Discussion:
SSL client auth based on IP source address - possible?
Axel
2012-09-14 12:04:49 UTC
Hi readers,

I have a web server here which should authenticate clients using SSL client authentication - but ONLY if the clients come from the internet. From the intRAnet everyone should have access without a client certificate.

Currently this is done using a rewrite rule which redirects to two identical installations of our web site but on different file system paths - depending on the source IP. One path (the one redirected to with external addresses) has an SSL requirement for client auth configured, the other hasn't.

Now I dislike this system. Is it possible to only have ONE installation, and configure the SSL client auth requirement based on the source IP of the client?


Cheers & thanks in advance,
Axel.
D. Stussy
2012-09-15 05:28:07 UTC
"Axel" wrote in message news:55cbcb3d-943c-430b-9ecb-***@googlegroups.com...
I have a web server here which should authenticate clients using SSL client
authentication - but ONLY if the clients come from the internet. From the
intRAnet everyone should have access without a client certificate.

Currently this is done using a rewrite rule which redirects to two identical
installations of our web site but on different file system paths - depending
on the source IP. One path (the one redirected to with external addresses) has
an SSL requirement for client auth configured, the other hasn't.

Now I dislike this system. Is it possible to only have ONE installation, and
configure the SSL client auth requirement based on the source IP of the
client?
=================

What is wrong with:
SSLRequireSSL
Order deny,allow
Deny from all
Allow from <network>
Satisfy Any

The key is the LAST entry. Semicolons omitted.
Axel
2012-09-18 08:28:48 UTC
Post by D. Stussy
SSLRequireSSL
Order deny,allow
Deny from all
Allow from <network>
Satisfy Any
hm, nothing maybe? :) thanks! I should have thought of that, I'll try and report back ;)

cheers,
Axel.
Axel
2012-10-16 07:52:09 UTC
Post by Axel
Post by D. Stussy
SSLRequireSSL
Order deny,allow
Deny from all
Allow from <network>
Satisfy Any
hm, nothing maybe? :) thanks! I should have thought of that, I'll try and report back ;)
nah, not so easy. doesn't work.

my current configuration is a combination of SSLVerifyClient optional, and a rewrite rule which evaluates the status of the verification against the REMOTE_ADDR value. (example here: http://is.gd/BisRPK)

Unfortunately I hit another problem: Firefox won't ask me for a certificate on SSLVerifyClient optional, only on SSLVerifyClient require.

So now - does anybody know the _perfect_ and _complete_ ;) circumstances on which FF will ask the user for a client certificate? basically the configuration *should* work now ... (excerpt here: http://pastebin.com/Vq31Rg87)

Any help welcome ...


thanks & greetings,
Axel.
Axel
2012-10-18 05:01:02 UTC
Post by Axel
Post by Axel
Post by D. Stussy
SSLRequireSSL
Order deny,allow
Deny from all
Allow from <network>
Satisfy Any
hm, nothing maybe? :) thanks! I should have thought of that, I'll try and report back ;)
nah, not so easy. doesn't work.
my current configuration is a combination of SSLVerifyClient optional, and a rewrite rule which evaluates the status of the verification against the REMOTE_ADDR value. (example here: http://is.gd/BisRPK)
Unfortunately I hit another problem: Firefox won't ask me for a certificate on SSLVerifyClient optional, only on SSLVerifyClient require.
In case anyone is ever interested: I got it. I moved the Rewrite Rules and the SSLVerifyClient out of the <Directory> block into the virtual host definition itself. Now it works beautifully.

This is basically the relevant configuration section:


# Protocol selection as posted in 2012 (SSLv3 is no longer considered safe)
SSLProtocol -all +SSLv3 +TLSv1
# CA certificates that client certificates are verified against
SSLCACertificatePath /etc/apache2/vhosts.d/lernnet.arbeitsagentur.de/ssl.CAs
SSLOptions -StdEnvVars -ExportCertData -OptRenegotiate

# Ask every client for a certificate in the initial handshake, but let the
# handshake succeed without one. SSL_CLIENT_VERIFY is SUCCESS only for a
# certificate that chains to one of the CAs above.
SSLVerifyClient optional
SSLVerifyDepth 3

RewriteEngine On

# No verified certificate AND not coming from the intranet -> 403.
# All RewriteConds of a rule must match for the rule to fire.
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteCond %{REMOTE_ADDR} !^130\.250\.8\.12$
RewriteCond %{REMOTE_ADDR} !^10\.197\.205\..*$
RewriteRule ^ - [F]

# accept the official and a test certificate: a verified certificate whose
# subject O is neither of the two accepted organisations -> 403
RewriteCond %{SSL:SSL_CLIENT_VERIFY} ^SUCCESS$
RewriteCond %{SSL:SSL_CLIENT_S_DN_O} !^BALi$
RewriteCond %{SSL:SSL_CLIENT_S_DN_O} !^Super\ Test\ Team\ Tiger$
RewriteRule ^ - [F]

<Directory ".../htdocs/">


Cheers,
Axel.
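The same policy (intranet by source address, everyone else by a verified client certificate from an accepted organisation) can be expressed without mod_rewrite on Apache 2.4 using mod_authz_core's RequireAny/RequireAll, which is what D. Stussy's Satisfy Any idea becomes in 2.4. The block below is an added example written for this thread, not a configuration posted by Axel or shipped by the project. It assumes Apache 2.4 with mod_ssl, mod_authz_core and mod_authz_host loaded; the DocumentRoot and server certificate/key paths are assumed, while the hostname, CA directory, addresses and organisation names are the ones that appear in the posted configuration.

```apache
# Added example, not from the thread: IP-or-client-certificate access on Apache 2.4.
# Assumed paths: DocumentRoot, SSLCertificateFile, SSLCertificateKeyFile.
<VirtualHost *:443>
    ServerName lernnet.arbeitsagentur.de
    # assumed path
    DocumentRoot /srv/www/lernnet/htdocs

    SSLEngine on
    # SSLv3 and TLS 1.0 from the 2012 post are obsolete; TLS 1.2+ only
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # assumed paths
    SSLCertificateFile    /etc/apache2/ssl/lernnet.crt
    SSLCertificateKeyFile /etc/apache2/ssl/lernnet.key

    # Trust anchors for client certificates (directory from the posted config)
    SSLCACertificatePath /etc/apache2/vhosts.d/lernnet.arbeitsagentur.de/ssl.CAs
    SSLVerifyDepth 3

    # Kept at vhost level, as Axel found: the CertificateRequest is then part of
    # the initial handshake. Inside <Directory> it would require a renegotiation.
    # "optional" lets the handshake complete without a certificate, which makes
    # "Require ssl-verify-client" below meaningful.
    SSLVerifyClient optional
    SSLOptions +StdEnvVars

    <Location "/">
        <RequireAny>
            # Intranet: the TCP peer address alone grants access.
            Require ip 130.250.8.12
            Require ip 10.197.205.0/24
            # Internet: a certificate that verified against the CA directory
            # AND whose subject O is one of the accepted organisations.
            <RequireAll>
                Require ssl-verify-client
                Require expr "%{SSL_CLIENT_S_DN_O} in { 'BALi', 'Super Test Team Tiger' }"
            </RequireAll>
        </RequireAny>
    </Location>
</VirtualHost>
```

Two practical differences from the posted rewrite chain: `Require ip`, like `REMOTE_ADDR`, is the TCP peer address, so a reverse proxy or load balancer in front of this host would make every client look like the proxy (and, if the proxy sits in 10.197.205.0/24, unauthenticated); mod_remoteip with an explicitly trusted proxy list is the only safe way to recover the real address. And because the address check is a sibling in `RequireAny`, an intranet client that happens to present a certificate from some other organisation is still admitted, whereas the second RewriteRule in the posted configuration forbids such a client.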
