I finally found something that seems to work:
SSLCACertificateFile /etc/apache2/ssl/ca.crt
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions -StdEnvVars -ExportCertData -FakeBasicAuth +StrictRequire
<Directory "/var/www/xxx">
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "xxx" and %{SSL_CLIENT_S_DN_OU} eq "xxx"
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteCond %{REMOTE_ADDR} !^192\.168\.5\.5$
RewriteCond %{REMOTE_ADDR} !^10\.8\.5\.4$
RewriteRule ^ - [F]
Require ip 192.168.5.5 10.8.5.4
Satisfy Any
</Directory>
Tell me if there is a better solution
----- Mail original -----
> Hello,
>
> Actually i am using certificate authentication and it works well, but
> i would like to allow some specific ip address to access my site
> without certificate.
>
> I have tried several things with "allow from xxx" and "Satisfy any"
> but i failed to setup this correctly.
>
> The actual configuration:
>
> SSLCACertificateFile /etc/apache2/ssl/ca.crt
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLOptions -StdEnvVars -ExportCertData -FakeBasicAuth +StrictRequire
>
> <Directory "/var/www/xxx">
> SSLRequireSSL
> SSLRequire %{SSL_CLIENT_S_DN_O} eq "xxx" and %{SSL_CLIENT_S_DN_OU}
> eq "xxx"
> </Directory>
>
> I am using Apache 2.4 on Ubuntu 14.04.
>
> Regards.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|