top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Apache: Access control to allow local clients or remote with SSL client certificate

0 votes
241 views

Running Apache 2.4.7 and current configuration limiting access to a directory to only clients that can provide a trusted client certificate. Server is SSL host. Would like to modify configuration to allow "local" clients (127.0.0.1, etc. as defined by Require local auth provider) to access the directory without authenticating with a client certificate. So the local host may access the directory without SSL client auth, but all others must authenticate with a client certificate or access is forbidden. What is the best/proper way to do this?

I would like to use modern directives (avoiding Allow, Deny, Order etc. from mod_access_compat) but I am not clear how to combine Require related directives with mod_ssl options like SSLVerifyClient.

Thanks in advance?

posted Jun 16, 2017 by anonymous

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
0 votes

I want to allow a directory " /var/www/html/ldap" to two users according to IPs (192.168.1.2 192.168.1.7):

 Order allow,deny
 Allow from 192.168.1.2 192.168.1.7
 Satisfy any
 AuthName "LDAP Authentication"
 AuthType Basic

 AuthBasicProvider ldap
 AuthzLDAPauthoritative off
 AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
 Require valid-user

but I don't want to allow a sub directory to 192.168.1.7 (I want it to be allowed only to 192.168.1.2):

I have tried to add:

 Order allow,deny
 Allow from 192.168.1.2
 Satisfy any
 AuthName "LDAP Authentication"
 AuthType Basic

 AuthBasicProvider ldap
 AuthzLDAPauthoritative off
 AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
 Require valid-user

but it seems that 192.168.1.7 can reach to manager directory because it is a part of ldap directory, how can I forbid this?

+1 vote

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

+4 votes

The ssl cert on my apache server have expired. It is actually a server at work - a important one as well so I'm a bit stressed at the moment.

The cert is renewed and I have received the cert files. I'm now trying to install them but I can't get it to work.

I thought it was as simple as just copying the new crt file to the server and restart apache but apache start fails.

I see this in the log:

509 certificate routines:X509_check_private_key:key values mismatch

Server: Apache 2.2.22 on Ubuntu 12.04. How does one install a renewed ssl cert? Do I need to create a new private key and ca-bundle? Please point me in the right direction.

0 votes

I have two handlers to be accessed. My motive is to use the second handler if the first handler returns DECLINED.

I have tried various combinations of SetHandler, AddHandler and AddType but none has worked as overriding takes place in all of these combinations.

Is there any method in Apache to use more than one handler without overriding?

0 votes

I am a bit confused about the mod_rewrite documentation. It shows this rule to block hotlinking:

RewriteCond "%{HTTP_REFERER}" "!^$"
RewriteCond "%{HTTP_REFERER}" "!www.example.com" [NC]
RewriteRule ".(gif|jpg|png)$" "-" [F,NC]

however, I'd think a better rule would be:

RewriteCond "%{HTTP_REFERER}" "^$" [OR]
RewriteCond "%{HTTP_REFERER}" "!(www.)?example.com/.*$" [OR,NC]
RewriteRule ".(gif|jpg|png)$" "-" [F,NC]

if I want to block anyone manually typing in a link (no referer) + hotlinking (probably has a referer). Do i need the [OR] on the 1st
RewriteCond and not the 2nd one? It seems to work with OR on both conditions.

...