diff options
Diffstat (limited to 'docs/manual/ssl/ssl_howto.html.en')
| -rw-r--r-- | docs/manual/ssl/ssl_howto.html.en | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/docs/manual/ssl/ssl_howto.html.en b/docs/manual/ssl/ssl_howto.html.en index 733025c455..32c891ed34 100644 --- a/docs/manual/ssl/ssl_howto.html.en +++ b/docs/manual/ssl/ssl_howto.html.en @@ -59,7 +59,7 @@ following directives.</p> <ul> <li><a href="#onlystrong">How can I create an SSL server which accepts strong encryption only?</a></li> -<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but +<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but requires a strong cipher for access to a particular URL?</a></li> </ul> @@ -88,8 +88,8 @@ only?</a></h3> in general, but requires a strong ciphers for access to a particular URL?</a></h3> - <p>Obviously, a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts - ciphers to the strong variants, isn't the answer here. However, + <p>Obviously, a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts + ciphers to the strong variants, isn't the answer here. However, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> can be reconfigured within <code>Location</code> blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. @@ -111,7 +111,7 @@ URL?</a></h3> <ul> <li><a href="#allclients">How can I force clients to authenticate using certificates?</a></li> -<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a +<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server?</a></li> <li><a href="#certauthenticate">How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?</a></li> @@ -164,14 +164,14 @@ Intranet website, for clients coming from the Internet?</a></li> matches what you expect. Usually this means checking all or part of the Distinguished Name (DN), to see if it contains some known string. There are two ways to do this, using either <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> or - <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>.</p> - + <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>.</p> + <p>The <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> method is generally required when the certificates are completely arbitrary, or when their DNs have no common fields (usually the organisation, etc.). In this case, you should establish a password database containing <em>all</em> clients allowed, as follows:</p> - + <div class="example"><h3>httpd.conf</h3><pre> SSLVerifyClient none <Directory /usr/local/apache2/htdocs/secure/area> @@ -188,11 +188,11 @@ AuthBasicProvider file AuthUserFile /usr/local/apache2/conf/httpd.passwd Require valid-user </Directory></pre></div> - + <p>The password used in this example is the DES encrypted string "password". - See the <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more + See the <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more information.</p> - + <div class="example"><h3>httpd.passwd</h3><pre> /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA @@ -222,10 +222,10 @@ authentication or client certificates, for access to part of the Intranet website, for clients coming from the Internet? I still want to allow plain HTTP access for clients on the Intranet.</a></h3> - - <p>These examples presume that clients on the Intranet have IPs in the range + + <p>These examples presume that clients on the Intranet have IPs in the range 192.168.1.0/24, and that the part of the Intranet website you want to allow - internet access to is <code>/usr/local/apache2/htdocs/subarea</code>. + internet access to is <code>/usr/local/apache2/htdocs/subarea</code>. This configuration should remain outside of your HTTPS virtual host, so that it applies to both HTTPS and HTTP.</p> |