Re: Authentication with certificates only of clients on untrusted hosts

2000-06-03 Thread Mads Toftum

On Wed, May 31, 2000 at 09:15:31AM -0600, Joel Smith wrote:
 
 I need the local users to use HTTPS also, since they will be authenticating with
 username/password.  I don't like stuff flying around in the clear.  That's why it's
 trickier.
 Is there a directive that says "Require cert unless originating from IP address
 xxx.xxx.xxx.xxx"?  Your idea is similar to the different virtual host solution I
 proposed, i.e. give one url to internal people, another to external, and the internal
 vhost will only talk to LAN users, the external will require a cert, but since our
 whole company is passing around intranet URLs all the time, it's not practical to
 train users to send both urls, or for people to figure out why a given URL isn't
 working for them.  I want one host, https, that can decide if a cert is needed to
 authenticate based on originating IP address.

Ah, I missed the part about using https locally - that changes my suggestion a bit.
You could make it real simple by giving your machine two ip addresses and making two
https virtual hosts - one accepting local connections without certs and the other
requiring certs. Alternatively you could set up something based on
SSLVerifyClient optional (http://www.modssl.org/docs/2.6/ssl_reference.html#ToC17)
which will give the clients an option of presenting a cert and then with SSLRequire
handle the different cases about ip address and whether to require a client cert.


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
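One way to express the SSLVerifyClient optional + SSLRequire approach from the reply above in a single HTTPS vhost, written as an added example that is not from the thread: it assumes mod_ssl 2.6 on Apache 1.3, a LAN range of 10.0.0.0/24, and placeholder paths, server address and certificate DN.

```apache
# Added example: one HTTPS vhost that lets LAN clients in with a username/password
# and requires a verified client certificate from everyone else.
# Assumed: LAN is 10.0.0.0/24, mod_ssl 2.6 on Apache 1.3; paths are placeholders.
<VirtualHost 192.0.2.10:443>
    ServerName intranet.example.com
    DocumentRoot /usr/local/apache/htdocs

    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    # CA that issued the client certificates you are willing to accept
    SSLCACertificateFile  /usr/local/apache/conf/ssl.crt/ca.crt

    # Let the client decide whether to present a cert.  A cert that is presented
    # but does not verify against the CA still fails the handshake ("optional",
    # not "optional_no_ca"), so a cert that gets through has
    # SSL_CLIENT_VERIFY = SUCCESS.
    SSLVerifyClient optional
    SSLVerifyDepth  2

    <Location />
        # The decision Joel asked for: a verified cert satisfies the rule, and so
        # does a LAN source address; anyone else is refused in the access phase,
        # before any password prompt.  +StrictRequire makes a failed SSLRequire a
        # hard deny regardless of any "Satisfy Any".
        SSLOptions +StrictRequire +FakeBasicAuth
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                or %{REMOTE_ADDR} =~ m/^10\.0\.0\.[0-9]+$/

        # Basic auth for the LAN users (inside TLS, so nothing goes in the clear).
        # With +FakeBasicAuth, cert holders pass the same check without a prompt:
        # mod_ssl supplies the cert's subject DN as the user name with the fixed
        # password "password", so the htpasswd file needs one line per accepted
        # DN carrying the crypt() of "password" (xxj31ZMTZzkVA), e.g.
        #   /C=US/O=Example Corp/OU=Staff/CN=Joel Smith:xxj31ZMTZzkVA
        AuthType Basic
        AuthName "Intranet"
        AuthUserFile /usr/local/apache/conf/htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

The LAN branch trusts the source address alone, so any path that reaches the vhost with a 10.0.0.x address (a misconfigured proxy or NAT in front of it) gets the password route instead of the certificate route; the border filter should still drop packets arriving from outside with an internal source address.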



Re: Authentication with certificates only of clients on untrusted hosts

2000-05-31 Thread Mads Toftum

On Tue, May 30, 2000 at 02:41:50PM -0600, Joel Smith wrote:
 Hi,
 I've read chapter 5 of the modssl docs (the section on Client
 Authentication and Access Control), but can't find quite what I'm looking
 for.  I'm trying to find an easy way to require certificate based
 authentication to apache only from machines outside our firewall,
 whereas, those within can authenticate with a username/password pair.
 I've done this easily enough to qmail with the TLS patch and to imaps
 via stunnel.  If I could get apache w/ modssl to do the same, I'd be
 set. I don't want to make two different areas of the site (like the
 "/secure/area" described in the docs).  Anyone have a good idea?  I
 suppose potentially I could have a virtual host which those outside
 could point to, and another inside, but I'd rather not.  Users are so
 hard to train. :-)

I might be missing what you're trying to do - but if I'm reading this
right, then all you want to do is to allow plain http access from one
location and require SSL + client certs from all other IPs?
Then it really isn't that hard at all - just make Apache listen on plain
HTTP and limit access to that based on ip, and then also make an HTTPS/
client cert protected virtual host that just has the same DocumentRoot.
You can then choose to let HTTPS users enter their passwords as they would
with plain HTTP or you could use SSLOptions +FakeBasicAuth 
(see http://www.modssl.org/docs/2.6/ssl_reference.html#ToC21).
Alternatively you could set up a solution like:
http:[EMAIL PROTECTED]


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Authentication with certificates only of clients on untrusted hosts

2000-05-31 Thread Joel Smith

 On Tue, May 30, 2000 at 02:41:50PM -0600, Joel Smith wrote:
  I've read chapter 5 of the modssl docs (the section on Client
  Authentication and Access Control), but can't find quite what I'm looking
  for.  I'm trying to find an easy way to require certificate based
  authentication to apache only from machines outside our firewall,
  whereas, those within can authenticate with a username/password pair.
  I've done this easily enough to qmail with the TLS patch and to imaps
  via stunnel.  If I could get apache w/ modssl to do the same, I'd be
  set. I don't want to make two different areas of the site (like the
  "/secure/area" described in the docs).  Anyone have a good idea?  I
  suppose potentially I could have a virtual host which those outside
  could point to, and another inside, but I'd rather not.  Users are so
  hard to train. :-)

Mads Toftum wrote:

 I might be missing what you're trying to do - but if I'm reading this
 right, then all you want to do is to allow plain http access from one
 location and require SSL + client certs from all other IPs?
 Then it really isn't that hard at all - just make Apache listen on plain
 HTTP and limit access to that based on ip, and then also make an HTTPS/
 client cert protected virtual host that just has the same DocumentRoot.
 You can then choose to let HTTPS users enter their passwords as they would
 with plain HTTP or you could use SSLOptions +FakeBasicAuth
 (see http://www.modssl.org/docs/2.6/ssl_reference.html#ToC21).
 Alternatively you could set up a solution like:
 
http:[EMAIL PROTECTED]

I need the local users to use HTTPS also, since they will be authenticating with
username/password.  I don't like stuff flying around in the clear.  That's why it's
trickier.
Is there a directive that says "Require cert unless originating from IP address
xxx.xxx.xxx.xxx"?  Your idea is similar to the different virtual host solution I
proposed, i.e. give one url to internal people, another to external, and the internal
vhost will only talk to LAN users, the external will require a cert, but since our
whole company is passing around intranet URLs all the time, it's not practical to
train users to send both urls, or for people to figure out why a given URL isn't
working for them.  I want one host, https, that can decide if a cert is needed to
authenticate based on originating IP address.

Let me see if I understand the solution based on the post to the modperl list.  We
give people a URL to a machine that is proxying traffic.  That machine checks the IP
address, then based on whether they originate from the outside or the inside, it
redirects them to a site which does or doesn't require a cert.  Is that it?  I guess
that would work too.  I'd still rather be able to do it with a directive in the conf
file on a single vhost.
Later,
Joel




Authentication with certificates only of clients on untrusted hosts

2000-05-30 Thread Joel Smith

Hi,
I've read chapter 5 of the modssl docs (the section on Client
Authentication and Access Control), but can't find quite what I'm looking
for.  I'm trying to find an easy way to require certificate based
authentication to apache only from machines outside our firewall,
whereas, those within can authenticate with a username/password pair.
I've done this easily enough to qmail with the TLS patch and to imaps
via stunnel.  If I could get apache w/ modssl to do the same, I'd be
set. I don't want to make two different areas of the site (like the
"/secure/area" described in the docs).  Anyone have a good idea?  I
suppose potentially I could have a virtual host which those outside
could point to, and another inside, but I'd rather not.  Users are so
hard to train. :-)
TIA,
Joel
