Re: From https to http and vice versa

 




First of all thanks for your advice.

I will check if we can serve all of the contents both in SSL and non SSL.
I didn't consider that solution; in fact I was concerned about putting the conversation between client and server back to http when the user requires a page which needs no protection.
After all the most important thing should be to ensure that some pages are served only in https and forget about the rest. In fact once the client has established a secure connection, the conversation should go on that way regardless of the pages requested, with no need to get back to http.

Anyway I fear our client will not accept this solution, because it is not what they requested.

The ideal solution should be to force the user to visit protected pages in https and get back to http for all the rest of the contents.

Is there a way to accomplish this?
Do the protected pages need to be on a separate path, or is it not necessary?
As regards the number of bits I was referring to 128 bit Verisign certificates.

Bye

Brian Mearns wrote:
On Mon, Mar 30, 2009 at 4:15 PM, Alessandro Fantuzzi <fantuzzi@xxxxxxxxx> wrote:
  
We have a site running on Apache and Tomcat
LINUX
APACHE     2.0.59
TOMCAT     5.5.20
JVM    1.5

We have to put some pages under SSL, just some, say:

https://www.site.com/public/subscribe.jsp
https://www.site.com/public/unsubscribe.jsp

We will install the 128 bit certificate under Apache Http server.
Path /public contains other pages but we want to put under SSL just the ones
mentioned before. Is this possible?

Should we create two Virtual hosts, one for port 80 and one for 443?

How do we force the user to use the correct port, should we create rewrite
rules from one Virtual Host to the other?

Thanks in advance
    
[clip]

If you want to serve both SSL and non-SSL, then yes, you need two
different hosts listening on the two ports as you mentioned. This
alone is not enough, of course, just telling apache to listen on 443
does not set up an SSL server, but it is necessary for what you want.

Are you actually averse to serving other content on SSL? In other
words, if most pages are available on both SSL and non-SSL, is that
okay? If that's the case, you can just serve the same content from
both virtual hosts, but add some RequireSSL directives in a
<FileMatch>, <Location>, or similar tag for the "secure" pages so that
they are only accessible via HTTPS. Creating HTML links to https://...
will suffice for getting the user there.

On a related note, it seems to me that 128 bits is not a remotely
secure key. I can't say for sure, but as I recall, anything under 1024
bits is considered trivial, 2048 or 4096 is better.

Hope that helps.
-Brian

  


--

Alessandro Fantuzzi - O-one s.r.l.
Software developer


-------------------------------------------------------------------
Via Dante Zanichelli, 61 - 42100 Reggio Emilia
Tel. 0522 930078 - Fax. 0522 387947
-------------------------------------------------------------------
Via Stendhal, 36 - 20144 Milano
Tel 02.42292057 - Fax 02.47770936
-------------------------------------------------------------------

STRICTLY PERSONAL AND CONFIDENTIAL This message may contain confidential and proprietary material for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient please contact the sender and delete all copies. The contents of this message that do not relate to the official business of our company shall be understood as neither given nor endorsed by it.
-------------------------------------------------------------------
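
The setup asked about in this message (the two pages forced onto HTTPS, everything else sent back to HTTP), as an added Apache configuration sketch that is not part of the original thread. The certificate paths are placeholders, and the static-asset exclusion and the `;jsessionid` handling are assumptions about the site.

```apache
# Added example, not from the thread. The existing Apache-to-Tomcat
# connector configuration is assumed unchanged and is not shown.
Listen 80
Listen 443

<VirtualHost *:80>
    ServerName www.site.com
    RewriteEngine On

    # Send the two protected pages to HTTPS. Tomcat may append
    # ";jsessionid=..." to the path, so that suffix is matched too;
    # otherwise such a URL would slip past the rule and be served in clear.
    RewriteRule ^/public/(subscribe|unsubscribe)\.jsp(;.*)?$ https://www.site.com%{REQUEST_URI} [R,L]

    # Backstop: if the rule above is ever removed or reordered, plain-HTTP
    # requests for these pages are refused instead of being served.
    <LocationMatch "^/public/(subscribe|unsubscribe)\.jsp(;.*)?$">
        SSLRequireSSL
    </LocationMatch>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site.com
    SSLEngine on
    # Placeholder paths: point these at the installed certificate and key.
    SSLCertificateFile    /path/to/PLACEHOLDER.crt
    SSLCertificateKeyFile /path/to/PLACEHOLDER.key

    RewriteEngine On
    # Leave the protected pages on HTTPS.
    RewriteCond %{REQUEST_URI} !^/public/(subscribe|unsubscribe)\.jsp(;.*)?$
    # Assumption: images, CSS and scripts used by the protected pages must
    # stay reachable over HTTPS, or browsers flag mixed content.
    RewriteCond %{REQUEST_URI} !\.(css|js|gif|jpe?g|png|ico)$
    # Everything else goes back to plain HTTP.
    RewriteRule ^/(.*)$ http://www.site.com/$1 [R,L]
</VirtualHost>
```

Any session cookie set while on HTTPS is sent again in clear once the browser is redirected back to HTTP, so the protected pages should not rely on a session that is shared with the HTTP side.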
