.blackdawn.com> In-Reply-To: <Pine.OSF.4.21.0005151526200.11024-100000@fly.HiWAAY.net>; from sprice@hiwaay.net on Mon, May 15, 2000 at 04:12:14PM -0500 References: <Pine.OSF.4.21.0005151526200.11024-100000@fly.HiWAAY.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, May 15, 2000 at 04:12:14PM -0500, Steve Price wrote: > I'm trying to rewrite URLs for a secure area of my website. > In essence if a user tries to access the following URL > > http://www.mymachine.dom/secure/index.html > > then it will be rewritten as this. > > https://www.mymachine.dom/secure/index.html > > Here's what I have in apache.conf. > > <IfDefine SSL> > <Directory /usr/local/share/apache/htdocs/secure> > RewriteEngine On > RewriteCond %{HTTPS} !=on > RewriteRule ^(.*) https://%{HTTP_HOST}/secure/$1 [R] > </Directory> > </IfDefine> > > This appears to work. However I'd like to get a second opinion > on whether this is a good idea. Is there a better way? This should work, but you need to make sure that you don't allow this sort of thing for ALL of the data under /usr/local/share/apache/htdocs/secure, but only the data that can be transferred unencrypted (which is what will happen since you send a http:// request first, then it redirects you to https://). Hopefully that can be restricted to ``index.html'' and other files. Later, -- Will Andrews <andrews@technologist.com> GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++ e->++++ h! r-->+++ y? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000515174417.B96150>