22/10/2003

mod_ssl: HowTo

  • How can I authenticate only particular clients for some URLs based on certificates but still allow arbitrary clients to access the remaining parts of the server?

    The key is to check various ingredients of the client certificate. Usually this means checking the whole or part of the Distinguished Name (DN) of the Subject. Two methods exist for this: the mod_auth based variant and the SSLRequire variant. The first method is good when the clients are of totally different types, i.e. when their DNs have no common fields (usually the organisation, etc.). In this case you have to establish a password database containing all clients. The second method is better when your clients are all part of a common hierarchy which is encoded in the DN. Then you can match them more easily.

    The first method:

      /usr/local/apache/conf/httpd.conf
    
    SSLVerifyClient      none
    #   /secure/area is a placeholder for the URL path to protect (the container
    #   directive was lost in the page copy and has been restored here)
    <Location /secure/area>
    SSLVerifyClient      require
    SSLVerifyDepth       5
    SSLCACertificateFile conf/ssl.crt/ca.crt
    SSLCACertificatePath conf/ssl.crt
    SSLOptions           +FakeBasicAuth
    SSLRequireSSL
    AuthName             "Snake Oil Authentication"
    AuthType             Basic
    AuthUserFile         /usr/local/apache/conf/httpd.passwd
    require              valid-user
    </Location>
    
      /usr/local/apache/conf/httpd.passwd
    
    /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
    /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
    /C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
    

    The second method:

      httpd.conf
    
    SSLVerifyClient      none
    #   /secure/area is a placeholder for the URL path to protect (the container
    #   directive was lost in the page copy and has been restored here)
    <Location /secure/area>
    SSLVerifyClient      require
    SSLVerifyDepth       5
    SSLCACertificateFile conf/ssl.crt/ca.crt
    SSLCACertificatePath conf/ssl.crt
    SSLOptions           +FakeBasicAuth
    SSLRequireSSL
    SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
                         %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
    </Location>
    
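    To make the two methods concrete, here is an added example (it is not code from the mod_ssl FAQ or the project): it parses a client certificate Subject DN in the one-line form mod_ssl exposes as SSL_CLIENT_S_DN, applies the SSLRequire rule of the second method, and renders the AuthUserFile entries the first method needs under +FakeBasicAuth. The function names, the parse_dn() assumption that attribute values contain no "/", and the two rejected sample DNs are this example's own; the three accepted DNs and the password hash are the ones shown above.

```python
# Added example (not part of the mod_ssl FAQ): classify client certificates by
# Subject DN the way the two methods above do.

# Under +FakeBasicAuth mod_ssl presents the client DN as the user name and the
# fixed string "password" as the password; the crypt() of that string is the
# hash shown in the httpd.passwd example above.
FAKE_BASIC_AUTH_HASH = "xxj31ZMTZzkVA"

# Constraints taken from the SSLRequire line of the second method.
REQUIRED_O = "Snake Oil, Ltd."
ALLOWED_OU = {"Staff", "CA", "Dev"}


def parse_dn(dn: str) -> dict:
    """Split '/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo' into a dict.

    Assumption: attribute values contain no '/' (true for the DNs on the page).
    If an attribute type repeats, the last value wins, which is what a single
    SSL_CLIENT_S_DN_<type> variable would expose.
    """
    if not dn.startswith("/"):
        raise ValueError("expected mod_ssl one-line DN starting with '/'")
    fields = {}
    for rdn in dn[1:].split("/"):
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {rdn!r}")
        fields[attr] = value
    return fields


def ssl_require_matches(dn: str) -> bool:
    """Python equivalent of the page's rule:
       %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and
       %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
    """
    fields = parse_dn(dn)
    return fields.get("O") == REQUIRED_O and fields.get("OU") in ALLOWED_OU


def fake_basic_auth_line(dn: str) -> str:
    """AuthUserFile entry for one client under +FakeBasicAuth: '<DN>:<hash>'."""
    parse_dn(dn)  # reject malformed input before it reaches the password file
    return f"{dn}:{FAKE_BASIC_AUTH_HASH}"


def build_passwd_file(dns) -> str:
    """Render the whole httpd.passwd content for the first method."""
    return "".join(fake_basic_auth_line(dn) + "\n" for dn in dns)


# Constructed sample input: the three DNs from the page, one with the wrong
# organisation and one with an OU that is not in the allowed set.
SAMPLE_DNS = [
    "/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo",
    "/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar",
    "/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux",
    "/C=US/L=L.A./O=Acme Corp./OU=Dev/CN=Quux",
    "/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Sales/CN=Baz",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{'allow' if ssl_require_matches(dn) else 'deny ':5} {dn}")
    print("--- httpd.passwd for the first method (accepted clients only) ---")
    print(build_passwd_file(d for d in SAMPLE_DNS if ssl_require_matches(d)), end="")
```

    The point the second method relies on is visible in ssl_require_matches(): a certificate issued by the same CA but with an organisation or OU outside the hierarchy is rejected without any per-user list, whereas the first method admits exactly the DNs present in the password file and nothing else.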
    
    • How can I require HTTPS with strong ciphers and either basic authentication or client certificates for access to a subarea on the Intranet website for clients coming from the Internet, but still allow plain HTTP access for clients on the Intranet?

      Let us assume the Intranet can be distinguished through the IP network 192.168.1.0/24 and the subarea on the Intranet website has the URL /subarea. Then configure the following outside your HTTPS virtual host (so it applies to both HTTPS and HTTP):

        httpd.conf
      
      SSLCACertificateFile conf/ssl.crt/company-ca.crt
      
      <Location />
      #   Outside the subarea only Intranet access is granted
      Order                deny,allow
      Deny                 from all
      Allow                from 192.168.1.0/24
      </Location>
      
      <Location /subarea>
      #   Inside the subarea any Intranet access is allowed
      #   but from the Internet only HTTPS + Strong-Cipher + Password
      #   or the alternative HTTPS + Strong-Cipher + Client-Certificate
      
      #   If HTTPS is used, make sure a strong cipher is used.
      #   Additionally allow client certs as alternative to basic auth.
      SSLVerifyClient      optional
      SSLVerifyDepth       1
      SSLOptions           +FakeBasicAuth +StrictRequire
      SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
      
      #   Force clients from the Internet to use HTTPS
      RewriteEngine        on
      RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
      RewriteCond          %{HTTPS} !=on
      RewriteRule          .* - [F]
      
      #   Allow Network Access and/or Basic Auth
      Satisfy              any
      
      #   Network Access Control
      Order                deny,allow
      Deny                 from all
      Allow                from 192.168.1.0/24
      
      #   HTTP Basic Authentication
      AuthType             basic
      AuthName             "Protected Intranet Area"
      AuthUserFile         conf/protected.passwd
      Require              valid-user
      </Location>
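      Because this configuration combines four mechanisms (Deny/Allow, the RewriteRule, SSLRequire with +StrictRequire, and "Satisfy any"), it helps to check the combined policy against concrete requests. The following is an added example, not configuration or code from the mod_ssl FAQ: a small model of the decision for a request, with the Request fields and decide() function being this example's own. Apache evaluates the directives in its own phase order; the reason strings describe the effective outcome, not which module produced the response. The network, path, key size and CA file names are taken from the configuration above.

```python
# Added example (not part of the mod_ssl FAQ): model of the access policy that
# the <Location /> and <Location /subarea> configuration above enforces.
import ipaddress
from dataclasses import dataclass

INTRANET = ipaddress.ip_network("192.168.1.0/24")  # Allow from 192.168.1.0/24
SUBAREA = "/subarea"                                # <Location /subarea>
MIN_KEYSIZE = 128                                   # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128


@dataclass
class Request:
    remote_addr: str
    path: str
    https: bool = False
    cipher_keysize: int = 0           # %{SSL_CIPHER_USEKEYSIZE}; 0 when not HTTPS
    # Client certificate chained to company-ca.crt (SSLVerifyClient optional) AND
    # its DN listed in conf/protected.passwd, which +FakeBasicAuth requires.
    client_cert_accepted: bool = False
    basic_auth_valid: bool = False    # credentials found in conf/protected.passwd


def from_intranet(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTRANET


def in_subarea(path: str) -> bool:
    # <Location /subarea> matches /subarea and /subarea/..., not /subareax
    return path == SUBAREA or path.startswith(SUBAREA + "/")


def decide(req: Request) -> str:
    """Return 'allow' or 'deny: <reason>' for one request."""
    intranet = from_intranet(req.remote_addr)

    if not in_subarea(req.path):
        # <Location />: Order deny,allow / Deny from all / Allow from 192.168.1.0/24
        return "allow" if intranet else "deny: outside the subarea only Intranet clients are allowed"

    # <Location /subarea>
    # RewriteCond !intranet, RewriteCond HTTPS!=on -> RewriteRule .* - [F]
    if not intranet and not req.https:
        return "deny: Internet clients must use HTTPS"

    # SSLRequire applies only to HTTPS requests; +StrictRequire makes it a hard
    # denial that "Satisfy any" cannot override, for Intranet clients as well.
    if req.https and req.cipher_keysize < MIN_KEYSIZE:
        return "deny: cipher key size below 128 bits"

    # Satisfy any: network access OR authentication. A client certificate
    # becomes a basic-auth identity through +FakeBasicAuth, so it counts here.
    if intranet or req.basic_auth_valid or req.client_cert_accepted:
        return "allow"
    return "deny: authentication required"


# Constructed sample requests: an Intranet and an Internet client in several states.
SAMPLE_REQUESTS = [
    Request("192.168.1.10", "/index.html"),
    Request("10.0.0.5", "/index.html"),
    Request("192.168.1.10", "/subarea/report.html"),
    Request("10.0.0.5", "/subarea/report.html", basic_auth_valid=True),
    Request("10.0.0.5", "/subarea/report.html", https=True, cipher_keysize=40, basic_auth_valid=True),
    Request("10.0.0.5", "/subarea/report.html", https=True, cipher_keysize=128, basic_auth_valid=True),
    Request("10.0.0.5", "/subarea/report.html", https=True, cipher_keysize=256, client_cert_accepted=True),
    Request("10.0.0.5", "/subarea/report.html", https=True, cipher_keysize=256),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.remote_addr:14} {req.path:24} https={req.https!s:5} -> {decide(req)}")
```

      One thing the model makes explicit that the comments above only imply: under +FakeBasicAuth a verified client certificate is not enough by itself; its DN must also appear in conf/protected.passwd with the fake password, otherwise the Internet client falls through to "authentication required".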