On Thu, 2013-03-14 at 14:33 +0100, Jan Vávra wrote:
> Hello,
>  for a) I'd use directives Order, Allow, Deny for Directory
>  for b) I'd use
>  SSLVerifyClient require
>  This option allows only such clients with a client certificate issued
> by a CA in the list defined by SSLCACertificateFile
> 
I just need a valid certificate, so I don't use SSLCACertificateFile.
I use "SSLVerifyClient require" too, but I've tested the optional argument in
case that could help me to accept IP clients or certificate owners.


> For more filtering by a specific field of the cert, e.g. Common Name, set
> SSLOptions -ExportCertData
> and do the check in a php script.
> The SSL_CLIENT_CERT environment variable will contain the client cert in PEM
> format. You can parse it with the php openssl functions.
> This is suitable for managing access via this script,
> e.g. .../download.php?file=xxx.avi.
> 

I don't need it: I'm checking the following fields with the SSLRequire
directive: SSL_CLIENT_S_DN_O, SSL_CLIENT_S_DN_OU.
That does the job.


>  It is possible there is a way how to protect the whole content of a
> Directory as htpasswd / .htaccess does.
>  But on the page http://httpd.apache.org/docs/2.2/howto/auth.html I do
> not see it. You would have to write your own Apache module.
> 
> Jan.
> 
> 
> > Hello everyone!
> > 
> > 
> >    My purpose is simple:
> > 
> > I want a single SSL vhost that permits two ways to access the website:
> > a) People from specific IPs can access the content
> > b) People with a valid client certificate can access the content
> > 
> > 
> > I know how to achieve each access way, but not both at the same time.
> > How could I write a vhost that accepts connections from specific IPs and
> > from people with valid client certificates?
> > 
> > 
> > Zentoo
> > 
> > 
> > 
> > 
> > 
> > My actual vhost, which permits only client certificates but doesn't accept
> > specific IPs:
> > 
> > 
> > <VirtualHost x.x.x.x:443>
> >         SSLEngine on
> > 
> >         SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
> >         SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
> >         SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
> >         SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem
> > 
> >         SSLProtocol -SSLv2 -SSLv3 +TLSv1
> >         SSLHonorCipherOrder on
> >         SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL
> >         
> >         ServerName www.toto.com
> >         DocumentRoot /var/www/htdocs
> > 
> >         ErrorLog  /var/logs/ssl_error_log
> >         CustomLog /var/logs/ssl_access_log combined
> > 
> >         <Location />
> >                 SSLRequireSSL
> >                 # Note that SSLVerifyClient optional brings MS IE incompatibility
> >                 SSLVerifyClient optional
> >                 SSLVerifyDepth 5
> >                 SSLOptions OptRenegotiate
> >                 SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D" ) \
> >                            or ( %{SSL_CLIENT_S_DN_O} eq "MyCompany" and %{SSL_CLIENT_S_DN_OU} eq "MySection" )
> >         </Location>
> > 
> > </VirtualHost>
> > 
> 
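For comparison, the same two-path policy (listed source IPs without a certificate, everyone else with a verified certificate carrying the expected subject fields) written in Apache 2.4 authorization syntax. This is an added example, not a configuration from anyone in this thread; the addresses, file paths and DN values are placeholders, and the 2.4 directives RequireAny, Require ip, Require expr and SSLCARevocationCheck are assumed to be available.

```apache
# Added example: Apache 2.4 equivalent of the 2.2 SSLRequire approach above.
# All addresses, paths and subject values below are placeholders.
<VirtualHost 203.0.113.10:443>
    SSLEngine on

    SSLCertificateFile     /etc/httpd/conf/my-ca/www.toto.com.crt
    SSLCertificateKeyFile  /etc/httpd/conf/my-ca/www.toto.com.key
    SSLCACertificateFile   /etc/httpd/conf/my-ca/myCA.crt
    SSLCARevocationFile    /etc/httpd/conf/my-ca/myCA-crl.pem
    # In 2.4 the CRL file is ignored unless revocation checking is enabled.
    SSLCARevocationCheck   chain

    SSLProtocol            -all +TLSv1.2
    SSLHonorCipherOrder    on

    ServerName   www.toto.com
    DocumentRoot /var/www/htdocs

    # Request a client certificate but do not abort the handshake when none
    # is sent: visitors from the allowed IPs (case a) present no certificate.
    # A certificate that does not chain to myCA.crt still fails the handshake.
    SSLVerifyClient optional
    SSLVerifyDepth  5

    <Location />
        # Access is granted when ANY one of the Require lines succeeds.
        <RequireAny>
            # a) listed source addresses, no certificate needed
            Require ip 192.0.2.10 192.0.2.11 198.51.100.0/24

            # b) a certificate that verified against the CA (SSL_CLIENT_VERIFY
            #    is SUCCESS) AND carries the expected O / OU.  Checking
            #    SSL_CLIENT_VERIFY keeps this branch closed if someone later
            #    relaxes SSLVerifyClient to optional_no_ca, where an unverified
            #    certificate would still populate the DN variables.
            Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' \
                          && %{SSL_CLIENT_S_DN_O}  == 'MyCompany' \
                          && %{SSL_CLIENT_S_DN_OU} == 'MySection'"
        </RequireAny>
    </Location>

    ErrorLog  /var/logs/ssl_error_log
    CustomLog /var/logs/ssl_access_log combined
</VirtualHost>
```

The string comparisons in Require expr are exact matches on the subject fields, so issuing a certificate with those O/OU values is equivalent to granting access; keep the CA key and issuance process under the same control as the IP allow list.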


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org