On Fri, Jun 16, 2017 at 1:59 AM, Darren S. <phatbuckett@xxxxxxxxx> wrote:
> Greetings,
>
> Running Apache 2.4.7 and current configuration limiting access to a
> directory to only clients that can provide a trusted client certificate.
> Server is SSL host. Would like to modify configuration to allow "local"
> clients (127.0.0.1, etc. as defined by 'Require local' auth provider) to
> access the directory without authenticating with a client certificate. So
> the local host may access the directory without SSL client auth, but all
> others must authenticate with a client certificate or access is forbidden.
> What is the best/proper way to do this?
>
> I'd like to use modern directives (avoiding Allow, Deny, Order etc. from
> mod_access_compat) but I'm not clear how to combine Require related
> directives with mod_ssl options like SSLVerifyClient.

I ended up with this as a test; is this as easy as it should be?

<VirtualHost _default_:443>
    ServerName example.com
    DocumentRoot /var/www/app

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile "/etc/apache2/client-ca.crt"

    <Directory /var/www/app/webroot>
        SSLVerifyClient optional
        SSLVerifyDepth 1
        Options -Indexes
        AllowOverride all
        <RequireAny>
            Require ssl-verify-client
            Require local
        </RequireAny>
    </Directory>
</VirtualHost>

--
Darren Spruell
phatbuckett@xxxxxxxxx
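The configuration above only holds together when `SSLVerifyClient optional` is paired with `Require ssl-verify-client`, so a small consistency check is shown here as an added example (not part of the original message and not Apache project code). The `audit` function and the `/srv/demo/...` directories are hypothetical, and the check reads only directives written inside each `<Directory>` block.

```python
import re

# Constructed input: the <Directory> block from the message, followed by two
# hypothetical variants (/srv/demo/...) that show the failure modes.
SAMPLE = """
<Directory /var/www/app/webroot>
    SSLVerifyClient optional
    <RequireAny>
        Require ssl-verify-client
        Require local
    </RequireAny>
</Directory>
<Directory /srv/demo/no-gate>
    SSLVerifyClient optional
    Require all granted
</Directory>
<Directory /srv/demo/unreachable>
    SSLVerifyClient require
    <RequireAny>
        Require ssl-verify-client
        Require local
    </RequireAny>
</Directory>
"""

def audit(conf):
    """Map each <Directory> path to its findings; an empty list means consistent."""
    report = {}
    blocks = re.findall(r"<Directory\s+([^>]+)>(.*?)</Directory>", conf, re.S | re.I)
    for path, body in blocks:
        # Only directives inside the block are read; inherited settings are ignored.
        words = [l.split() for l in body.splitlines()
                 if l.strip() and not l.strip().startswith("#")]
        mode = next((w[1].lower() for w in words
                     if w[0].lower() == "sslverifyclient" and len(w) > 1), "none")
        requires = {" ".join(w[1:]).lower() for w in words if w[0].lower() == "require"}
        findings = []
        if mode == "optional" and "ssl-verify-client" not in requires:
            findings.append("certificate is requested but no Require ssl-verify-client enforces it")
        if mode == "require" and "local" in requires:
            findings.append("mod_ssl rejects certificate-less clients, so Require local never applies")
        if mode == "none" and "ssl-verify-client" in requires:
            findings.append("Require ssl-verify-client set but this block never requests a certificate")
        report[path.strip().strip('"')] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "->", findings or "consistent")
```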