What do you think about SSL for authentication only? Wouldn't it be a good idea to redirect all /manage urls to the 443-port? I only need SSL for the authentication. I think there should be a possibility to let Apache look at the url, and if there is a /manage string, it would redirect it to the virtual SSL-server. After this, encryption is not needed anymore and it can go on at the unencrypted virtual server. If I only would know how to look at the url with regular expressions ... I think redirecting would work with ProxyPass or Rewrite. Did I miss something? Can anyboldy help me? _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
On Wed, Aug 01, 2001 at 06:48:42PM +0000, Stephan Goeldi wrote:
I only need SSL for the authentication. I think there should be a possibility to let Apache look at the url, and if there is a /manage string, it would redirect it to the virtual SSL-server. After this, encryption is not needed anymore and it can go on at the unencrypted virtual server.
We're working on a restricted-access site here where we'll have lots of usernames/passwords flying around without using the ZMI. So while intercepting /manage URLs might work in your case, it wouldn't catch every potential object that might require authentication. Also, consider the case of adding new users into your acl_users folder: did you just send a username and password combination over the network in plaintext while you were creating that user? Was there a /manage anywhere in the transaction for Apache to intercept and rewrite? -- Mike Renfro / R&D Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
participants (2)
-
Mike Renfro -
Stephan Goeldi