iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)
Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide—522659-001
Controlling Access and Privacy
With SSL and PCT, all connections between a web client and the server are encrypted. A
web client can verify the server’s identity by using the server’s public-key certificate. As
described previously, you also can request or require a web client to authenticate itself to
the server.
To control server access and privacy, you can:
• Specify Region commands to control server responses
• Use SSL and PCT variables to access information within CGI programs
Specifying Content Access Using the Region Command
You use the Region directive’s RequireSecureTransport command to mandate
that only SSL and/or PCT connections can access particular regions of content. For
example, if you need to protect all your secret recipes from eavesdropping, you could
use the RequireSecureTransport command as follows:
Region /recipes/* {
    RequireSecureTransport
}
In this example, all requests for objects in the /recipes region on the server must be
made using SSL or PCT.
You can further restrict access by using the -auth option of the
RequireSecureTransport command to require that client authentication occurs,
as in this example:
Region /recipes/* {
    RequireSecureTransport -auth
}
In this example, only clients that have been authenticated using SSL or PCT are allowed
access to objects in the /recipes/top-secret region on the server. (For a full description of
the Region command, see Region on page A-39.)
You also can use CGI environment variables in Region commands. All security-related
CGI variables are available in Region commands. For example, the following
command allows access only to clients using keys 128 bits long:
Region /* {
    if {$HTTPS_KEYSIZE != 128} {Deny}
}
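The following audit script is an added example, not part of the original guide or of the iTP Secure WebServer product. It reads Region blocks written in the form shown above and reports, for each region, whether RequireSecureTransport is present, whether -auth is set, and whether the block contains an exact-match $HTTPS_KEYSIZE test. The sample configuration, the /public and /recipes/top-secret/* regions in it, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample config; it uses only the directives shown on this page.
SAMPLE_CONFIG = """
Region /recipes/* {
    RequireSecureTransport
}
Region /recipes/top-secret/* {
    RequireSecureTransport -auth
}
Region /public/* {
}
Region /* {
    if {$HTTPS_KEYSIZE != 128} {Deny}
}
"""

REGION_RE = re.compile(r"^Region\s+(\S+)\s*\{", re.MULTILINE)
RST_RE = re.compile(r"^\s*RequireSecureTransport\b(.*)$", re.MULTILINE)
KEYSIZE_NE_RE = re.compile(r"\$HTTPS_KEYSIZE\s*!=\s*(\d+)")

def region_blocks(text):
    """Yield (path, body) per Region block, tracking nested braces."""
    for m in REGION_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError(f"unterminated Region block for {m.group(1)}")
        yield m.group(1), text[m.end():i - 1]

def audit(text):
    """Return one finding dict per Region block, in file order."""
    findings = []
    for path, body in region_blocks(text):
        rst = RST_RE.search(body)
        findings.append({
            "region": path,
            "secure_transport": rst is not None,
            "client_auth": bool(rst and "-auth" in rst.group(1).split()),
            # "!= N" denies every key size other than N, larger ones included.
            "exact_keysize": KEYSIZE_NE_RE.findall(body),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

A region reported with secure_transport false and an empty exact_keysize list has no transport restriction of its own in the block that was read.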