enabling ssl for a subdirectory of a vhost

I have Apache 1.3.17 with mod_ssl. I'm not a real proficient apache
admin just yet, so forgive my if I unintentionally omit some crucial
point, or use the wrong nomenclature. :) I have a vhost which I would
like to add an SSL enabled subdirectory to.

http://my.host.com/dir1
https://my.host.com/dir2

Maybe even have http://my.host.com/dir2 redirect to
https://my.host.com/dir2. But I have no clue how to do it. I tried
adding the SSL directives to the , but that totally didn't
work. (apache wouldn't start), but moving the directives outside of that
made the whole vhost SSL, and screwed up other things that it's already
doing.

--
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main 713.329.9330
Fax 713.460.4051
Mobile 512.789.1962

5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: enabling ssl for a subdirectory of a vhost

>From: Justin Georgeson [mailto:jgeorgeson@unboundtech.com]
>
>I have Apache 1.3.17 with mod_ssl. I'm not a real proficient apache
>admin just yet, so forgive my if I unintentionally omit some crucial
>point, or use the wrong nomenclature. :) I have a vhost which I would
>like to add an SSL enabled subdirectory to.
>
>http://my.host.com/dir1
>https://my.host.com/dir2
>
>Maybe even have http://my.host.com/dir2 redirect to
>https://my.host.com/dir2. But I have no clue how to do it. I tried
>adding the SSL directives to the , but that totally didn't
>work. (apache wouldn't start), but moving the directives
>outside of that made the whole vhost SSL, and screwed up other things
>that it's already doing.

Congratulations, you've already done the hard part of installing mod_ssl and getting it running with certs and so on. All you need now is to set up your configuration and that is easy once you get the hang of it.

The main thing to realise is that HTTPS requests come in on a different port (usually 443) from normal HTTP traffic which uses port 80. Therefore, the simplest thing to do is to create a new port-based virtual host for SSL stuff. Indeed, most SSL directives only work in a virtualhost context (i.e. you can't make them apply in a directory context).

Rather than having an SSL subdirectory of your main site, I would recommend you create a separate SSL VH. Start off with the simplest implementation which is something like this:

# Define the normal HTTP service on port 80


DocumentRoot /home/www/html
...etc.


# Define the SSL service on port 443


DocumentRoot /home/www/html/dir1
SSLEngine on
...rest of SSL directives
...etc.


Now, a request to https://my.host.com/ will go straight to /home/www/html/dir1 under SSL, while http://my.host.com/ will continue to serve /home/www/html on plain HTTP.

There are a couple of snags with this configuration which you'd need to tidy up:

- In the scheme above, /home/www/html/dir1 is still accessible from plain HTTP. A rough-n-ready redirect will help matters (put inside the HTTP-VH):

Redirect /dir1 https://my.host.com/

- for belt-and-braces, force SSL-only in this directory (put inside the HTTP-VH):

SSLRequireSSL


- Be careful also with including things like images in SSL pages if the images are in a non-ssl directory. The browser will usually complain that some of the context is insecure and the user will get a lot of annoying pop-ups. To guard against this, symbolically link the images directory into the SSL directory and then reference it there. E.g. If you have /home/www/html/images, then in /home/www/html/dir1 do:

$ ln -s ../images images

and then in your dir1 pages do: so that the images look like they are under the SSL document root.

This recipe will get you started with SSL. Once you have it running, you can start to play around with other configurations. What you originally requested is possibel, but requires imaginative use of mod_rewrite which is not something you'd want to do on your first apache config :-)

Rgds,

Owen Boyle.








____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

How about making a list FAQ? (was RE: enabling ssl for a subdirec

Great explanation, Owen. I'm keeping it for whenever somebody asks me --for
the upteenth time-- how to do it.

Which set me thinking: The top 20 questions, which take up a lot of traffic
on this list, are really about configuration tips & tricks, and are not
really covered in the www.modssl.org FAQ. Why don't we help Ralph by adding
them to the FAQ? It would help a lot if we do that, and include a link to it
on the subscription confirmation and the list sig.

Ralph, would that be OK with you?

Off the top of my head, I can think of a few Q's that crop up on an
almost daily basis:
- How do I set a a pure-virtual SSL host? (You don't.)
- Well, then how do I set up an SSL host? (A basic 20-line
config, specifying _default_:443 and specificserver:443
VH's)
- How do I force all or a part of my site to be served
exclusively by SSL? (Redirects by core, mod_rewrite and/or
mod_proxy)
- Compiling on different platforms. (This might be the most
difficult part to keep up to date, but some quick ten-or-
twenty liners, culled from correct answers on the list might
be enough.)
- MSIE keepalive strangeness and bug workarounds (global and
agent-specific cipher stuff)
- How do I sign/self-sign my certificate? (That one's already
in the docs; maybe five-line quick answer?)
- How do I set up an SSL->plain HTTP gateway, or vice versa?
(mod_proxy, maybe with help by mod_rewrite, other solutions
such as stunnel)

¿Can anybody think of other high-traffic topics not on the existing FAQ?

I would be able to help on this FAQ by the start of next month. Anybody else
want to chip in?

Cheers... Marco Zamora

> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@swx.com]
> [...]
> >From: Justin Georgeson [mailto:jgeorgeson@unboundtech.com]
> >
> >I have Apache 1.3.17 with mod_ssl. I'm not a real proficient apache
>
> Congratulations, you've already done the hard part of
> installing mod_ssl and getting it running with certs and so
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org