Entry
What are the most secure SSL settings?
Jan 9th, 2007 05:15
Apache Dude, http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html
SSL Redirect Method (doesn't require mod_rewrite!)
SSLOptions +StrictRequire forces forbidden access (403) when
SSLRequireSSL or SSLRequire decide access should be forbidden. Usually
where a Satisfy Any directive is used, this denial of access is
overridden. For strict access restriction you can use SSLRequireSSL
and/or SSLRequire in combination with SSLOptions +StrictRequire. Then
an additional Satisfy Any has no chance once mod_ssl has decided to deny
access.
SSLRequireSSL forbids access unless HTTP over SSL (i.e. HTTPS) is
enabled for the current connection.
SSLRequire forbids access unless HTTP_HOST matches your SSL certificate
(in this case, the certificate is for askapache.com not www.askapache.com).
If either of those 2 checks fails (403), then the ErrorDocument directive
uses a 302 to redirect the browser to https://askapache.com.
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "askapache.com"
ErrorDocument 403 https://askapache.com
Note: Checking for the correct HTTP_HOST fixes the problem with Basic
Authentication asking for the username/password twice, and also fixes
security errors about your SSL certificate.
Alternative to the above method (doesn't require mod_ssl!)
RewriteCond %{HTTPS} !=on
RewriteRule .* - [F]
ErrorDocument 403 https://askapache.com
or
RewriteCond %{HTTPS} !=on
RewriteRule .*$ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]
NOTE: The HTTPS variable is always present, even if mod_ssl isn’t
loaded! This is useful if a non-SSL server is redirecting to a different
SSL-enabled server.
Redirect everything served on port 80 to SSL
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]
Redirecting to SSL or non-SSL using relative URIs
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [QSA,R=302,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [QSA,R=302,L]
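As an added example that is not part of the original post: a small Python model of the decision each snippet above makes for a request (Host header, path, query string, HTTPS on or off), so their differences in path preservation and host checking can be compared side by side. The constructed requests and the canonical_redirect variant are assumptions of this example, not configuration from the page.

```python
# Added example: models the outcome of the three redirect methods above for a
# given request. Sample requests are constructed for illustration.
from dataclasses import dataclass

CANON_HOST = "askapache.com"                 # host the SSL certificate is issued for
ROOT_REDIRECT = "302 https://askapache.com"  # what "ErrorDocument 403 <URL>" produces


@dataclass
class Request:
    host: str              # %{HTTP_HOST}
    uri: str               # %{REQUEST_URI} (path only)
    query: str = ""        # query string
    https: bool = False    # %{HTTPS} == "on"


def ssl_require_method(req: Request) -> str:
    """SSLOptions +StrictRequire / SSLRequireSSL / SSLRequire %{HTTP_HOST} eq CANON_HOST."""
    if not req.https or req.host != CANON_HOST:
        # mod_ssl answers 403; the absolute-URL ErrorDocument turns that into a
        # 302 to the site root, so the requested path and query string are lost.
        return ROOT_REDIRECT
    return "200"


def rewrite_forbid_method(req: Request) -> str:
    """RewriteCond %{HTTPS} !=on / RewriteRule .* - [F] / ErrorDocument 403 <URL>."""
    if not req.https:
        return ROOT_REDIRECT   # same path loss as above, and no host check at all
    return "200"


def rewrite_redirect_method(req: Request) -> str:
    """RewriteCond %{HTTPS} !=on / RewriteRule .*$ https://%{HTTP_HOST}%{REQUEST_URI} [QSA,R=301,L]."""
    if not req.https:
        # Path and (via QSA) query string survive, but the host is echoed back
        # unchanged: a www. request lands on a name the certificate does not cover.
        target = f"https://{req.host}{req.uri}"
        if req.query:
            target += "?" + req.query
        return "301 " + target
    return "200"


def canonical_redirect(req: Request) -> str:
    """Assumed variant (not on the page): always send to CANON_HOST, keeping path and query."""
    if req.https and req.host == CANON_HOST:
        return "200"
    target = f"https://{CANON_HOST}{req.uri}"
    if req.query:
        target += "?" + req.query
    return "301 " + target
```

The canonical_redirect variant corresponds to combining the page's HTTP_HOST check with its path-preserving RewriteRule, redirecting to the certificate's own hostname instead of echoing %{HTTP_HOST}.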