httpd-users mailing list archives

From Jan Vávra <va...@602.cz>
Subject Re: [users@httpd] SSL authentication by clients certificates or by IP
Date Thu, 14 Mar 2013 13:33:14 GMT
Hello,
  for a) I'd use the directives Order, Allow, Deny for Directory
  for b) I'd use
  SSLVerifyClient require
  This option allows only clients with a client certificate issued by a CA
in the list defined by SSLCACertificateFile

For more filtering by a specific field of the cert, e.g. Common Name, set
SSLOptions +ExportCertData
and do the check in a PHP script.
The SSL_CLIENT_CERT environment variable will then contain the client cert in
PEM format. You can parse it with the PHP openssl functions.
This is suitable for managing access via this script, e.g.
.../download.php?file=xxx.avi.

  It is possible there is a way to protect the whole content of a
Directory as htpasswd/.htaccess does.
  But on the page http://httpd.apache.org/docs/2.2/howto/auth.html I do not
see it. You would have to write your own Apache module.

Jan.

> Hello everyone !
>
>
>     My purpose is simple:
>
> I want a single SSL vhost that permits two ways to access the website:
> a) People from specific IPs could access the content
> b) People with a valid client certificate could access the content
>
>
> I know how to achieve each access method but not both at the same time.
> How could I write a vhost that accepts connections from specific IPs and
> from people with valid client certificates?
>
>
> Zentoo
>
>
>
>
>
> My current vhost, which permits only client certificates but doesn't accept
> specific IPs.
>
>
> <VirtualHost x.x.x.x:443>
>          SSLEngine on
>
>          SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
>          SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
>          SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
>          SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem
>
>          SSLProtocol -SSLv2 -SSLv3 +TLSv1
>          SSLHonorCipherOrder on
>          SSLCipherSuite \
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL
>          
>          ServerName www.toto.com
>          DocumentRoot /var/www/htdocs
>
>          ErrorLog  /var/logs/ssl_error_log
>          CustomLog /var/logs/ssl_access_log combined
>
>          <Location />
>                  SSLRequireSSL
>                  # Note that SSLVerifyClient optional brings MS IE incompatibility
>                  SSLVerifyClient optional
>                  SSLVerifyDepth 5
>                  SSLOptions OptRenegotiate
>                  # wordlist for "in" uses braces, as in the mod_ssl docs
>                  SSLRequire %{REMOTE_ADDR} in { "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D" } \
>                             or ( %{SSL_CLIENT_S_DN_O}  eq "MyCompany" and %{SSL_CLIENT_S_DN_OU} \
>                             eq "MySection" )
>          </Location>
>
> </VirtualHost>
>
>
>
>
>

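Added example, not from either poster: a single Apache 2.2 SSL vhost in which a request is allowed if EITHER the client IP is on an allowlist OR the client presented a certificate that verifies against the configured CA. The host names and certificate paths are reused from the quoted vhost; the 192.0.2.x addresses, the "MyCompany" organisation and the comments are my own placeholders. The IP half cannot be done with Order/Allow/Deny here, because a failed SSLRequire is a 403 on its own and is not subject to "Satisfy Any", so both conditions are OR-ed inside one SSLRequire. SSLVerifyClient must be "optional" rather than "require": with "require", the handshake itself rejects the IP-only visitors before SSLRequire ever runs.

```apache
# Added example (not code from the original thread).
# Placeholders: 192.0.2.10/11 and "MyCompany" are assumed values.
<VirtualHost x.x.x.x:443>
    SSLEngine on
    ServerName www.toto.com
    DocumentRoot /var/www/htdocs

    SSLCertificateFile      /etc/httpd/conf/my-ca/www.toto.com.crt
    SSLCertificateKeyFile   /etc/httpd/conf/my-ca/www.toto.com.key
    SSLCACertificateFile    /etc/httpd/conf/my-ca/myCA.crt
    SSLCARevocationFile     /etc/httpd/conf/my-ca/myCA-crl.pem

    # "optional": a client MAY send a certificate, but if it does, the
    # certificate must chain to myCA.crt (and not be on the CRL) or the
    # handshake fails. A client that sends none gets
    # SSL_CLIENT_VERIFY = "NONE"; a verified one gets "SUCCESS".
    # Set at vhost level so no per-directory renegotiation is needed.
    SSLVerifyClient optional
    SSLVerifyDepth 5

    # Export SSL_* variables (StdEnvVars) and the PEM certificate in
    # SSL_CLIENT_CERT (ExportCertData) to CGI/PHP scripts that want to do
    # finer checks on the certificate themselves.
    SSLOptions +StdEnvVars +ExportCertData

    ErrorLog  /var/logs/ssl_error_log
    CustomLog /var/logs/ssl_access_log combined

    <Location />
        SSLRequireSSL
        # Access path a) OR access path b). Note the wordlist for "in" is
        # written with braces. The SSL_CLIENT_VERIFY test guards the DN
        # comparison so that an unverified (absent) certificate can never
        # satisfy the second branch.
        SSLRequire %{REMOTE_ADDR} in { "192.0.2.10", "192.0.2.11" } \
                   or ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                        and %{SSL_CLIENT_S_DN_O} eq "MyCompany" )
    </Location>
</VirtualHost>
```

On Apache 2.4 the same OR is expressed with the authorization providers instead of SSLRequire: keep `SSLVerifyClient optional` and use `<RequireAny>` containing `Require ip 192.0.2.10 192.0.2.11` and `Require ssl-verify-client`; the DN restriction then goes into a `Require expr` on `%{SSL_CLIENT_S_DN_O}`.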
