Re: SSL Client Certificates and CGI

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On October 1, 2012 15:47 , Tom Browder <tom.browder@xxxxxxxxx> wrote:

The solution -- as far as Apache HTTP Server is concerned -- is
[1] > to move the

CGIs into the area in 1, or, alternatively,

[2] >configure area in 2 to also

require clients to present SSL certificates.

[3]> If you prefer, you can make client certificates optional for the area in

which you have the CGIs (while still requiring client certificates for area
1), but

[4] then you'll need to modify each one of your CGIs to check to see

whether a client presented a certificate for a given request, and, based on
that plus other details of the request, have each CGI make an authorization
decision regarding whether to respond with the requested content or whether
to respond with an HTTP 403 "Forbidden" error.

Configuration [3] is what I have currently have.  I considered
configuration [1] originally but chose not to because of
recommendations to get CGI programs out of the DocumentRoot area.  The
solution in [4] is what I'm working on at the moment.
Given this, I would go with [2] unless there is a reason against it. It keeps the CGI programs out of the DocumentRoot area, while preserving the requirement for client certificates. The only reason I could see to not do [2] would be if the CGIs also need to be accessed by clients that do not have certificates. 




If this doesn't answer your question, then I'm not clear on what you are
actually asking, and maybe someone else can respond better.

That sums it up perfectly, and I appreciate the analysis.

Given a choice of configurations [1] and [3], which would you choose?

[1] would be easiest for maintenance, but some might not like the CGIs
under DocumentRoot

[3] might be better practice, but would require more attention (e.g.,
scripts to check that all CGIi programs have the necessary checks of
SSL certificates--that's what I'm working on)
Just between these two? Modifying the CGIs is only practical if there are relatively few of them.
[1] is not bad, per se. The only reason to have CGIs outside of the DocumentRoot directory is to enforce separation between static and dynamic content (so that misconfigurations are a little less likely to result in disclosure of the code for CGI scripts, which may contain passwords or other details about your servers that you would not want getting out). The Apache HTTP Server documentation contains examples of serving CGIs from underneath DocumentRoot and also user home directories: https://httpd.apache.org/docs/2.4/howto/cgi.html 

--
  Mark Montague
  mark@xxxxxxxxxxx


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux