Re: [users@httpd] SSL authentication by clients certificates or by IP

Thu, 14 Mar 2013 05:09:26 -0700 

I am not near my computer, so I can't test this, but I believe what you are
looking for is the "Satisfy Any" directive.
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

- Y

On Thursday, March 14, 2013, Jean-Francois Maeyhieux wrote:

> Hello everyone !
>
>
>    My purpose is simple:
>
> I want a unique SSL vhost that permit two way to access the website:
> a) People from specific IP could access the content
> b) People with a valid client certificate could access the content
>
>
> I know how to achieve each access way but not both in the same time.
> How could I write a vhost to accept connection from specifics IP and
> from people with a valide client certificates ?
>
>
> Zentoo
>
>
>
>
>
> My actual vhost that permit only client certificates but don't accept
> specific IP.
>
>
> <VirtualHost x.x.x.x:443>
>         SSLEngine on
>
>         SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
>         SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
>         SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
>         SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem
>
>         SSLProtocol -SSLv2 -SSLv3 +TLSv1
>         SSLHonorCipherOrder on
>         SSLCipherSuite
>
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL
>
>         ServerName www.toto.com
>         DocumentRoot /var/www/htdocs
>
>         ErrorLog  /var/logs/ssl_error_log
>         CustomLog /var/logs/ssl_access_log combined
>
>         <Location />
>                 SSLRequireSSL
>                 # Note that SSLVerifyClient optional brings MS IE
> incompatibility
>                 SSLVerifyClient optional
>                 SSLVerifyDepth 5
>                 SSLOptions OptRenegotiate
>                 SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U",
> "A.B.C.D") \
>                            or ( %{SSL_CLIENT_S_DN_O}  eq "MyCompany" and
> %{SSL_CLIENT_S_DN_OU} eq "MySection" )
>         </Location>
>
> </VirtualHost>
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org <javascript:;>
> For additional commands, e-mail: users-h...@httpd.apache.org<javascript:;>
>
>

-- 
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.

Reply via email to