On Tue, May 30, 2000 at 02:41:50PM -0600, Joel Smith wrote:
> Hi,
> I've read chapter 5 of the modssl docs (the section on Client
> Authentication and Access Control), but can't find quite what I'm looking
> for.  I'm trying to find an easy way to require certificate based
> authentication to apache only from machines outside our firewall,
> whereas, those within can authenticate with a username/password pair.
> I've done this easily enough to qmail with the TLS patch and to imaps
> via stunnel.  If I could get apache w/ modssl to do the same, I'd be
> set. I don't want to make two different areas of the site (like the
> "/secure/area" described in the docs) Anyone have a good idea?  I
> suppose potentially I could have a virtual host which those outside
> could point to, and another inside, but I'd rather not.  Users are so
> hard to train. :-)

I might be missing what you're trying to do - but if I'm reading this
right, then all you want to do is to allow plain http access from one
location and require SSL + client certs from all other IPs?
Then it really isn't that hard at all - just make Apache listen on plain
HTTP and limit access to that based on IP, and then also make an HTTPS/
client cert protected virtual host that just has the same DocumentRoot.
You can then choose to let HTTPS users enter their passwords as they would
with plain HTTP or you could use SSLOptions +FakeBasicAuth
(see http://www.modssl.org/docs/2.6/ssl_reference.html#ToC21).
Alternatively you could set up a solution like:
http:[EMAIL PROTECTED]


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
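
The layout described in the reply above, sketched as an added configuration example (not part of the original message or of the mod_ssl documentation). It uses Apache 1.3 / mod_ssl 2.6-era directives; every address, host name, realm and file path is a constructed placeholder.

```apache
# Added example. Addresses, names and paths below are placeholders.
Listen 80
Listen 443

# Plain HTTP: answered only for the internal network, with password login.
# Note: Basic auth over plain HTTP crosses the LAN unencrypted.
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/site
    <Directory /var/www/site>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
        AuthType Basic
        AuthName "Internal users"
        AuthUserFile /etc/apache/passwd.internal
        Require valid-user
        # Both the address match and the password are required
        Satisfy all
    </Directory>
</VirtualHost>

# HTTPS: open to any address, but the handshake fails unless the client
# presents a certificate issued by the CA in SSLCACertificateFile.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile /etc/apache/ssl/server.crt
    SSLCertificateKeyFile /etc/apache/ssl/server.key
    SSLCACertificateFile /etc/apache/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    <Directory /var/www/site>
        # Optional: map the certificate subject DN to a Basic auth user so
        # no password prompt appears. Entries in passwd.certs use the DN as
        # the user name and the crypted word "password" as the password.
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Certificate users"
        AuthUserFile /etc/apache/passwd.certs
        Require valid-user
    </Directory>
</VirtualHost>
```

On Apache 2.4 and later the `Order`/`Deny`/`Allow` lines are replaced by `Require ip 10.0.0.0/8`. Check from an outside address that port 80 is refused and that port 443 rejects a connection made without a client certificate.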
