Linux Archive > Gentoo > Gentoo User

02-15-2012, 01:46 PM
Tanstaafl

Restrict site access by SSL Client Cert?

Hi everyone,

I know that you can restrict access to a certain site using either Basic
HTTP Auth or Digest Auth, but I was wondering - can you do the same with
an SSL Client Certificate?


I'd like to prevent access to an ancient web based database to only
users that have a Client Cert that I created for them installed.


Is this possible? I'd also like to provide for IP based exceptions if
possible, but if I can't do both, I'll just install the Cert for everyone.


Thanks,

Charles
 
02-15-2012, 02:19 PM
Michael Mol

Restrict site access by SSL Client Cert?

On Wed, Feb 15, 2012 at 9:46 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi everyone,
>
> I know that you can restrict access to a certain site using either Basic
> HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
> SSL Client Certificate?
>
> I'd like to prevent access to an ancient web based database to only users
> that have a Client Cert that I created for them installed.
>
> Is this possible? I'd also like to provide for IP based exceptions if
> possible, but if I can't do both, I'll just install the Cert for everyone.

Two ways (that I know of) to do this:

1) Configure a front-end proxy like squid to do it.
2) Configure Apache to do it.

I haven't done it myself, though, and I hear the error messages the
OpenSSL libraries give you are cryptic.

--
:wq
 
02-15-2012, 02:46 PM
Paul Hartman

Restrict site access by SSL Client Cert?

On Wed, Feb 15, 2012 at 8:46 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi everyone,
>
> I know that you can restrict access to a certain site using either Basic
> HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
> SSL Client Certificate?

Yes, you can. The specifics of how depend on what web server you're using.

For Apache, there are some examples of different scenarios here:
https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients

> I'd also like to provide for IP based exceptions if possible

Trivial in Apache using mod_authz_host which is made for that kind of
thing. You can combine the two access methods (allow all if it's
coming from your company's internal IP, otherwise require
certificate).
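
The combination described above (internal addresses pass without a certificate, everyone else must present one), as an added example that is not part of the original post. It assumes Apache 2.4 with mod_ssl and mod_authz_host loaded; the hostname, file paths and the 192.0.2.0/24 range are placeholders.

```apache
# Added example, not from the thread. Assumes Apache 2.4 syntax.
# Hostname, paths and the address range below are placeholders.
<VirtualHost *:443>
    ServerName legacy-db.example.com
    DocumentRoot /var/www/legacy-db

    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key

    # Trust only the private CA that issued the client certificates.
    # Pointing this at a public CA bundle would accept any certificate
    # those CAs have ever issued.
    SSLCACertificateFile /etc/ssl/apache2/client-ca.crt

    # Request a client certificate during the handshake, but do not abort
    # the handshake when none is sent, so exempted addresses can connect.
    SSLVerifyClient optional
    # Client certificates are assumed to be signed directly by the CA above.
    SSLVerifyDepth  1

    <Location "/">
        <RequireAny>
            # Exception: the internal network (mod_authz_host).
            Require ip 192.0.2.0/24
            # Everyone else needs a certificate that verified against
            # the CA above (mod_ssl authorization provider).
            Require ssl-verify-client
        </RequireAny>
    </Location>
</VirtualHost>
```

If Apache sits behind a reverse proxy or load balancer, `Require ip` matches the proxy's address rather than the client's, so the exception would cover everyone arriving through it.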
 
02-15-2012, 03:24 PM
Tanstaafl

Restrict site access by SSL Client Cert?

On 2012-02-15 10:46 AM, Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> On Wed, Feb 15, 2012 at 8:46 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> > Hi everyone,
> >
> > I know that you can restrict access to a certain site using either Basic
> > HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
> > SSL Client Certificate?
>
> Yes, you can. The specifics of how depend on what web server you're using.
>
> For Apache, there are some examples of different scenarios here:
> https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients
>
> > I'd also like to provide for IP based exceptions if possible
>
> Trivial in Apache using mod_authz_host which is made for that kind of
> thing. You can combine the two access methods (allow all if it's
> coming from your company's internal IP, otherwise require
> certificate).


Perfect, thanks Paul (and yes this is with Apache)...

Glad to know I can do it, hopefully I can get it working without having
to sign up to yet another email list to ask for help...
 
