httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Francois Maeyhieux <>
Subject [users@httpd] SSL authentication by clients certificates or by IP
Date Thu, 14 Mar 2013 11:43:02 GMT
Hello everyone !

   My purpose is simple:

I want a unique SSL vhost that permit two way to access the website:
a) People from specific IP could access the content
b) People with a valid client certificate could access the content

I know how to achieve each access way but not both in the same time.
How could I write a vhost to accept connection from specifics IP and
from people with a valide client certificates ?


My actual vhost that permit only client certificates but don't accept
specific IP.

<VirtualHost x.x.x.x:443>
        SSLEngine on

        SSLCertificateFile /etc/httpd/conf/my-ca/
        SSLCertificateKeyFile /etc/httpd/conf/my-ca/
        SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
        SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem

        SSLProtocol -SSLv2 -SSLv3 +TLSv1
        SSLHonorCipherOrder on
        DocumentRoot /var/www/htdocs

        ErrorLog  /var/logs/ssl_error_log
        CustomLog /var/logs/ssl_access_log combined

        <Location />
                # Note that SSLVerifyClient optional brings MS IE incompatibility
                SSLVerifyClient optional
                SSLVerifyDepth 5
                SSLOptions OptRenegotiate
                SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D") \
                           or ( %{SSL_CLIENT_S_DN_O}  eq "MyCompany" and %{SSL_CLIENT_S_DN_OU}
eq "MySection" )


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message