
I'm hoping someone could help me with this question...

I am running an Apache 2.4.7 server on my Ubuntu 14.04 box with some public-facing sites. For some of those sites I've implemented client certificate authentication using self-signed certs. I am trying to change my configuration such that when a client connects to the site while on the same network as the server, the authentication is bypassed altogether.

Here's the snippet of my config file:

    SSLEngine On

    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

    SSLCertificateFile /etc/ssl/ca/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/ca/private/server.key
    SSLCACertificateFile /etc/ssl/ca/certs/serverCA.crt
    SSLVerifyClient require

    SSLProxyEngine Off

    ProxyRequests Off

I have tried modifying this configuration by moving `SSLVerifyClient require` into a Location block like so:

    <Location />
      Order deny,allow
      Deny from all

      Allow from 192.168.1.0/24
      SSLVerifyClient require

      Satisfy any
    </Location>

Unfortunately, that did not work: I would still either be prompted for the cert, or my site would be freely available from the internet.

Thank you very much for your help.

dimaj

1 Answer

I found the answer here: Allowing users in from an IP address without certificate client authentication

The gist of the answer is as follows:

    <VirtualHost *:443>
        SSLEngine On

        SSLProtocol -all +TLSv1 +SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

        SSLCertificateFile /etc/ssl/ca/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/ca/private/server.key
        SSLCACertificateFile /etc/ssl/ca/certs/serverCA.crt
        SSLVerifyClient optional

        SSLProxyEngine Off

        ProxyRequests Off

        <Location />
            Order deny,allow
            Deny from all

            Satisfy any
            Allow from 192.168.1.0/24

            # Forbid the request only when BOTH conditions hold:
            # the client cert did not verify AND the peer is not on the LAN.
            # Dots are escaped so they match a literal "." rather than any character.
            RewriteEngine on
            RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
            RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
            RewriteRule   ^  -  [F]
        </Location>
    </VirtualHost>

The main changes here are the mod_rewrite directives in the Location section and the switch of SSLVerifyClient from require to optional.

dimaj
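The access decision the answer's Location block makes, as an added Python model that is not part of the original post: it evaluates the two RewriteCond patterns (with the dots in the address pattern escaped and `[0-9]+` for the last octet) against constructed requests and returns the status the block would produce. The sample addresses are made up, and the SSL_CLIENT_VERIFY values (NONE, SUCCESS, FAILED:reason) are the ones mod_ssl documents for `SSLVerifyClient optional`.

```python
import re

# Constructed copy of the two RewriteCond patterns from the answer's <Location />
# block, dots escaped so they match only a literal ".".
# mod_rewrite semantics modelled here: a leading "!" negates a pattern, and every
# RewriteCond must be true for the following "RewriteRule ^ - [F]" to fire.
REWRITE_CONDS = [
    ("%{SSL:SSL_CLIENT_VERIFY}", r"!^SUCCESS$"),
    ("%{REMOTE_ADDR}", r"!^192\.168\.1\.[0-9]+$"),
]


def cond_is_true(pattern: str, value: str) -> bool:
    """Evaluate one RewriteCond pattern against an expanded variable value."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    matched = re.search(regex, value) is not None
    return matched != negate


def decide(remote_addr: str, ssl_client_verify: str) -> int:
    """Status the Location block yields: 403 when all conditions hold, else 200."""
    env = {
        "%{SSL:SSL_CLIENT_VERIFY}": ssl_client_verify,
        "%{REMOTE_ADDR}": remote_addr,
    }
    forbidden = all(cond_is_true(pat, env[var]) for var, pat in REWRITE_CONDS)
    return 403 if forbidden else 200


# Constructed requests. Under "SSLVerifyClient optional" mod_ssl sets
# SSL_CLIENT_VERIFY to NONE (no cert offered), SUCCESS (chain validates against
# SSLCACertificateFile) or FAILED:<reason> (cert offered but not trusted).
SAMPLE_REQUESTS = [
    ("192.168.1.42", "NONE"),                            # LAN, no cert
    ("192.168.1.42", "FAILED:self signed certificate"),  # LAN, untrusted cert
    ("203.0.113.9", "NONE"),                             # internet, no cert
    ("203.0.113.9", "SUCCESS"),                          # internet, trusted cert
    ("203.0.113.9", "FAILED:self signed certificate"),   # internet, untrusted cert
    ("192.168.10.5", "NONE"),                            # neighbouring subnet
]


def policy_table() -> dict:
    """Map each constructed request to the status the vhost would return."""
    return {req: decide(*req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for (addr, verify), status in policy_table().items():
        print(f"{addr:14} {verify:32} -> {status}")
```

REMOTE_ADDR is the address of the TCP peer, so a request relayed by a proxy or NAT device that itself sits inside 192.168.1.0/24 is treated as local by this rule.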