Solved

Testing SSL on Apache

Posted on 2002-04-22
24
435 Views
Last Modified: 2010-04-11
When I access my site by typing https etc., I get a message saying I am entering a secure site, and when I click logout it says I am leaving a secure site.
However, when I am in the site and I manually delete the s from the https, an http page comes up. I don't want people to have access to this because it is outside of the secure area..... I have Apache and Tomcat 3 installed with mod_jk.dll. I am using OpenSSL and mod_ssl.
Please help!
Thanks
Triga
0
Comment
Question by:trigabert
24 Comments
 
LVL 5

Expert Comment

by:BlackDiamond
ID: 6961201
In the .htaccess file for that folder, enter "SSLREQUIRE TRUE".
0
 
LVL 5

Expert Comment

by:BlackDiamond
ID: 6961209
Actually, the option you probably want is "SSLREQUIRESSL TRUE". I can't remember which is which, but set them both. You should be OK.
0
 

Author Comment

by:trigabert
ID: 6962496
Thanks for your reply, but I can't find that file.
Is it in the Apache directory?
triga
0
 

 
LVL 5

Expert Comment

by:BlackDiamond
ID: 6963176
If it is not there, you can create it. Call it ".htaccess" and just add that line.
0
 

Author Comment

by:trigabert
ID: 6963638
Where do I create it? In the folder with all of my secure folder, which has all of the .jsp files that I want people to be able to access ONLY under a secure connection?

Is it something to do with the virtual host in the Apache httpd.conf file?
I tried setting SSLEngine off for the folder containing the login page and setting SSLEngine on for my secure folder - this doesn't work though!! HELP

I am using OpenSSL and mod_jk with Apache 1.2.24

Thanks
triga
0
 
LVL 5

Expert Comment

by:BlackDiamond
ID: 6963674
That file should go in every directory that you want those options set on.

Here are a couple links that are worth reading on the subject.  The second and third links describe most of the SSL directives that you can use in .htaccess and httpd.conf.

http://apache-server.com/tutorials/ATusing-htaccess.html
http://www.onlamp.com/pub/a/apache/excerpts/chpt13/?page=3
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html
0
 

Author Comment

by:trigabert
ID: 6963802
I created a file called .htaccess and stored it in the folder where all of my JSP files that I need secure are. I then entered the lines

SSLREQUIRESSL TRUE
SSLREQUIRE TRUE

and then saved it with just these two lines in it. This didn't work for me. Is there any other way?

I know I am thick.

Thanks
triga
0
 

 

Author Comment

by:trigabert
ID: 6963852
Can I paste this into my httpd.conf file?

<Directory /some/where/important>
  SSLRequireSSL
</Directory>

And instead of somewhere important just put the folder name, and maybe the path?!
Thanks
triga
0
 


 
LVL 5

Expert Comment

by:BlackDiamond
ID: 6964051
You should be able to use the <Directory> directive that you specified.  You will need to restart httpd when you change httpd.conf (you do not need to restart if you change .htaccess files).

My mistake on the syntax, which is probably why the .htaccess file is not working. The line should just be "SSLREQUIRESSL". You do not need to specify TRUE.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6965049
trigabert - stop hitting "refresh" immediately after you post - it makes your post appear again, and this thread commensurately hard to read.  Hit "Back", then "Refresh", if you must.

Have you ever made a .htaccess file work? Folks also use it to set up passwords per-directory, as well - play around with it, make sure your .htaccess files are being used by Apache (you should be able to find many references on how to set up a password on a directory using .htaccess) - once you get that working, remove the password stuff, add BlackDiamond's suggestions, and all should be well.

-Jon
0
 

Author Comment

by:trigabert
ID: 6965064
OK, thank you. I will paste this into the end of my httpd.conf file

<Directory D:/tomcat/webapps/secure>
 SSLRequireSSL
</Directory>

and NOT put it inside the virtual host bit. Is that right? Will I set up another

<Directory D:/tomcat/webapps/NOTsecure>

</Directory>

and leave out the line SSLRequireSSL for my unsecure directory?

Sorry to keep asking you!
triga
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6965237
BTW, thanks for not submitting that one twice - I was starting to think I was seeing double hehe...

-Jon
0
 

Author Comment

by:trigabert
ID: 6965298
Hee hee, I am 87. I need to see double!

I can't telnet from here for the .htaccess stuff setting up passwords etc., and it sounds too complicated for my feeble brain. There must be an easier way to get this to work. Also, every now and then when I click submit on a page it redirects out to an unsecure page and then back in!!? I am about to give up....

triga

Hope this doesn't go in twice. My hands are a bit shaky....here goes...
0
 

Author Comment

by:trigabert
ID: 6965442
This is what is down the end of our httpd.conf file:

SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

SSLLog logs/SSL.log
SSLLogLevel info


<VirtualHost here.there.ie:80>
#SSLDisable
Port 80
SSLEngine off      
DocumentRoot d:/tomcat/webapps/unsecure
</VirtualHost>
   

<VirtualHost here.there.ie:443>
#SSLEnable
Port 443
SSLEngine On
SSLCertificateFile conf/ssl/here.there.ie.cert
SSLCertificateKeyFile conf/ssl/here.there.ie.key
DocumentRoot d:/tomcat/webapps/secure/
</VirtualHost>

And in the middle of the file the doc root is set to:

DocumentRoot d:/tomcat/webapps/secure/

This is still not working!? Should I customise Apache functionality at the directory level by typing in the following at the bottom of the file....

Thanks
Triga

0
 

Author Comment

by:trigabert
ID: 6966010
I created 2 folders, one secure and one unsecure, and created a .htaccess file for the secure folder and typed in SSLREQUIRESSL, and this worked, except that when I log in it says that it can't find the login servlet. Where should I put my servlets, and should I change anything in the Tomcat and/or Apache configuration?
Is there anyone out there?
TRIGABERT
0
 

 
LVL 16

Expert Comment

by:The--Captain
ID: 6967934
Sounds like you are close - once again, may I suggest implementing a simpler test of .htaccess by attempting to set a password on the directory in question?

This will allow you to separate problems with your SSL config from problems with your .htaccess files, if I understand your problem correctly...

In any case, BlackDiamond gets my vote for most (if not all) of the points here.

-Jon

P.S.  Don't forget to hit "Back" before "Refresh"...  You were looking great for a while, but I seemed to see double on that last post (hehe).  Ultimate respect to you for continuing to compute at age 87 - I wish my grandparents were so well-versed in technology.

0
 

Author Comment

by:trigabert
ID: 6968233
OK, I am trying to do that, but anything I find on the web to do this keeps talking about telnet and FTP, which I know nothing about. I have my own server, and I created a file and called it .htaccess and saved it into my web folder (which I need secure). It contains the following so far..

AuthUserFile /home/administrator/private/.htpasswd
AuthName "You do not have permission to access these files"
AuthType Basic

require valid-user

<Files ".htaccess">
     Order allow,deny
     Deny from all
</Files>
<Files ".htpasswd">
     Order allow,deny
     Deny from all
</Files>

I don't know what to change without having to telnet to my server, but I have my server here in front of me?

Sorry to be so annoying..
Trig.

0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6969808
No prob - I will post my password-protected config here later this evening (got Tai Chi class shortly) - hopefully this will provide enough info to get password protection working for you - then you can combine your working .htaccess config with BlackDiamond's suggestions.

Cheers,
-Jon
0
 

Accepted Solution

by:
nicola00 earned 100 total points
ID: 6974681
Why don't you use the rewrite rule in Apache? Load the module etc. and add the following

# mod_rewrite does nothing until the engine is switched on
RewriteEngine On
# redirect to https
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/myfiles(.*)$ https://servername/myfiles$1 [R,L]
RewriteRule ^/~(.*)/securefolder$ https://servername/~$1/securefolder/ [R,L]

Just put the files you want viewed through https in a folder within your docroot called securefolder. This will force to https. Then there is no need to have to set up htaccess and htpassword files!

Good Luck

N

0
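
An added example (not code from anyone in this thread) that turns the test from the question, deleting the s from https, into a repeatable check: it classifies what the server answers on plain HTTP for a page that should be HTTPS-only. The names classify, probe and verdicts are hypothetical and the sample replies are constructed; 403 is the status SSLRequireSSL produces on a non-SSL request.

```python
import http.client
from urllib.parse import urlsplit

def classify(status, location=""):
    """Verdict for the reply to a plain-HTTP request for a page meant to be HTTPS-only."""
    if status in (301, 302, 303, 307, 308):
        # A relative or http:// Location keeps the browser on the clear-text port
        return "redirect-https" if urlsplit(location).scheme == "https" else "redirect-not-https"
    if status == 403:
        return "denied"           # what SSLRequireSSL answers on a non-SSL connection
    if status == 401:
        return "auth-over-http"   # Basic auth challenge: password would travel unencrypted
    if 200 <= status < 300:
        return "exposed"          # page served in the clear (the original problem)
    return "other-%d" % status

def probe(host, path, port=80, timeout=5):
    """Send one GET over plain HTTP, without following redirects, and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, resp.getheader("Location") or "")
    finally:
        conn.close()

# Constructed replies (not captured from a real server), one per state seen in the thread
SAMPLE_REPLIES = [
    ("/secure/index.jsp", 200, ""),                                # before any fix
    ("/secure/index.jsp", 403, ""),                                # SSLRequireSSL in place
    ("/myfiles/a.jsp", 302, "https://servername/myfiles/a.jsp"),   # rewrite rule in place
    ("/myfiles/a.jsp", 302, "/myfiles/a.jsp/"),                    # redirect that stays on http
    ("/secure/index.jsp", 401, ""),                                # password prompt on port 80
]

def verdicts(replies=SAMPLE_REPLIES):
    """Classify each constructed reply in order."""
    return [classify(status, location) for _path, status, location in replies]

if __name__ == "__main__":
    for (path, status, _loc), verdict in zip(SAMPLE_REPLIES, verdicts()):
        print(path, status, verdict)
```

Against a live server, call probe with the host name and the protected path; only "denied" and "redirect-https" mean the plain-HTTP door is closed.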
