Access control to allow local clients or remote with SSL client certificate


Access control to allow local clients or remote with SSL client certificate

Darren Spruell
Greetings,

Running Apache 2.4.7 with a configuration that currently limits access to a directory to only clients that can provide a trusted client certificate. The server is an SSL host. I would like to modify the configuration to allow "local" clients (127.0.0.1, etc., as defined by the 'Require local' auth provider) to access the directory without authenticating with a client certificate. So the local host may access the directory without SSL client auth, but all others must authenticate with a client certificate or access is forbidden. What is the best/proper way to do this?

I'd like to use modern directives (avoiding Allow, Deny, Order, etc. from mod_access_compat), but I'm not clear how to combine Require-related directives with mod_ssl options like SSLVerifyClient.

--
Darren Spruell
[hidden email]

Re: Access control to allow local clients or remote with SSL client certificate

Darren Spruell
On Fri, Jun 16, 2017 at 1:59 AM, Darren S. <[hidden email]> wrote:

> Greetings,
>
> Running Apache 2.4.7 and current configuration limiting access to a
> directory to only clients that can provide a trusted client certificate.
> Server is SSL host. Would like to modify configuration to allow "local"
> clients (127.0.0.1, etc. as defined by 'Require local' auth provider) to
> access the directory without authenticating with a client certificate. So
> the local host may access the directory without SSL client auth, but all
> others must authenticate with a client certificate or access is forbidden.
> What is the best/proper way to do this?
>
> I'd like to use modern directives (avoiding Allow, Deny, Order etc. from
> mod_access_compat) but I'm not clear how to combine Require related
> directives with mod_ssl options like SSLVerifyClient.

I ended up with this as a test; is this as easy as it should be?

<VirtualHost _default_:443>
        ServerName example.com
        DocumentRoot /var/www/app

        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        SSLCACertificateFile "/etc/apache2/client-ca.crt"
        <Directory /var/www/app/webroot>
                SSLVerifyClient optional
                SSLVerifyDepth 1
                Options -Indexes
                AllowOverride all
                <RequireAny>
                        Require ssl-verify-client
                        Require local
                </RequireAny>
        </Directory>
</VirtualHost>

--
Darren Spruell
[hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Access control to allow local clients or remote with SSL client certificate

Marat Khalili
Technically it should work, but you may also want to:

1. Check that the client belongs to some organization/unit as specified in
the certificate; see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire for an
example. (BTW I don't know if %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ is still
necessary, but I'd specify it just in case.)

2. Configure a revocation list using SSLCARevocationCheck and
SSLCARevocationFile (see the same page). But be careful to update your CRL
file and reload your server in a timely manner (there's usually a cron job
for this), or it'll stop accepting any certificates as soon as the CRL expires.

Without these changes you are granting access to any certificate you (or
any other CA specified in SSLCACertificateFile) ever issued, even to
unrelated or obsolete ones.

--

With Best Regards,
Marat Khalili

On 16/06/17 12:24, Darren S. wrote:

> I ended up with this as a test; is this as easy as it should be?
> <VirtualHost _default_:443>
>          ServerName example.com
>          DocumentRoot /var/www/app
>
>          SSLEngine On
>          SSLCertificateFile /etc/ssl/certs/server.crt
>          SSLCertificateKeyFile /etc/ssl/private/server.key
>          SSLCACertificateFile "/etc/apache2/client-ca.crt"
>          <Directory /var/www/app/webroot>
>                  SSLVerifyClient optional
>                  SSLVerifyDepth 1
>                  Options -Indexes
>                  AllowOverride all
>                  <RequireAny>
>                          Require ssl-verify-client
>                          Require local
>                  </RequireAny>
>          </Directory>
> </VirtualHost>
>


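Putting Marat's two points onto Darren's vhost, as an added example (this is not configuration from either poster or from the httpd project): local clients are admitted without a certificate, everyone else must present a certificate that verifies against the CA file, is not on the CRL, and was issued to the expected organization. The file paths, the CRL location, the organization name "Example Corp" and the use of `Require expr` (the 2.4 replacement for the deprecated SSLRequire) are assumptions made for the example.

```apache
# Added example: Darren's vhost extended with organization and CRL checks.
# Paths, the CRL file and the organization name are assumptions.
<VirtualHost _default_:443>
    ServerName example.com
    DocumentRoot /var/www/app

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile "/etc/apache2/client-ca.crt"

    # Point 2: refuse revoked client certificates. "chain" checks every
    # certificate in the presented chain against the CRL, not only the leaf.
    # The CRL must be refreshed from the CA and httpd reloaded before the
    # CRL's nextUpdate passes; once it is stale, mod_ssl rejects every client
    # certificate, including the ones that are still valid.
    SSLCARevocationFile "/etc/apache2/client-ca.crl"
    SSLCARevocationCheck chain

    <Directory /var/www/app/webroot>
        SSLVerifyClient optional
        SSLVerifyDepth 1
        Options -Indexes

        <RequireAny>
            # Loopback clients (as defined by the "local" provider) need no
            # client certificate at all.
            Require local

            # Everyone else must satisfy all of the following. If no
            # certificate was presented, SSL_CLIENT_S_DN_O is empty, the
            # comparison is false and this branch simply does not grant.
            <RequireAll>
                Require ssl-verify-client
                # Point 1: the subject's O component must match the expected
                # organization (assumed name).
                Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Corp'"
                # The cipher clause from the mod_ssl SSLRequire example,
                # kept as a belt-and-braces check against EXP/NULL ciphers.
                Require expr "%{SSL_CIPHER} !~ /^(EXP|NULL)-/"
            </RequireAll>
        </RequireAny>
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` before reloading, and have the cron job that fetches the CRL check `openssl crl -in /etc/apache2/client-ca.crl -noout -nextupdate` so that an expiring CRL is noticed before it locks out every certificate holder rather than after.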