On Thu, 2013-03-14 at 14:33 +0100, Jan Vávra wrote:
> Hello,
> for a) I'd use directives Order, Allow, Deny for Directory
> for b) I'd use
> SSLVerifyClient require
> This option allows only such clients with a client certificate issued
> in the list defined by SSLCACertificateFile
>

I just need a valid certificate so I don't use SSLCACertificateFile. I use "SSLVerifyClient require" too, but I've tested the optional argument in case it could help me to accept IP clients or certificate owner ones.

> For more filtering by a specific field of the cert, eg. Common Name, set
> SSLOptions -ExportCertData
> and do the check in a php script.
> In the SSL_CLIENT_CERT environment variable will be the client cert in PEM
> format. You can parse it with the php openssl functions.
> This is suitable for managing access via this script.
> eg. .../download.php?file=xxx.avi.
>

I don't need it: I'm checking with the SSLRequire directive the following fields: SSL_CLIENT_S_DN_O, SSL_CLIENT_S_DN_OU. That does the job.

> It is possible there is a way how to protect the whole content of
> Directory as htpasswd/.htaccess does.
> But on the page http://httpd.apache.org/docs/2.2/howto/auth.html I do
> not see it. You should write your own apache module.
>
> Jan.
>
> > Hello everyone !
> >
> > My purpose is simple:
> > I want a unique SSL vhost that permits two ways to access the website:
> > a) People from specific IPs could access the content
> > b) People with a valid client certificate could access the content
> >
> > I know how to achieve each access way but not both at the same time.
> > How could I write a vhost to accept connections from specific IPs and
> > from people with valid client certificates ?
> >
> > Zentoo
> >
> > My actual vhost, which permits only client certificates but doesn't accept
> > specific IPs:
> >
> > <VirtualHost x.x.x.x:443>
> > SSLEngine on
> >
> > SSLCertificateFile /etc/httpd/conf/my-ca/www.toto.com.crt
> > SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key
> > SSLCACertificateFile /etc/httpd/conf/my-ca/myCA.crt
> > SSLCARevocationFile /etc/httpd/conf/my-ca/myCA-crl.pem
> >
> > SSLProtocol -SSLv2 -SSLv3 +TLSv1
> > SSLHonorCipherOrder on
> > SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-RC4-SHA:RC4-SHA:TLSv1:!AES128:!3DES:!CAMELLIA:!SSLv2:HIGH:MEDIUM:!MD5:!LOW:!EXP:!NULL:!aNULL
> >
> > ServerName www.toto.com
> > DocumentRoot /var/www/htdocs
> >
> > ErrorLog /var/logs/ssl_error_log
> > CustomLog /var/logs/ssl_access_log combined
> >
> > <Location />
> > SSLRequireSSL
> > # Note that SSLVerifyClient optional brings MS IE incompatibility
> > SSLVerifyClient optional
> > SSLVerifyDepth 5
> > SSLOptions OptRenegotiate
> > SSLRequire %{REMOTE_ADDR} in ( "X.Y.Z.T", "X.Y.Z.U", "A.B.C.D") \
> > or ( %{SSL_CLIENT_S_DN_O} eq "MyCompany" and %{SSL_CLIENT_S_DN_OU} eq "MySection" )
> > </Location>
> >
> > </VirtualHost>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
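The same "trusted source address OR verified client certificate" rule, written for Apache httpd 2.4 or later, where SSLRequire is deprecated and the Require family of directives (mod_authz_core) replaces it. This is an added example, not the poster's configuration or anything from the thread. It assumes httpd 2.4 with mod_ssl and mod_authz_core loaded; the certificate and log paths, ServerName and the O/OU strings are taken from the thread, the IP addresses are constructed placeholders from the RFC 5737 documentation ranges, and the SSLProtocol/SSLCipherSuite settings are left out because they are unchanged by this rule.

```apache
# Added example (not from the thread): "IP allow-list OR verified client
# certificate" in Apache httpd 2.4 syntax. Assumes mod_ssl and
# mod_authz_core are loaded; IP addresses are constructed placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/my-ca/www.toto.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/my-ca/www.toto.com.key

    # CA that issued the client certificates, plus its CRL. In 2.4 the CRL
    # file is ignored unless SSLCARevocationCheck is enabled.
    SSLCACertificateFile  /etc/httpd/conf/my-ca/myCA.crt
    SSLCARevocationFile   /etc/httpd/conf/my-ca/myCA-crl.pem
    SSLCARevocationCheck  chain

    ServerName   www.toto.com
    DocumentRoot /var/www/htdocs

    # Record which path authorised each request: the client address is in
    # %h, the certificate verify result and subject DN come from mod_ssl.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SSL_CLIENT_VERIFY}x\" \"%{SSL_CLIENT_S_DN}x\"" sslauth
    ErrorLog  /var/logs/ssl_error_log
    CustomLog /var/logs/ssl_access_log sslauth

    <Location />
        # "optional": the handshake completes without a certificate so the
        # IP path can still succeed; a certificate that IS presented must
        # verify against SSLCACertificateFile or the handshake fails.
        SSLVerifyClient optional
        SSLVerifyDepth 5

        # Either alternative grants access; both failing denies it.
        <RequireAny>
            # Path a) trusted source addresses (constructed placeholders);
            # CIDR ranges are accepted as well as single hosts.
            Require ip 192.0.2.10 192.0.2.11 198.51.100.0/24

            # Path b) a verified client certificate whose subject carries the
            # expected O and OU. SSL_CLIENT_VERIFY is tested explicitly so the
            # rule can never pass on an absent or unverified certificate.
            Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_S_DN_O} == 'MyCompany' && %{SSL_CLIENT_S_DN_OU} == 'MySection'"
        </RequireAny>
    </Location>
</VirtualHost>
```

The DN comparison needs no ExportCertData: mod_ssl exposes the SSL_CLIENT_S_DN_* variables to `Require expr` (and to SSLRequire) from the verified certificate itself; `SSLOptions +ExportCertData` is only required when a script wants the full PEM in SSL_CLIENT_CERT. The custom log format makes the two paths distinguishable after the fact: a request admitted by address shows `NONE` in the verify column, one admitted by certificate shows `SUCCESS` together with the subject DN.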