httpd-users mailing list archives

From "Darren S." <phatbuck...@gmail.com>
Subject [users@httpd] Re: Access control to allow local clients or remote with SSL client certificate
Date Fri, 16 Jun 2017 09:24:03 GMT
On Fri, Jun 16, 2017 at 1:59 AM, Darren S. <phatbuckett@gmail.com> wrote:
> Greetings,
>
> Running Apache 2.4.7 and current configuration limiting access to a
> directory to only clients that can provide a trusted client certificate.
> Server is SSL host. Would like to modify configuration to allow "local"
> clients (127.0.0.1, etc. as defined by 'Require local' auth provider) to
> access the directory without authenticating with a client certificate. So
> the local host may access the directory without SSL client auth, but all
> others must authenticate with a client certificate or access is forbidden.
> What is the best/proper way to do this?
>
> I'd like to use modern directives (avoiding Allow, Deny, Order etc. from
> mod_access_compat) but I'm not clear how to combine Require related
> directives with mod_ssl options like SSLVerifyClient.

I ended up with this as a test; is this as easy as it should be?

<VirtualHost _default_:443>
        ServerName example.com
        DocumentRoot /var/www/app

        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        SSLCACertificateFile "/etc/apache2/client-ca.crt"
        <Directory /var/www/app/webroot>
                SSLVerifyClient optional
                SSLVerifyDepth 1
                Options -Indexes
                AllowOverride all
                <RequireAny>
                        Require ssl-verify-client
                        Require local
                </RequireAny>
        </Directory>
</VirtualHost>

-- 
Darren Spruell
phatbuckett@gmail.com
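
One way to check that the <RequireAny> block in the message above behaves as intended, as an added example that is not part of the original post: run it once on the server itself and once from another host, and compare the status codes against what the rule should grant. The URL path, the client.crt/client.key file names and the CA bundle path are placeholders assumed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): probe the RequireAny access rule.
# Assumed placeholders: URL, CA, CERT, KEY. Override them via the environment.

# Must name an existing file: with "Options -Indexes" a bare directory URL
# without an index file also answers 403 and would look like an access denial.
URL="${URL:-https://example.com/webroot/index.html}"
CA="${CA:-server-ca.crt}"        # CA that signed the server certificate
CERT="${CERT:-client.crt}"       # client certificate issued by the trusted client CA
KEY="${KEY:-client.key}"

# probe [extra curl args...] -> prints the HTTP status (000 on TLS/connect failure)
probe() {
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 10 --cacert "$CA" "$@" "$URL" || true
}

# expected VANTAGE HAS_CERT -> allow|deny
# RequireAny grants access if the client is local OR presented a verified certificate.
expected() {
    if [ "$1" = local ] || [ "$2" = yes ]; then echo allow; else echo deny; fi
}

# verdict EXPECTED STATUS -> PASS|FAIL (403 is the only status counted as a denial)
verdict() {
    case "$1:$2" in
        allow:2??|allow:3??) echo PASS ;;
        deny:403)            echo PASS ;;
        *)                   echo FAIL ;;
    esac
}

main() {
    vantage="$1"   # "local" when run on the server itself, "remote" from any other host
    for has_cert in no yes; do
        if [ "$has_cert" = yes ]; then
            status=$(probe --cert "$CERT" --key "$KEY")
        else
            status=$(probe)
        fi
        want=$(expected "$vantage" "$has_cert")
        echo "$vantage cert=$has_cert status=$status expect=$want $(verdict "$want" "$status")"
    done
}

# Runs only when a vantage point is given: ./check.sh local   or   ./check.sh remote
if [ $# -gt 0 ]; then main "$1"; fi
```

The case that matters most is "remote cert=no": anything other than 403 there means the directory is reachable without a certificate.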
