Posted to users@httpd.apache.org by Gonzalo Morera <gm...@novell.com> on 2011/04/05 11:05:07 UTC
[users@httpd] implement an SSL secured vhost on apache-2.2.10-2.24.5 (SLES11 SP1) with client authentication
Hi all,
I'm pretty new to Apache and I have an issue trying to accomplish the following. I've searched all over the place and I could not find anything about it, so it may not be possible to accomplish.
Our requirements are:
* Public Access to directory "/data" (No client certificate required)
* Restricted Access to directory "/data/repo" which requires a valid client certificate AND username/password (htaccess).
It seems as if this combination of public and restricted access is not possible; it only ever works for one of the two requirements. The option "SSLVerifyClient require" inside a <Directory> section is not active if a global configuration of "SSLVerifyClient optional" or "SSLVerifyClient none" is set.
What is needed to meet both requirements in one vhost? Or is it not possible at all?
Our current configuration:
<VirtualHost *:443>
    # http://www.modssl.org/docs/2.8/ssl_howto.html
    ServerName packages.toto.lo
    ErrorLog /var/log/apache2/packages_toto_lo_ssl_error_log
    TransferLog /var/log/apache2/packages_toto_lo_ssl_access_log
    CustomLog /var/log/apache2/packages_toto_lo_ssl_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel info
    SSLEngine on
    # Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
    SSLProtocol all -SSLv2
    # Here, I am allowing only "high" and "medium" security key lengths.
    SSLCipherSuite HIGH:MEDIUM
    #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    # Cert
    SSLCertificateFile /etc/ssl/certs/packages_toto_lo.crt
    # Key
    SSLCertificateKeyFile /etc/ssl/certs/packages_toto_lo.key
    # Intermediate cert
    # (note: SSLCACertificateFile lists the CAs trusted for client certificates;
    #  the server's own intermediate belongs in SSLCertificateChainFile)
    SSLCACertificateFile /etc/ssl/certs/packages_toto_lo.ca-bundle
    #SSLOptions +OptRenegotiate +StdEnvVars +ExportCertData
    SSLOptions +OptRenegotiate +StdEnvVars
    # / should also work without a client certificate
    SSLVerifyClient require
    ## Client settings
    SSLCACertificatePath "/etc/ssl/certs/CA"
    DocumentRoot "/data"
    <Directory "/data">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride none
        Order allow,deny
        allow from all
    </Directory>
    Alias /repo /data/repo
    <Location /repo>
        SSLRequireSSL
        SSLOptions +StrictRequire +ExportCertData
        # a valid certificate must be presented when the connection is established
        SSLVerifyClient require
        SSLVerifyDepth 10
        # (no trailing backslash after the last "or" clause, otherwise the
        #  following SetEnv line becomes part of the SSLRequire expression)
        SSLRequire %{SSL_CLIENT_S_DN_Email} eq "hh@toto.lo" \
                or %{SSL_CLIENT_S_DN_Email} eq "ff@toto.lo"
        SetEnv REMOTE_USER ${SSL_CLIENT_S_DN_CN}
        SSLUserName SSL_CLIENT_S_DN_CN
        Options Indexes FollowSymLinks MultiViews
        Order deny,allow
        deny from all
        Satisfy Any
        AuthType Basic
        AuthName "repo"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Location>
</VirtualHost>
Thanks a lot
Gonzalo
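For reference, the layout the mod_ssl howto linked in the post documents for exactly this split, as an added example that is not the poster's configuration: the vhost level does not demand a certificate, and the <Location> for /repo raises that to `require` and adds the password check, so the two paths get different verification modes on one vhost. It reuses the poster's paths and names and assumes the .ca-bundle file is the server's intermediate, so it is placed in SSLCertificateChainFile.

```apache
<VirtualHost *:443>
    ServerName packages.toto.lo
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile      /etc/ssl/certs/packages_toto_lo.crt
    SSLCertificateKeyFile   /etc/ssl/certs/packages_toto_lo.key
    # server-side chain (intermediate), not a client-CA list
    SSLCertificateChainFile /etc/ssl/certs/packages_toto_lo.ca-bundle
    # CAs trusted to issue client certificates
    SSLCACertificatePath    /etc/ssl/certs/CA
    # No certificate is requested for the public part of the site.
    SSLVerifyClient none
    # OptRenegotiate lets mod_ssl skip the renegotiation when the
    # per-location requirements are already met by the current session.
    SSLOptions +OptRenegotiate +StdEnvVars

    DocumentRoot "/data"
    <Directory "/data">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # /data/repo: a verified client certificate AND a valid password.
    # The stricter setting here makes mod_ssl renegotiate the TLS session
    # (now requesting a certificate) once a request for this path is read.
    <Location /repo>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  10
        SSLRequire %{SSL_CLIENT_S_DN_Email} eq "hh@toto.lo" \
                or %{SSL_CLIENT_S_DN_Email} eq "ff@toto.lo"
        # StrictRequire keeps an SSLRequire denial from being overridden
        # by a successful password login should Satisfy Any ever be set here.
        SSLOptions +StrictRequire +ExportCertData
        # Satisfy All (the default): the certificate checks above and the
        # password check below must both pass; neither replaces the other.
        AuthType Basic
        AuthName "repo"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

To verify the split, request / and /repo/ once without a client certificate and once with one: the first path should serve both times, while /repo/ should fail at the TLS layer without a certificate and answer 401 with one until a valid password is supplied.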