Hi everyone,

I know that you can restrict access to a certain site using either Basic
HTTP Auth or Digest Auth, but I was wondering - can you do the same with
an SSL Client Certificate?


I'd like to prevent access to an ancient web based database to only
users that have a Client Cert that I created for them installed.


Is this possible? I'd also like to provide for IP based exceptions if
possible, but if I can't do both, I'll just install the Cert for everyone.


Thanks,

Charles

On Wed, Feb 15, 2012 at 9:46 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi everyone,
>
> I know that you can restrict access to a certain site using either Basic
> HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
> SSL Client Certificate?
>
> I'd like to prevent access to an ancient web based database to only users
> that have a Client Cert that I created for them installed.
>
> Is this possible? I'd also like to provide for IP based exceptions if
> possible, but if I can't do both, I'll just install the Cert for everyone.

Two ways (that I know of) to do this:

1) Configure a front-end proxy like squid to do it.
2) Configure Apache to do it.

I haven't done it myself, though, and I hear the error messages the
OpenSSL libraries give you are cryptic.

--
:wq

On Wed, Feb 15, 2012 at 8:46 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi everyone,
>
> I know that you can restrict access to a certain site using either Basic
> HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
> SSL Client Certificate?

Yes, you can. The specifics of how depend on what web server you're using.

For Apache, there are some examples of different scenarios here:
https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients

> I'd also like to provide for IP based exceptions if possible

Trivial in Apache using mod_authz_host which is made for that kind of
thing. You can combine the two access methods (allow all if it's
coming from your company's internal IP, otherwise require
certificate).

On 2012-02-15 10:46 AM, Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:

On Wed, Feb 15, 2012 at 8:46 AM, Tanstaafl<tanstaafl@libertytrek.org> wrote:

Hi everyone,

I know that you can restrict access to a certain site using either Basic
HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
SSL Client Certificate?


Yes, you can. The specifics of how depend on what web server you're using.

For Apache, there are some examples of different scenarios here:
https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients


I'd also like to provide for IP based exceptions if possible


Trivial in Apache using mod_authz_host which is made for that kind of
thing. You can combine the two access methods (allow all if it's
coming from your company's internal IP, otherwise require
certificate).


Perfect, thanks Paul (and yes this is with Apache)...

Glad to know I can do it, hopefully I can get it working without having
to sign up to yet another email list to ask for help...