
I need to allow access to my site without SSL certificates from my office network and with SSL certificates outside.

Here is my configuration:

<Directory /srv/www>
    AllowOverride All

    Order deny,allow
    Deny from all
    # office network static IP
    Allow from xxx.xxx.xxx.xxx

    SSLVerifyClient require
    SSLOptions +FakeBasicAuth
    AuthName "My secure area"
    AuthType Basic
    AuthUserFile /etc/httpd/ssl/index
    Require valid-user
    Satisfy Any
</Directory>

When I'm inside the network and have a certificate, I can access. When I'm inside the network and don't have a certificate, I can't access; it requires a certificate.

When I'm outside the network and have a certificate, I can't access; it shows me the basic login screen. When I'm outside the network and don't have a certificate, I can't access; it shows me the basic login screen.

And the following configuration works perfectly:

<Directory /srv/www>
    AllowOverride All

    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx

    AuthUserFile /srv/www/htpasswd
    AuthName "Restricted Access"
    AuthType Basic
    Require valid-user
    Satisfy Any
</Directory>
John

3 Answers


Here is how I implemented that (xxx.xxx.xxx.xxx - allow access for this address without cert):

    # Ask for a client certificate but do not abort the handshake if none is sent;
    # the access decision is made per request by the rewrite rules below.
    SSLVerifyClient optional
    SSLOptions -FakeBasicAuth +StrictRequire -StdEnvVars -ExportCertData
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    RewriteEngine on
    # Forbid (403) when no certificate verified successfully ...
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    # ... AND the client is not the office address (dots escaped: a bare "." matches any character).
    RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
    RewriteRule   ^  -  [F]

Note that SSLVerifyClient should NOT be in directory context:

In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.

John
  • Thank you very much for having come back to provide the answer. Could you accept your own answer please? –  Sep 17 '12 at 22:10
  • Ok, I thought that I should not accept my answer because it may be treated as rank cheating – John Nov 08 '12 at 09:47
  • I'm not sure if you earn points when you accept your own answer. However marking a question as answered is important as it does not appear in the unanswered anymore. –  Nov 08 '12 at 10:06
  • This is a very underrated answer! – Jay Are Feb 27 '19 at 17:28


Presumably, inside your network, the server has a different (internal, private) IP than when accessed from the outside.

In that case, it would be simplest to set up two vhosts - one on in.ter.nal.ip:443, and one on ex.ter.nal.ip:443.

Require client certificates only on the external vhost.

adaptr


I was surprised to find this works in Apache 2.4:

<LocationMatch "^/some/secure/place">
    <If "! -R 'xxx.xxx.xxx.xxx/32'">
            SSLRequireSSL
            SSLVerifyClient require
            ...etc
    </If>
</LocationMatch>
scipilot
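Putting the first answer's idea (set SSLVerifyClient optional once, in virtual-host context, and decide per request) together with the Apache 2.4 authorization syntax from the last answer gives the following complete vhost fragment. It is an added example, not code from any of the posted answers; the office network 203.0.113.0/24, the server name and the certificate paths are placeholders.

```apache
# Added example (not from the answers above). Placeholders: 203.0.113.0/24 = office network,
# www.example.com and the /etc/httpd/ssl/* paths = your own server name and key material.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /srv/www

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    # CA that issued the client certificates; a certificate not chaining to it fails the handshake.
    SSLCACertificateFile  /etc/httpd/ssl/ca.crt

    # Request a client certificate during the initial handshake (virtual-host context, so no
    # mid-request renegotiation). "optional" lets clients without a certificate connect;
    # for them SSL_CLIENT_VERIFY is NONE, for a verified certificate it is SUCCESS.
    SSLVerifyClient optional
    SSLVerifyDepth 2

    <Directory /srv/www>
        AllowOverride None
        # Access is granted if EITHER condition holds (Apache 2.4 mod_authz_core):
        <RequireAny>
            # 1. the request comes from the office network (no certificate needed) ...
            Require ip 203.0.113.0/24
            # 2. ... or the client presented a certificate that verified against the CA.
            Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
        </RequireAny>
    </Directory>
</VirtualHost>
```

Because the verification level is fixed for the whole vhost, no renegotiation is triggered after the request is read, which also matters under TLS 1.3, where renegotiation no longer exists. Check the result with `apachectl configtest` and then from one host on the office network and one outside it, with and without a client certificate, as the question enumerates.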