Skip to main content

apache 2.2 - Mixing SSL and non-SSL content in an Apache2 virtual host



I have a (hopefully) common scenario for one of my sites that I just can't seem to figure out how to deploy correctly.



I have the following site and directories for example.com:



These need to require SSL:




  • /var/www/example.com/admin


  • /var/www/example.com/order



These need to be non-SSL:




  • /var/www/example.com/maps



These need to support both:





  • /var/www/example.com/css

  • /var/www/example.com/js

  • /var/www/example.com/img



I have two virtual host declarations for example.com in my /sites-available/example.com file; the top one is *:443 the second one is *:80.



Since I have two vhost declarations, if a request comes in on 443, the top virtualhost is used, same with the bottom if it's a port 80 request.




However, I can't seem to enforce my SSL requirements using SSLRequireSSL because I'm assuming a port 80 request to /admin or /order is not even hitting the *:443 vhost.



Should I just Deny All to /order and /admin within the *:80 virtual host so that if you try to request it on 80, you'll get a 403 Forbidden?


Answer



better yet, redirect it to ssl (or back) automatically



in non ssl vhost:



Redirect /admin https://example.com/admin

Redirect /admin https://example.com/order


in ssl vhost (if you really want /maps always to be non-ssl, to save cpu maybe?)



Redirect /maps http://example.com/maps

Comments