Ssl – Restrict Apache to only allow access using SSL for some directories

apache-2.2httpsssl

I have an Apache 2.2 server with an SSL certificate hosting several services that should be only access using SSL.

ie: https://myserver.com/topsecret/ should be allowed while http://myserver.com/topsecret/ should be either denied or, ideally, redirected to https.
http://myserver.com/public should not have this restriction, and should work using either http or https.
The decision to allow/deny http is made at the top level directory, and affects all content underneath it.

Is there a directive that can be placed in the Apache config to retrict access in this manner?

Best Answer

The SSLRequireSSL directive is what you're looking for.

Inside your <VirtualHost>, or at the top level if you're not using virtual hosts:

<Directory /topsecret>
  SSLRequireSSL
</Directory>

Or in .htaccess:

SSLRequireSSL

Related Solutions

Iis – How to restrict access to web pages for HTTPS

You can certainly limit a folder/virtual-directory/application in IIS to HTTPS only (HTTP requests will be redirected to HTTPS).

The method depends on the IIS version.

IIS7 and later (for Vista/2008/Win7/2008R2):

In the containing Web Site, ensure SSL is configured (i.e. a HTTPS/SSL binding and certificate are configured).
Select the right location in the folder tree
Use SSL Settings to select "Require SSL".

IIS6 and earlier:

In the properties of the web site configure certificate and SSL port.
In the properties of applicable folder in the Directory Security Tab click on Edit and select Require Secure Channel (SSL)

Apache Access Control – How to Deny from All, Allow from Subnet, but Deny from IP Within Subnet

I haven't tested, but I think you are almost there.

<Location /server-status>
    SetHandler server-status
    Order Allow,Deny
    Deny from  192.168.16.100
    Allow from 192.168.16.0/24
</Location>

Deny from all is not needed. In fact it will screw up because everything will match all, and thus denied (and I think Apache is trying to be smart and do something stupid). I have always found Apache's Order, Allow and Deny directives confusing, so always visualize things in a table (taken from the docs):

Match      | Allow,Deny result   | Deny,Allow result
-------------------------------------------------------
Allow only | Allowed             | Allowed
Deny only  | Denied              | Denied
No match   | Default: Denied     | Default: Allowed
Match both | Final match: Denied | Final match: Allowed

With the above settings:

Requests from 192.168.16.100 get "Match both" and thus denied.
Requests from 192.168.16.12 get "Allow only" and thus allowed.
Requests from 123.123.123.123 get "No match" and thus denied.

Best Answer

Related Solutions

Iis – How to restrict access to web pages for HTTPS

Apache Access Control – How to Deny from All, Allow from Subnet, but Deny from IP Within Subnet

Related Topic