Topic: How to bypass SSLVerifyClient for specific IP Address |
|
Author |
|
matthewcm
Joined: 30 Jan 2018 Posts: 2
|
Posted: Tue 30 Jan '18 18:57 Post subject: How to bypass SSLVerifyClient for specific IP Address |
|
|
Hello all,
I'm fairly new to HTTPD so I need some insight from the pros.
The previous admins set up HTTPD on a Linux box. It is configured to read Certs by the user accessing a specific DNS (ex: https://cxg-now-test.abc). A reverse proxy is then used to send the user to the app server, if their cert is valid, which resides on the same box. This works great.
In my HTTPD config, I have a section like this:
Code:
<VirtualHost>
...
SSLVerifyClient require
SSLVerifyDepth 3
SSLOptions +ExportCertData +StdEnvVars
SSLCACertificateFile <path to cert>
</VirtualHost>
Whenever someone accesses https://cxg-now-test.abc, their cert is read and they are sent to the app. Again this works great.
What I'd like to do is bypass the SSLVerifyClient from a particular DNS or IP Address. Ex: 10.54.12.34
I know I can set SSLVerifyClient to 'optional' but that does not seem very secure to me.
I think the ultimate solution would be this:
All Users: SSLVerifyClient require
10.54.12.34: SSLVerifyClient optional
BTW, we're running Apache 2.2
Is this doable?
Any help is greatly appreciated |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
|
Back to top |
|
matthewcm
Joined: 30 Jan 2018 Posts: 2
|
Posted: Thu 08 Feb '18 16:44 Post subject: Ended up just changing SSLVerifyClient require |
|
|
So we did some asking around; other teams have just changed their SSLVerifyClient to 'optional'.
So we're going to do the same. We made the change in DEV and TEST and so far all is good |
|
Back to top |
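Added example, not posted by anyone in this thread: one way on Apache 2.2 to keep client certificates mandatory for everyone except 10.54.12.34 is to set SSLVerifyClient to optional and let mod_ssl's SSLRequire make the access decision. The `*:443` listener and the `<Location />` scope are assumptions; the other directives and the address are taken from the first post.

```apache
# Added example (not from the thread). Assumptions: the *:443 listener,
# the <Location /> scope, and that 10.54.12.34 connects to httpd directly.
<VirtualHost *:443>
    SSLEngine on
    # Server certificate, key and proxy directives are omitted here, as
    # they were elided ("...") in the original post.

    # Request a client certificate during the handshake, but do not abort
    # when none is sent. A certificate that IS sent must still chain to
    # the CA file within SSLVerifyDepth, or the handshake fails.
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +ExportCertData +StdEnvVars
    SSLCACertificateFile <path to cert>

    # With only the directives above, a client that sends no certificate
    # is proxied to the app from any address. SSLRequire puts the access
    # decision back in httpd:
    #   SSL_CLIENT_VERIFY is NONE when no certificate was presented and
    #   SUCCESS when one was presented and verified.
    <Location />
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" or %{REMOTE_ADDR} eq "10.54.12.34"
    </Location>
    # Requests that satisfy neither condition are answered with 403 Forbidden.
</VirtualHost>
```

REMOTE_ADDR is the address of the TCP peer, so if a load balancer or NAT device sits in front of httpd the exemption applies to whatever connects through it.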