Re: SSL authentication by clients certificates or by IP

Hello,
 for a) I'd use the directives Order, Allow, Deny for Directory
 for b) I'd use
 SSLVerifyClient require
 This option allows only clients with a client certificate issued by a CA in the list defined by SSLCACertificateFile

For more filtering by a specific field of the cert, e.g. Common Name, set
SSLOptions +ExportCertData
and do the check in a PHP script.
The SSL_CLIENT_CERT environment variable will then contain the client cert in PEM format. You can parse it with the PHP openssl functions.
This is suitable for managing access via this script, e.g. .../download.php?file=xxx.avi.

 It is possible there is a way how to protect the whole content of a Directory, as htpasswd/.htaccess does.
 But on the page http://httpd.apache.org/docs/2.2/howto/auth.html I do not see it. You should write your own Apache module.

Jan.

Hello everyone !


   My purpose is simple:

I want a single SSL vhost that permits two ways to access the website:
a) People from specific IPs can access the content
b) People with a valid client certificate can access the content


I know how to achieve each access way but not both at the same time.
How could I write a vhost to accept connections from specific IPs and
from people with valid client certificates?


Zentoo





My actual vhost, which permits only client certificates but doesn't accept
specific IPs.


<VirtualHost x.x.x.x:443>
        SSLEngine on

        SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
        SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
        SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem

        SSLProtocol -SSLv2 -SSLv3 +TLSv1
        SSLHonorCipherOrder on
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL

        ServerName www.toto.com
        DocumentRoot /var/www/htdocs

        ErrorLog  /var/logs/ssl_error_log
        CustomLog /var/logs/ssl_access_log combined

        <Location />
                SSLRequireSSL
                # Note that SSLVerifyClient optional brings MS IE incompatibility
                SSLVerifyClient optional
                SSLVerifyDepth 5
                SSLOptions OptRenegotiate
                SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D") \
                           or ( %{SSL_CLIENT_S_DN_O}  eq "MyCompany" and %{SSL_CLIENT_S_DN_OU} eq "MySection" )
        </Location>

</VirtualHost>
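One way to admit both kinds of client in a single vhost, as an added example that is neither poster's config: it assumes Apache 2.4, where SSLRequire is deprecated and the IP check and the certificate check can be combined with <RequireAny> instead of the 2.2 Order/Allow/Deny plus SSLRequire approach discussed above. The addresses, DN values and file paths are the placeholders from Zentoo's config.

```apache
<VirtualHost x.x.x.x:443>
    SSLEngine on
    ServerName www.toto.com
    DocumentRoot /var/www/htdocs

    SSLCertificateFile    /etc/httpd/conf/my-ca/www.toto.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
    # CA that issued the client certificates, plus its CRL; in 2.4 the CRL
    # is only consulted when SSLCARevocationCheck is set.
    SSLCACertificateFile  /etc/httpd/conf/my-ca/myCA.crt
    SSLCARevocationFile   /etc/httpd/conf/my-ca/myCA-crl.pem
    SSLCARevocationCheck  chain

    <Location />
        SSLRequireSSL
        # "optional": a client without a certificate still completes the
        # handshake, so the IP branch below can admit it; a client that does
        # present a certificate must chain to myCA.crt or the handshake fails.
        SSLVerifyClient optional
        SSLVerifyDepth 5

        # Either branch alone grants access.
        <RequireAny>
            # a) trusted source addresses (placeholders from the question)
            Require ip X.Y.Z.T X.Y.Z.U A.B.C.D
            # b) a verified client certificate from the expected O / OU
            <RequireAll>
                Require ssl-verify-client
                Require expr "%{SSL_CLIENT_S_DN_O} == 'MyCompany' && %{SSL_CLIENT_S_DN_OU} == 'MySection'"
            </RequireAll>
        </RequireAny>
    </Location>
</VirtualHost>
```

Run `apachectl configtest` before reloading; a typo in the Require expr string is reported there rather than at request time.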