On Mon, Oct 1, 2012 at 2:28 PM, Mark Montague <mark@xxxxxxxxxxx> wrote:
> On October 1, 2012 14:58 , Tom Browder <tom.browder@xxxxxxxxx> wrote:
>> On Mon, Oct 1, 2012 at 10:53 AM, Mark Montague <mark@xxxxxxxxxxx> wrote:
>>> On October 1, 2012 9:17 , Tom Browder <tom.browder@xxxxxxxxx> wrote:
...
>>>> I have found that the configuration doesn't restrict CGI programs at
>>>> all as I have them placed
...
>>> Then something weird is going on. "SSLVerifyClient require" should
>>> prevent any client from accessing the CGI programs unless it has a valid
>>> certificate.
>>
>> But, Mark, does that apply if the CGI programs themselves are NOT
>> located in the restricted area?
...
> 1. You have URI paths beneath which you require clients to present
> certificates in order to not get an HTTP 403 response.
> 2. You have CGIs, and you find that clients do not need to present
> certificates when they make requests for the CGI.
> 3. You say that the CGIs from 2 are not in the area in 1.
> 4. You observe that the CGIs from 2 are not protected by the requirements
> for 1. This observation is what is expected, due to 3.
>
> The solution -- as far as Apache HTTP Server is concerned -- is [1] to move
> the CGIs into the area in 1, or, alternatively, [2] configure area in 2 to
> also require clients to present SSL certificates. [3] If you prefer, you can
> make client certificates optional for the area in which you have the CGIs
> (while still requiring client certificates for area 1), but [4] then you'll
> need to modify each one of your CGIs to check to see whether a client
> presented a certificate for a given request, and, based on that plus other
> details of the request, have each CGI make an authorization decision
> regarding whether to respond with the requested content or whether to
> respond with an HTTP 403 "Forbidden" error.

Configuration [3] is what I currently have.
I considered configuration [1] originally but chose not to because of
recommendations to get CGI programs out of the DocumentRoot area.

The solution in [4] is what I'm working on at the moment.

> If this doesn't answer your question, then I'm not clear on what you are
> actually asking, and maybe someone else can respond better.

That sums it up perfectly, and I appreciate the analysis.

Given a choice of configurations [1] and [3], which would you choose?

[1] would be easiest for maintenance, but some might not like the CGIs
under DocumentRoot.

[3] might be better practice, but would require more attention (e.g.,
scripts to check that all CGI programs have the necessary checks of SSL
certificates--that's what I'm working on).

Thanks, Mark.

Best regards,

-Tom
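As an added example (not code from this thread, nor from the Apache project), here is the kind of per-request check a CGI in configuration [3]/[4] has to perform before it emits any content. It assumes the CGI's area is configured with `SSLVerifyClient optional` and that mod_ssl's standard variables are exported to the CGI environment with `SSLOptions +StdEnvVars`; without that export, `SSL_CLIENT_VERIFY` is simply absent, so the gate treats a missing variable as a denial rather than an approval. The sample environments at the bottom are constructed for illustration.

```python
#!/usr/bin/env python3
"""Client-certificate gate for a CGI served from an Apache area where
SSLVerifyClient is 'optional' (configuration [3]/[4] in the thread).

Added example; assumes mod_ssl exports its standard variables to the CGI
environment (SSLOptions +StdEnvVars). mod_ssl sets SSL_CLIENT_VERIFY to one
of NONE, SUCCESS, GENEROUS or FAILED:<reason>, and SSL_CLIENT_S_DN to the
subject DN of a presented certificate.
"""
import os
import sys


def client_cert_status(environ):
    """Classify a request from the mod_ssl environment variables.

    Returns ("allow", subject_dn) or ("deny", reason). Every unexpected or
    missing value is a denial, so a misconfiguration fails closed.
    """
    if environ.get("HTTPS") != "on":
        return "deny", "request did not arrive over TLS"
    verify = environ.get("SSL_CLIENT_VERIFY")
    if verify is None:
        # StdEnvVars not exported: we cannot know whether a cert was presented.
        return "deny", "SSL_CLIENT_VERIFY not exported (SSLOptions +StdEnvVars?)"
    if verify == "SUCCESS":
        return "allow", environ.get("SSL_CLIENT_S_DN", "")
    if verify == "NONE":
        return "deny", "no client certificate presented"
    if verify.startswith("FAILED"):
        return "deny", "client certificate rejected: " + verify
    # GENEROUS (optional_no_ca) or anything unknown: not verified against the CA.
    return "deny", "client certificate not CA-verified: " + verify


def respond(environ, allowed_dns=None):
    """Decide what the CGI should emit: (status_line, body).

    allowed_dns, when given, is an extra authorization step on top of the
    certificate check (the "other details of the request" from the thread).
    """
    decision, detail = client_cert_status(environ)
    if decision != "allow":
        return "403 Forbidden", "Forbidden: " + detail
    if allowed_dns is not None and detail not in allowed_dns:
        return "403 Forbidden", "Forbidden: certificate subject not authorized"
    return "200 OK", "Hello, " + detail


def main():
    """CGI entry point: emit a Status header so Apache relays the 403."""
    status, body = respond(os.environ)
    sys.stdout.write(
        "Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n" % (status, body)
    )


# Constructed sample environments (not captured from a real server).
SAMPLE_ENVIRONS = {
    "valid": {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
              "SSL_CLIENT_S_DN": "CN=example-client,O=Example"},
    "no_cert": {"HTTPS": "on", "SSL_CLIENT_VERIFY": "NONE"},
    "bad_cert": {"HTTPS": "on",
                 "SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate"},
    "no_stdenvvars": {"HTTPS": "on"},
    "plain_http": {},
}

if __name__ == "__main__":
    main()
```

Dropping this into each CGI is exactly the maintenance burden Tom describes for configuration [3]; putting `client_cert_status` in one shared module and having every CGI call it keeps the policy in one place, and a script that greps the CGI directory for that import is a simple way to audit that none were missed.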