0

How I can let Apache force client side certificate authentication upon guests from the internet, but require no authentication for the localhost?

Both should use https, and read the same dir, preferably on the same port.

I have a client side certificate config setup that works, now I need to add the no auth localhost access.

Does anyone have a good httpd.conf template? I tried using http://www.modssl.org/docs/2.8/ssl_howto.html#ToC10 but I could not get this to work (and that example is also not exactly what I need.)

1 Answers1

3

The configuration of ssl is completely separate from checking which hosts can access a directory.

To require authentication from anyone but localhost, you can use the satisfy parameter and do something like this:

Allow from localhost 127.0.0.1
Require valid-user
Satisfy Any

What the above says is that a user must either authenticate or be coming from the localhost in order to access the server.

There is a decent example using Satisfy Any on the official apache docs also. It explains where in the apache configuration something like this is allowed. http://httpd.apache.org/docs/2.0/mod/core.html#satisfy

Update based on comments: Why not simply configure two virtual hosts? One with a catch all (*:443) that does client-certificate authentication and another host (127.0.0.1:443) listening only on the localhost that does regular ssl? You can set the document root to be the same directory for both virtual servers.

emills
  • 774
  • 1
  • 4
  • 15
  • If I read the documentation correctly, an user is valid when the user identifies himself using the type of authentication set with the AuthType directive, which does not support client side certificates. –  Oct 13 '09 at 19:21
  • 1
    I see now that I mentioned nowhere "certificates". So I'll change the question. –  Oct 13 '09 at 19:22
  • Two virtual hosts. Of course. I used a plain http host because it only is localhost traffic. That works now. Thanks. –  Oct 15 '09 at 09:13