Hello,
 For a) I'd use the Order, Allow, Deny directives for the Directory.
 For b) I'd use
 SSLVerifyClient require
This option allows only clients with a client certificate issued in the list defined by SSLCACertificateFile.

For more filtering by a specific field of the cert, e.g. Common Name, set
 SSLOptions +ExportCertData
and do the check in a PHP script.
The SSL_CLIENT_CERT environment variable will then contain the client cert in PEM format. You can parse it with the PHP openssl functions. This is suitable for managing access via this script, e.g. .../download.php?file=xxx.avi.

It is possible there is a way to protect the whole content of a Directory as htpasswd/.htaccess does. But on the page http://httpd.apache.org/docs/2.2/howto/auth.html I do not see it. You should write your own Apache module.

Jan.

Hello everyone !


My purpose is simple:

I want a unique SSL vhost that permits two ways to access the website:
a) People from specific IPs could access the content
b) People with a valid client certificate could access the content


I know how to achieve each access way but not both at the same time.
How could I write a vhost to accept connections from specific IPs and
from people with valid client certificates?


Zentoo





My actual vhost that permits only client certificates but doesn't accept
specific IPs.


<VirtualHost x.x.x.x:443>
        SSLEngine on

        SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
        SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
        SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem

        SSLProtocol -SSLv2 -SSLv3 +TLSv1
        SSLHonorCipherOrder on
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL
        ServerName www.toto.com
        DocumentRoot /var/www/htdocs

        ErrorLog  /var/logs/ssl_error_log
        CustomLog /var/logs/ssl_access_log combined

        <Location />
                SSLRequireSSL
                # Note that SSLVerifyClient optional brings MS IE incompatibility
                SSLVerifyClient optional
                SSLVerifyDepth 5
                SSLOptions OptRenegotiate
                SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D" ) \
                           or ( %{SSL_CLIENT_S_DN_O}  eq "MyCompany" and \
                                %{SSL_CLIENT_S_DN_OU} eq "MySection" )
        </Location>

</VirtualHost>
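As an added example (not part of this thread and not either poster's configuration), here is one way to combine the two access paths Jan describes in a single Apache 2.2 vhost using mod_ssl alone: the IP list and the certificate check are joined with "or" inside one SSLRequire, and the certificate branch also tests SSL_CLIENT_VERIFY so that only a certificate that actually verified against SSLCACertificateFile can grant access. The hostname, file paths, the 192.0.2.x addresses and the O/OU values are placeholders; the cipher list is left to the server's own policy.

```apache
<VirtualHost 192.0.2.1:443>
    # Placeholder server identity and document root
    ServerName www.example.com
    DocumentRoot /var/www/htdocs

    SSLEngine on
    # Placeholder key material; SSLCACertificateFile is the CA that
    # issues the client certificates we are willing to trust
    SSLCertificateFile    /etc/httpd/conf/my-ca/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/my-ca/server.key
    SSLCACertificateFile  /etc/httpd/conf/my-ca/myCA.crt
    SSLCARevocationFile   /etc/httpd/conf/my-ca/myCA-crl.pem

    <Location />
        SSLRequireSSL

        # "optional": the handshake succeeds with or without a client cert,
        # but a cert that IS presented must chain to SSLCACertificateFile.
        # Do not use "optional_no_ca" here: it would let an unverifiable
        # cert through to the DN checks below.
        SSLVerifyClient optional
        SSLVerifyDepth 5

        # Grant if the peer address is on the allow list, OR a client cert
        # was presented, verified (SSL_CLIENT_VERIFY is "SUCCESS") and its
        # subject carries the expected O and OU. Everything else is denied.
        SSLRequire ( %{REMOTE_ADDR} in {"192.0.2.10", "192.0.2.11"} ) \
                or ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                     and %{SSL_CLIENT_S_DN_O}  eq "MyCompany" \
                     and %{SSL_CLIENT_S_DN_OU} eq "MySection" )
    </Location>
</VirtualHost>

# Apache 2.4 equivalent of the SSLRequire above, using mod_authz_core
# (SSLRequire is deprecated there); SSLVerifyClient must still be optional:
#
#    <RequireAny>
#        Require ip 192.0.2.10 192.0.2.11
#        Require ssl-verify-client
#    </RequireAny>
```

Two points worth checking against the quoted vhost: the mod_ssl documentation writes the "in" word list with braces, {"a", "b"}, not parentheses, and SSLVerifyClient has to stay at optional, because with require a client that sends no certificate is rejected during the handshake and never reaches the access phase where the IP branch could grant it. The SSLOptions +ExportCertData / SSL_CLIENT_CERT route Jan mentions is only needed if the decision has to be made in a script rather than by mod_ssl.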





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

