SSL authentication by clients certificates or by IP

Hello everyone !


   My purpose is simple:

I want a unique SSL vhost that permits two ways to access the website:
a) People from specific IPs could access the content
b) People with a valid client certificate could access the content


I know how to achieve each access method but not both at the same time.
How could I write a vhost to accept connections from specific IPs and
from people with valid client certificates?


Zentoo





My actual vhost, which permits only client certificates but doesn't accept
specific IPs:


<VirtualHost x.x.x.x:443>
        SSLEngine on

        SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
        SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
        SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem

        SSLProtocol -SSLv2 -SSLv3 +TLSv1
        SSLHonorCipherOrder on
        SSLCipherSuite \
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL

        ServerName www.toto.com
        DocumentRoot /var/www/htdocs

        ErrorLog  /var/logs/ssl_error_log
        CustomLog /var/logs/ssl_access_log combined

        <Location />
                SSLRequireSSL
                # Note that SSLVerifyClient optional brings MS IE incompatibility
                SSLVerifyClient optional
                SSLVerifyDepth 5
                SSLOptions OptRenegotiate
                SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D") \
                           or ( %{SSL_CLIENT_S_DN_O}  eq "MyCompany" and %{SSL_CLIENT_S_DN_OU} eq "MySection" )
        </Location>

</VirtualHost>
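The "IP or verified client certificate" policy the post asks for, written as an added example in Apache httpd 2.4 syntax (this is not the poster's config and not an answer from the list). It assumes mod_ssl and mod_authz_core are loaded, so that `<RequireAny>` / `<RequireAll>` and `Require expr` replace the 2.2-era `SSLRequire`; the addresses, hostname and log paths are placeholders, and the CA file names and the "MyCompany" / "MySection" DN values are taken from the post.

```apache
# Added example (not the original poster's config). Assumes Apache httpd 2.4
# with mod_ssl and mod_authz_core; IPs, hostname and log paths are placeholders.
<VirtualHost 203.0.113.10:443>
    SSLEngine on
    ServerName   www.example.com
    DocumentRoot /var/www/htdocs

    SSLCertificateFile    /etc/httpd/conf/my-ca/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.example.com.key
    SSLCACertificateFile  /etc/httpd/conf/my-ca/myCA.crt
    SSLCARevocationFile   /etc/httpd/conf/my-ca/myCA-crl.pem
    # In 2.4 the CRL is only consulted when this is set (default is "none").
    SSLCARevocationCheck  chain

    # Ask for a client certificate but let the handshake complete without one,
    # so IP-only clients still connect. With "optional", a certificate that is
    # presented but fails CA/CRL verification still aborts the handshake.
    # Set at vhost level so no per-request renegotiation is needed.
    SSLVerifyClient optional
    SSLVerifyDepth  5

    # Log the verify status and client DN so each request shows whether it
    # was admitted by source address or by certificate.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SSL_CLIENT_VERIFY}x\" \"%{SSL_CLIENT_S_DN}x\"" sslcombined
    CustomLog /var/log/httpd/ssl_access_log sslcombined
    ErrorLog  /var/log/httpd/ssl_error_log

    <Location />
        SSLRequireSSL
        # RequireAny = OR between the two branches;
        # RequireAll = AND inside the certificate branch.
        <RequireAny>
            # Branch a): trusted source addresses (placeholders; CIDR is accepted)
            Require ip 192.0.2.10 192.0.2.11 198.51.100.0/24

            # Branch b): a certificate that chained to myCA.crt AND carries the
            # expected organisation and unit. Checking SSL_CLIENT_VERIFY
            # explicitly means the DN comparison can never pass on an
            # unverified certificate, e.g. if SSLVerifyClient is later
            # relaxed to optional_no_ca.
            <RequireAll>
                Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
                Require expr "%{SSL_CLIENT_S_DN_O}  == 'MyCompany'"
                Require expr "%{SSL_CLIENT_S_DN_OU} == 'MySection'"
            </RequireAll>
        </RequireAny>
    </Location>
</VirtualHost>
```

Two things to verify after reloading: a client from a listed address with no certificate should get a 200 with `NONE` in the verify column of the access log, and a client from an unlisted address with no certificate (or with a certificate issued by a different CA) should get a 403, with `SUCCESS` only ever appearing for the certificate-authenticated requests.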




