Re: [users@httpd] Re: Access control to allow local clients or remote with SSL client certificate

2017-06-16 Thread Marat Khalili

Technically it should work, but you may also want to:

1. Check that the client belongs to some organization/unit as specified in 
the certificate, see 
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire for an 
example. (BTW I don't know if %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ is still 
necessary, but I'd specify it just in case.)


2. Configure a revocation list using SSLCARevocationCheck and 
SSLCARevocationFile (see the same page). But be careful to update your CRL 
file and reload your server in a timely manner (there's usually a cron job for 
this), or it'll stop accepting any certificates as soon as the CRL expires.


Without these changes you are granting access to any certificate you (or 
any other CAs specified in SSLCACertificateFile) ever issued, even to 
unrelated or obsolete ones.


--

With Best Regards,
Marat Khalili

On 16/06/17 12:24, Darren S. wrote:

I ended up with this as a test; is this as easy as it should be?

 ServerName example.com
 DocumentRoot /var/www/app

 SSLEngine On
 SSLCertificateFile /etc/ssl/certs/server.crt
 SSLCertificateKeyFile /etc/ssl/private/server.key
 SSLCACertificateFile "/etc/apache2/client-ca.crt"
 
 SSLVerifyClient optional
 SSLVerifyDepth 1
 Options -Indexes
 AllowOverride all
 
 Require ssl-verify-client
 Require local
 
 
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
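Putting the reply's two recommendations together with the quoted configuration, as an added example (not the posters' own configuration): the explicit <RequireAny>/<RequireAll> nesting spells out what two bare Require lines inside a <Directory> already mean by default (any one may succeed), the organization check uses Require expr since SSLRequire is deprecated in 2.4, and the CRL directives are the ones named above. The organization name 'Example Corp', the CRL path, and the VirtualHost/Directory containers are assumptions.

```apache
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/app

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Client certificates must chain to this CA; "optional" lets
    # local clients connect without presenting one at all.
    SSLCACertificateFile  /etc/apache2/client-ca.crt
    SSLVerifyClient optional
    SSLVerifyDepth 1

    # Reject revoked certificates. The CRL path is an assumption;
    # an expired CRL causes every client certificate to be refused.
    SSLCARevocationCheck chain
    SSLCARevocationFile  /etc/apache2/client-ca.crl

    <Directory /var/www/app>
        Options -Indexes
        AllowOverride all

        # Either the request comes from the local host, or the
        # client presented a verified certificate that also
        # satisfies every check in the inner block.
        <RequireAny>
            Require local
            <RequireAll>
                Require ssl-verify-client
                # Organization (O=) from the client cert subject;
                # 'Example Corp' is an assumed value.
                Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Corp'"
                # Refuse export-grade and NULL ciphers, as in the reply.
                Require expr "%{SSL_CIPHER} !~ /^(EXP|NULL)-/"
            </RequireAll>
        </RequireAny>
    </Directory>
</VirtualHost>
```

Because the inner checks sit under RequireAll, a certificate issued by the same CA to an unrelated organization is still refused, which is the gap the reply points out.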

[users@httpd] Re: Access control to allow local clients or remote with SSL client certificate

2017-06-16 Thread Darren S.
On Fri, Jun 16, 2017 at 1:59 AM, Darren S. wrote:
> Greetings,
>
> Running Apache 2.4.7 and current configuration limiting access to a
> directory to only clients that can provide a trusted client certificate.
> Server is SSL host. Would like to modify configuration to allow "local"
> clients (127.0.0.1, etc. as defined by 'Require local' auth provider) to
> access the directory without authenticating with a client certificate. So
> the local host may access the directory without SSL client auth, but all
> others must authenticate with a client certificate or access is forbidden.
> What is the best/proper way to do this?
>
> I'd like to use modern directives (avoiding Allow, Deny, Order etc. from
> mod_access_compat) but I'm not clear how to combine Require related
> directives with mod_ssl options like SSLVerifyClient.

I ended up with this as a test; is this as easy as it should be?


ServerName example.com
DocumentRoot /var/www/app

SSLEngine On
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificateFile "/etc/apache2/client-ca.crt"

SSLVerifyClient optional
SSLVerifyDepth 1
Options -Indexes
AllowOverride all

Require ssl-verify-client
Require local


-- 
Darren Spruell
phatbuck...@gmail.com
