httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alan Chandler <a...@chandlerfamily.org.uk>
Subject [users@httpd] Authentication with Certificates
Date Tue, 10 Jan 2006 17:56:51 GMT
I have an apache2 web server delivering static content and front ending tomcat 
which delivers dynamic content.  It can do this because all static URLs are 
of a defined form (eg location/*.css or location/*.jpg), and I use JKMount 
and JKUnmount directives to separate out the content types.

I currently use basic authentication soley on apache to limit access to my 
family to one of the dynamic applications - based on the use of <location> 
directives. Tomcat does not get involved in any of the security management.

I am planning the introduction of a private application (financial management) 
which I want to put stronger access controls into by limiting access to users 
(ie only me) who have a certificate directly signed by my ca (which is also 
me).  This will of course run over https as the data returned is also 
sensitive. (at least on the external web site - I have an intranet within the 
home where I could use ordinary http - dependent on the answers to the 
questions below)

It seems to me, that I could also minimally improve security on my family only 
application, by requiring my family also to have (different) certificates 
also signed by me.  But that they would not need https access to the 
applications

I am confused by the manual as to exactly what protocols, and exactly what 
ports are used to 

a) verify the client intially when an SSLVerifyClient is within a <location> 
directive

b) whether the ongoing communication once the client is verified uses which 
protocol and which port.

The reason I need to know, is that I currently map port 443 to a completely 
different space, mapping over an internal virtual host to support webmail. 

Can someone give me a clear summary of this?

-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message