DevHeads.net

Access control to allow local clients or remote with SSL client certificate

Greetings,

Running Apache 2.4.7 and current configuration limiting access to a
directory to only clients that can provide a trusted client certificate.
Server is SSL host. Would like to modify configuration to allow "local"
clients (127.0.0.1, etc. as defined by 'Require local' auth provider) to
access the directory without authenticating with a client certificate. So
the local host may access the directory without SSL client auth, but all
others must authenticate with a client certificate or access is forbidden.
What is the best/proper way to do this?

I'd like to use modern directives (avoiding Allow, Deny, Order etc. from
mod_access_compat) but I'm not clear how to combine Require related
directives with mod_ssl options like SSLVerifyClient.

Comments

Re: Access control to allow local clients or remot

By Darren Spruell at 06/16/2017 - 05:24

On Fri, Jun 16, 2017 at 1:59 AM, Darren S. < ... at gmail dot com> wrote:
I ended up with this as a test; is this as easy as it should be?

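<VirtualHost _default_:443>
    ServerName example.com
    DocumentRoot /var/www/app

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # CA used to verify client certificates
    SSLCACertificateFile "/etc/apache2/client-ca.crt"

    <Directory /var/www/app/webroot>
        # Ask for a client certificate, but do not fail the handshake without one
        SSLVerifyClient optional
        SSLVerifyDepth 1
        Options -Indexes
        AllowOverride all
        # Access is granted when either condition holds
        <RequireAny>
            # Client presented a certificate that verified successfully
            Require ssl-verify-client
            # Request came from the local host
            Require local
        </RequireAny>
    </Directory>
</VirtualHost>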
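
One way to check that the configuration above behaves as intended, as an added example that is not part of the original thread. The function names are hypothetical. It assumes the URL names a file that exists under /webroot (with `Options -Indexes`, a directory with no index file returns 403 even to authorized clients) and that the certificate and key passed in were issued by the CA in SSLCACertificateFile. `-k` skips server certificate validation for the probe only.

```shell
#!/bin/sh
# Added example: probes the cases the <RequireAny> block must tell apart.

# Print only the HTTP status code of a request; extra arguments go to curl.
status() {
    url=$1; shift
    curl -sk -o /dev/null -w '%{http_code}' "$@" "$url"
}

# Compare an observed status with the expected one; non-zero on mismatch.
expect() {
    label=$1 want=$2 got=$3
    if [ "$got" = "$want" ]; then
        echo "PASS $label ($got)"
    else
        echo "FAIL $label: wanted $want, got $got"
        return 1
    fi
}

# Run from a remote host: a request without a certificate must be forbidden,
# a request with a trusted certificate must be served.
# Usage: check_remote URL CLIENT_CERT CLIENT_KEY
check_remote() {
    rc=0
    expect "remote, no client cert" 403 "$(status "$1")" || rc=1
    expect "remote, trusted client cert" 200 \
        "$(status "$1" --cert "$2" --key "$3")" || rc=1
    return $rc
}

# Run on the server itself: 'Require local' must admit the request
# even though no client certificate is sent.
# Usage: check_local URL
check_local() {
    expect "local, no client cert" 200 "$(status "$1")"
}
```

Run `check_local` against a loopback URL on the server and `check_remote` from another machine; a FAIL on the first remote probe means the directory is reachable without a certificate.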