Posted to users@httpd.apache.org by Milan Andric <ma...@eecs.berkeley.edu> on 2004/03/23 19:18:44 UTC

[users@httpd] Satisfy Any and SSLRequireSSL

Hi, I'm trying to use the Satisfy Any directive to restrict a resource by
username/password or domain.  Also, I'd like to require SSL connections to
secure the passwords better.  I thought I had it working but was mistaken, and
now I'm trying to trace my steps but don't see anything wrong with my setup and
have spent hours re-tweaking and searching mailing lists, to no avail. Running Apache
2.0.47 on Solaris 8.

Here's my .htaccess file:

SSLRequireSSL

Order allow,deny
Allow from <hostname>

AuthType        Basic
AuthName        "LDAP"
AuthLDAPURL "ldaps://<ldap string>?uid?one"
Require         valid-user

Satisfy Any

The Directory is configured as default:

<Directory /home/path/public_html>
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

Only when I remove Satisfy Any does the SSLRequireSSL take effect. I
also tested SSLOptions +StrictRequire in several locations in my config, and
adding AllowOverride All, or AuthLDAPAuthoritative off, but none of it made
any difference.

Any other suggestions how I can debug?

Thanks!

-- 
Milan



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Satisfy Any and SSLRequireSSL

Posted by Milan Andric <ma...@eecs.berkeley.edu>.
Well, I also found some other weirdness: SSLRequireSSL seems to work on-site
but not off-site.

I.e., when Apache does domain auth like allow cs.berkeley.edu, SSLRequireSSL
sticks, but off-site, AuthType Basic, Apache seems to ignore it.

Where should I look for the problem... mod_ssl? Or mod_auth_ldap?

Thanks for any tips.

On Tue, Mar 23, 2004 at 10:18:44AM -0800, Milan Andric wrote:
> 
> Hi, I'm trying to use the Satisfy Any directive to restrict a resource by
> username/password or domain.  Also, I'd like to require SSL connections to
> secure the passwords better.  I thought I had it working but was mistaken, and
> now I'm trying to trace my steps but don't see anything wrong with my setup and
> have spent hours re-tweaking and searching mailing lists, to no avail. Running Apache
> 2.0.47 on Solaris 8.
> 
> Here's my .htaccess file:
> 
> SSLRequireSSL
> 
> Order allow,deny
> Allow from <hostname>
> 
> AuthType        Basic
> AuthName        "LDAP"
> AuthLDAPURL "ldaps://<ldap string>?uid?one"
> Require         valid-user
> 
> Satisfy Any
> 
> The Directory is configured as default:
> 
> <Directory /home/path/public_html>
>     AllowOverride FileInfo AuthConfig Limit Indexes
>     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
>     <Limit GET POST OPTIONS PROPFIND>
>         Order allow,deny
>         Allow from all
>     </Limit>
>     <LimitExcept GET POST OPTIONS PROPFIND>
>         Order deny,allow
>         Deny from all
>     </LimitExcept>
> </Directory>
> 
> Only when I remove Satisfy Any does the SSLRequireSSL take effect. I
> also tested SSLOptions +StrictRequire in several locations in my config, and
> adding AllowOverride All, or AuthLDAPAuthoritative off, but none of it made
> any difference.
> 
> Any other suggestions how I can debug?
> 
> Thanks!
> 
> -- 
> Milan

-- 
Milan
