> On Tue, May 30, 2000 at 02:41:50PM -0600, Joel Smith wrote:
> > I've read chapter 5 of the modssl docs (the section on Client
> > Authentication and Access Control), but can't find quite what I'm looking
> > for.  I'm trying to find an easy way to require certificate based
> > authentication to apache only from machines outside our firewall,
> > whereas, those within can authenticate with a username/password pair.
> > I've done this easily enough to qmail with the TLS patch and to imaps
> > via stunnel.  If I could get apache w/ modssl to do the same, I'd be
> > set. I don't want to make two different areas of the site (like the
> > "/secure/area" described in the docs) Anyone have a good idea?  I
> > suppose potentially I could have a virtual host which those outside
> > could point to, and another inside, but I'd rather not.  Users are so
> > hard to train. :-)

Mads Toftum wrote:

> I might be missing what you're trying to do - but if I'm reading this
> right, then all you want to do is to allow plain http access from one
> location and require SSL + client certs from all other ip's?
> Then it really isn't that hard at all - just make Apache listen on plain
> HTTP and limit access to that based on ip, and then also make an HTTPS/
> client cert protected virtual host that just has the same DocumentRoot.
> You can then choose to let HTTPS users enter their passwords as they would
> with plain HTTP or you could use SSLOptions +FakeBasicAuth
> (see http://www.modssl.org/docs/2.6/ssl_reference.html#ToC21).
> Alternatively you could set up a solution like:
> 
>http:[EMAIL PROTECTED]

I need the local users to use HTTPS also, since they will be authenticating with
username/password.  I don't like stuff flying around in the clear.  That's why it's
trickier.

Is there a directive that says "Require cert unless originating from IP address
xxx.xxx.xxx.xxx"?  Your idea is similar to the different virtual host solution I
proposed, i.e. give one URL to internal people, another to external, and the
internal vhost will only talk to LAN users, the external will require a cert, but
since our whole company is passing around intranet URLs all the time, it's not
practical to train users to send both URLs, or for people to figure out why a given
URL isn't working for them.  I want one host, HTTPS, that can decide if a cert is
needed to authenticate based on originating IP address.

Let me see if I understand the solution based on the post to the modperl list.  We
give people a URL to a machine that is proxying traffic.  That machine checks the IP
address, then based on whether they originate from the outside or the inside, it
redirects them to a site which does or doesn't require a cert.  Is that it?  I guess
that would work too.  I'd still rather be able to do it with a directive in the conf
file on a single vhost.

Later,
Joel

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
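The single-vhost setup Joel asks for can be expressed with mod_ssl's own directives: SSLRequire can test REMOTE_ADDR alongside SSL_CLIENT_VERIFY, so one HTTPS virtual host can demand a verified client certificate from everyone except the internal address range, while +FakeBasicAuth (from Mads's reply) lets cert holders skip the password prompt. This is an added example, not configuration from the thread; the 10.1.2.0/24 range, hostname, and file paths are assumed placeholders.

```apache
# Added example (not from the thread): one HTTPS vhost that requires a
# verified client certificate except from the internal network, which
# may authenticate with username/password instead.
# Assumptions: internal range 10.1.2.0/24, paths under /usr/local/apache.
<VirtualHost _default_:443>
    ServerName   www.example.com
    DocumentRoot /usr/local/apache/htdocs

    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    # CA that issued the client certificates; needed for SUCCESS below.
    SSLCACertificateFile  /usr/local/apache/conf/ssl.crt/ca.crt

    # Request a client cert but do not abort the handshake without one;
    # the accept/deny decision is made per request by SSLRequire.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location />
        SSLRequireSSL
        # Internal addresses pass regardless of cert; everyone else must
        # have presented a certificate that verified against the CA.
        SSLRequire %{REMOTE_ADDR} =~ m/^10\.1\.2\.[0-9]+$/ \
                   or %{SSL_CLIENT_VERIFY} eq "SUCCESS"

        # +FakeBasicAuth uses a verified cert's Subject DN as the Basic
        # auth username with the fixed password "password", so cert
        # holders are not prompted; users without a cert are prompted.
        # +StrictRequire keeps a failed SSLRequire as a hard deny.
        SSLOptions   +FakeBasicAuth +StrictRequire
        AuthType     Basic
        AuthName     "Intranet"
        # Contains normal user:crypt lines for internal users plus one
        # line per cert DN, e.g. "/C=US/O=Example/CN=Alice:xxj31ZMTZzkVA"
        # (crypt of "password", as documented for FakeBasicAuth).
        AuthUserFile /usr/local/apache/conf/httpd.passwd
        Require      valid-user
    </Location>
</VirtualHost>
```

An external client with no cert fails SSLRequire and is denied before Basic auth runs; an internal client without a cert gets the password prompt, and any client with a cert the CA verifies is logged in by DN.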