When SSL directives takes effect

Solution 1:

Welcome to the world of Apache! The first lesson is to learn how to read the excellent documentation. In the Apache documentation, every directive has a context section that indicates where in the server's configuration files the directive is legal. It can be found right below the Syntax: and Default: lines.

server config This means that the directive may be used in the server configuration files (e.g., httpd.conf), but not within any <VirtualHost> or <Directory> containers. It is not allowed in .htaccess files at all.

virtual host This context means that the directive may appear inside <VirtualHost> containers in the server configuration files.

directory A directive marked as being valid in this context may be used inside <Directory>, <Location>, <Files>, <If>, and <Proxy> containers in the server configuration files, subject to the restrictions outlined in Configuration Sections.

.htaccess If a directive is valid in this context, it means that it can appear inside per-directory .htaccess files. It may not be processed, though depending upon the overrides currently active.

With SSLEngine, SSLCertificateFile, SSLCertificateKeyFile the contexts are server config & virtual host. This means you could specify them for the whole server and also override this default configuration per <VirtualHost>.

The SSLRequireSSL Directive on the other hand is legal in directory & .htaccess contexts. This means you can, by placing this in a directory, specify that non-TLS connections shouldn't be allowed even if there exists a HTTP alone virtual hosts that would otherwise serve this directory.

However, this day and age you should protect everything with TLS, making SSLRequireSSL needless. Redirect all HTTP to HTTPS & enforce it by a HTTP Strict Transport Security (HSTS) policy (RFC 6797).