httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gonzalo Morera" <gmor...@novell.com>
Subject [users@httpd] implement a ssl secured vhost on apache-2.2.10-2.24.5 (SLES11 SP1) with client authentication
Date Tue, 05 Apr 2011 09:05:07 GMT
Hi all

I'm pretty new to apache and i have an issue trying to accomplish the following. I've searched
all over the places and i could not find anything about it so it may not be possible to accomplish
it.

Our requirements are: 
* Public Access to directory "/data" (No client certificate required)
* Restricted Access to directory "/data/repo" which requires a valid client certificate AND
username/password (htaccess).

It seems as this combination of public and restricted access is not possible and it either
works for only one of the requirements. The option "SSLVerifyClient require" inside a <Directory>-section
is not active, if a global configuration "SSLVerifyClient optional" or "SSLVerifyClient none"
is set. 
What is needed to meet both requirements in one vhost? or it is not possible at all?

Our current configuration:

<VirtualHost *:443>

        # http://www.modssl.org/docs/2.8/ssl_howto.html 

        ServerName packages.toto.lo

        ErrorLog /var/log/apache2/packages_toto_lo_ssl_error_log
        TransferLog /var/log/apache2/packages_toto_lo_ssl_access_log
        CustomLog /var/log/apache2/packages_toto_lo_ssl_log \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

        LogLevel info

        SSLEngine on
        # Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
        SSLProtocol all -SSLv2
        # Here, I am allowing only "high" and "medium" security key lengths.
        SSLCipherSuite HIGH:MEDIUM
        #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW


        # Cert
        SSLCertificateFile /etc/ssl/certs/packages_toto_lo.crt
        # Key
        SSLCertificateKeyFile /etc/ssl/certs/packages_toto_lo.key
        # Zwischenzertifikat/Intermediate Cert
        SSLCACertificateFile /etc/ssl/certs/packages_toto_lo.ca-bundle

        #SSLOptions +OptRenegotiate +StdEnvVars +ExportCertData
        SSLOptions +OptRenegotiate +StdEnvVars
        # / soll auch ohne Client Certificate gehen
        SSLVerifyClient require
        ## Client settings
        SSLCACertificatePath "/etc/ssl/certs/CA"

        DocumentRoot "/data"
        <Directory "/data">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride none
                Order allow,deny
                allow from all
        </Directory>

        Alias /repo /data/repo
        <Location /repo>
                SSLRequireSSL
                SSLOptions +StrictRequire +ExportCertData
                #ein gueltiges zertifikat muss zum verbindungsaufbau praesentiert werden
                SSLVerifyClient require
                SSLVerifyDepth  10
                SSLRequire %{SSL_CLIENT_S_DN_Email} eq "hh@toto.lo" \
                or %{SSL_CLIENT_S_DN_Email} eq "ff@toto.lo" \

                SetEnv REMOTE_USER ${SSL_CLIENT_S_DN_CN}
                SSLUserName SSL_CLIENT_S_DN_CN

                Options Indexes FollowSymLinks MultiViews
                Order deny,allow
                deny from all

                Satisfy Any
                AuthType Basic
                AuthName "repo"
                AuthUserFile /etc/apache2/htpasswd
                Require valid-user
        </Location>

</VirtualHost>

Thanks a lot

Gonzalo



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message