
Re: apache and apache-ssl



On Tue, 17 Dec 2002 15:07:48 -0500 (EST)
<tallison@tacocat.net> wrote:

> > I'm somewhat confused about the configuration of apache and
> > apache-ssl. I noticed that by default they both share the same
> > document root, server root, and run under the same system user. I
> > read about the different methods of authentication on the apache
> > site, as well as .htaccess files, but didn't see a way to restrict
> > access of certain pages to a secure connection only. Am I missing
> > something or should I be setting up apache and apache-ssl to have
> > separate document roots, server roots, and system users?
> >
> 
> apache-ssl doesn't provide access restrictions.  It provides encrypted
> data.
> 
> You can still access all the web pages under apache-ssl, but no one
> can sneak in and steal your information (credit cards) from what you
> POST to the server.
> If you are looking for access restrictions, then .htaccess is a start.
> 
> Not having the docs in front of me, I have to venture a guess that
> there is a different configuration for http and https document roots
> that you have to set up.

Thanks, Sean and tallison.

Sorry, I do realize that apache-ssl doesn't secure information by
default, but requiring basic authentication over ssl using a .htaccess
does, and that is the reason I was asking. 

Is there really any reason for the apache and apache-ssl packages to
default to using the same server root, document root and system user? It
would seem that there would be more people wanting them as separate
pages and sites for security purposes that they would default to being
different, and those that want them alike can make them alike. Shouldn't
a bug report be filed against one or both packages for this?

Thanks again,
Jacob

----- 
GnuPG Key: 1024D/16377135

In a world without fences, who needs Gates?
http://www.linux.org/
