Hi all

I'm pretty new to Apache and I have an issue trying to accomplish the 
following. I've searched all over the place and I could not find anything 
about it, so it may not be possible to accomplish it.

Our requirements are: 
* Public Access to directory "/data" (No client certificate required)
* Restricted Access to directory "/data/repo" which requires a valid client 
certificate AND username/password (htaccess).

It seems as if this combination of public and restricted access is not possible 
and it works for only one of the requirements. The option 
"SSLVerifyClient require" inside a <Directory>-section is not active, if a 
global configuration "SSLVerifyClient optional" or "SSLVerifyClient none" is 
What is needed to meet both requirements in one vhost? or it is not possible at 

Our current configuration:

<VirtualHost *:443>

        # http://www.modssl.org/docs/2.8/ssl_howto.html 

        ServerName packages.toto.lo

        ErrorLog /var/log/apache2/packages_toto_lo_ssl_error_log
        TransferLog /var/log/apache2/packages_toto_lo_ssl_access_log
        CustomLog /var/log/apache2/packages_toto_lo_ssl_log \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

        LogLevel info

        SSLEngine on
        # Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
        SSLProtocol all -SSLv2
        # Here, I am allowing only "high" and "medium" security key lengths.
        SSLCipherSuite HIGH:MEDIUM

        # Cert
        SSLCertificateFile /etc/ssl/certs/packages_toto_lo.crt
        # Key
        SSLCertificateKeyFile /etc/ssl/certs/packages_toto_lo.key
        # Intermediate cert
        SSLCACertificateFile /etc/ssl/certs/packages_toto_lo.ca-bundle

        #SSLOptions +OptRenegotiate +StdEnvVars +ExportCertData
        SSLOptions +OptRenegotiate +StdEnvVars
        # / should also work without a client certificate
        SSLVerifyClient require
        ## Client settings
        SSLCACertificatePath "/etc/ssl/certs/CA"

        DocumentRoot "/data"
        <Directory "/data">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride none
                Order allow,deny
                allow from all
        </Directory>

        Alias /repo /data/repo
        <Location /repo>
                SSLOptions +StrictRequire +ExportCertData
                # a valid certificate must be presented when the connection is established
                SSLVerifyClient require
                SSLVerifyDepth  10
                SSLRequire %{SSL_CLIENT_S_DN_Email} eq "h...@toto.lo" \
                or %{SSL_CLIENT_S_DN_Email} eq "f...@toto.lo" \

                SetEnv REMOTE_USER ${SSL_CLIENT_S_DN_CN}
                SSLUserName SSL_CLIENT_S_DN_CN

                Options Indexes FollowSymLinks MultiViews
                Order deny,allow
                deny from all

                Satisfy Any
                AuthType Basic
                AuthName "repo"
                AuthUserFile /etc/apache2/htpasswd
                Require valid-user
        </Location>
</VirtualHost>

Thanks a lot
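
An added example, not part of the original post and not the Apache project's own configuration: a vhost in Apache 2.2 syntax (matching the post's Order/Allow directives) that keeps /data public and demands both a client certificate and a password under /repo, relying on mod_ssl's per-location renegotiation. Paths and names are reused from the post; treating the ca-bundle as the server's intermediate chain is an assumption.

```apache
<VirtualHost *:443>
    ServerName packages.toto.lo
    SSLEngine on

    # Server certificate, private key and the chain sent to clients.
    SSLCertificateFile      /etc/ssl/certs/packages_toto_lo.crt
    SSLCertificateKeyFile   /etc/ssl/certs/packages_toto_lo.key
    # Assumption: the ca-bundle is the server's intermediate chain, so it is
    # served as the chain and not trusted for client-certificate checks.
    SSLCertificateChainFile /etc/ssl/certs/packages_toto_lo.ca-bundle

    # CAs accepted as issuers of client certificates (hashed directory).
    SSLCACertificatePath /etc/ssl/certs/CA

    # Handshake default: no client certificate requested, so /data is public.
    SSLVerifyClient none

    DocumentRoot "/data"
    <Directory "/data">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location /repo>
        # Per-location override: mod_ssl renegotiates and demands a certificate.
        SSLVerifyClient require
        SSLVerifyDepth  10

        # Second factor: Basic auth on top of the certificate.
        AuthType Basic
        AuthName "repo"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user

        # The host check and the user check must both pass.
        Order allow,deny
        Allow from all
        Satisfy All
    </Location>
</VirtualHost>
```

TLS 1.3 has no renegotiation, so on such connections the per-location requirement depends on post-handshake authentication being supported by both client and server.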

