
The following is a test setting to check if lighttpd will authenticate based on an IP address when it is included in certificate subjectAltNames, e.g.

subjectAltNames=IP:192.168.1.20

Config:

$HTTP["host"] == "192.168.1.20" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/Pihole-Home-Lan/private/Pihole-Home-Lan.key-crt.pem"
#    ssl.ca-file =  "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Pihole-Home-Lan-fullchain.pem"
    ssl.ca-file =  "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Home-Lan.crt.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    # client side authentication
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    ssl.verifyclient.depth = "10"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
##    ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Line from /var/log/lighttpd/access.log when accessing by raw address 192.168.1.20:

1551209819|192.168.1.20|GET / HTTP/1.1|401|351

The browser shows 401 Not authorized. Is it failing SSL or is there another problem?

Craig Hicks
  • Likely related to https://stackoverflow.com/questions/54894290 – gstrauss Feb 27 '19 at 04:05
  • HTTP 401 Not Authorized is a different problem. It means "Not Authorized" and originates from the not-so-subtly-named mod_auth, which is different from mod_openssl. – gstrauss Feb 27 '19 at 04:10

1 Answer


$SERVER["socket"] == ":443" { ... } (or $SERVER["socket"] == "192.168.1.20:443" { ... }) belongs at the top level in the config. It is a mistake to put $SERVER["socket"] inside other lighttpd config conditions, i.e. it is a mistake to put it inside $HTTP["host"] == "192.168.1.20" { ... }

TLS is negotiated at the beginning of the socket connection, before the HTTP request is received over the encrypted TLS channel. Since the HTTP request Host header has not been received when TLS is negotiated, it is invalid to put $SERVER["socket"] inside any other condition, such as $HTTP["host"].

gstrauss
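The layout the answer describes, applied to the question's config, as an added example (this is not code from the question, the answer, or the lighttpd project): the $SERVER["socket"] block with every ssl.* setting is moved to the top level, and the $HTTP["host"] condition keeps only the request-time settings. The certificate paths, cipher list and address are reused from the question and are assumed to be valid on that host; the 401 that the comments attribute to mod_auth is a separate matter that this layout does not address.

```lighttpd
# TLS is negotiated before any HTTP request (and therefore any Host header)
# is read, so the socket block and all ssl.* options sit at the top level.
# ":443" (all addresses) also works here, as the answer notes.
$SERVER["socket"] == "192.168.1.20:443" {
  ssl.engine = "enable"
  # paths reused from the question's config; assumed to exist on the host
  ssl.pemfile = "/etc/lighttpd/ssl/Pihole-Home-Lan/private/Pihole-Home-Lan.key-crt.pem"
  ssl.ca-file = "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Home-Lan.crt.pem"
  ssl.honor-cipher-order = "enable"
  ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"

  # Client-certificate authentication: with enforce enabled, every client on
  # this socket must present a certificate that chains to ssl.ca-file, or the
  # handshake is aborted before any HTTP request is processed.
  ssl.verifyclient.activate = "enable"
  ssl.verifyclient.enforce = "enable"
  ssl.verifyclient.depth = "10"
  ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}

# Request-time conditions may still key on the Host header; only settings
# that do not affect the TLS handshake belong under them.
$HTTP["host"] == "192.168.1.20" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
```

Check the syntax with `lighttpd -t -f /etc/lighttpd/lighttpd.conf` before reloading. One consequence worth keeping in mind when reading the access log: with ssl.verifyclient.enforce enabled, a client that presents no acceptable certificate is rejected during the TLS handshake and never reaches the HTTP layer, so it produces no status line at all. A logged 401 therefore means the handshake completed and the response came from the HTTP layer, which is consistent with the comment above attributing it to mod_auth rather than mod_openssl.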