logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: How to bypass SSLVerifyClient for specific IP Address
Author
matthewcm



Joined: 30 Jan 2018
Posts: 2

PostPosted: Tue 30 Jan '18 18:57    Post subject: How to bypass SSLVerifyClient for specific IP Address Reply with quote

Hello all,

I'm fairly new to HTTPD so I need some insight from the pro's.

The previous admins set up HTTPD on a Linux box. It is configured to read Certs by the user accessing a specific DNS (ex: https://cxg-now-test.abc). A reverse proxy is then used to send the user to a the app server ,if their cert is valid, which resides on the same box. This works great.

In my HTTPD config, I have a section like this:

Code:
<VirtualHost>
...
SSLVerifyClient require
SSLVerifyDepth 3
SSLOptions +ExportCertData +StdEnvVars
SSLCACertificateFile <path to cert>
</VirtualHost>


Whenever someone accesses https://cxg-now-test.abc, their cert is read and are sent to the app. Again this works great.

What I'd like to do is bypass the SSLVerifyClient from a particular DNS or IP Address. Ex: 10.54.12.34

I know I can set SSLVerifyClient to 'optional' but that does not seem very secure to me.

I think the ultimate solution would be this:

All Users: SSLVerifyClient require
10.54.12.34: SSLVerifyClient optional

BTW, we're running Apache 2.2


Is this doable?

Any help is greatly appreciated
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 08 Feb '18 16:23    Post subject: Reply with quote

I found this https://serverfault.com/questions/411858/allowing-users-in-from-an-ip-address-without-certificate-client-authentication

Maybe that works for you, too.
Back to top
matthewcm



Joined: 30 Jan 2018
Posts: 2

PostPosted: Thu 08 Feb '18 16:44    Post subject: Ended up just changing SSLVerifyClient require Reply with quote

So we did some asking around other teams have just changed their SSLVerifyClient to 'optional'

So we're going to do the same. We made the change in DEV and TEST and so far all is good
Back to top


Reply to topic   Topic: How to bypass SSLVerifyClient for specific IP Address View previous topic :: View next topic
Post new topic   Forum Index -> Apache