<p>The first method:</p>
<table border="0" cellpadding="0" cellspacing="0">
<tr><td><font face="Arial,Helvetica" color="#999999">/usr/local/apache/conf/httpd.conf</font></td></tr>
<tr><td bgcolor="#ffffff"><pre>
SSLVerifyClient none
&lt;Directory /usr/local/apache/htdocs/secure/area&gt;
#   Require a client certificate and verify its chain against the CA files
SSLVerifyClient      require
SSLVerifyDepth       5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
#   FakeBasicAuth presents the certificate subject DN as the Basic Auth user name
SSLOptions           +FakeBasicAuth
SSLRequireSSL
AuthName             "Snake Oil Authentication"
AuthType             Basic
AuthUserFile         /usr/local/apache/conf/httpd.passwd
require              valid-user
&lt;/Directory&gt;
</pre></td></tr>
</table>
<p></p>
<table border="0" cellpadding="0" cellspacing="0">
<tr><td><font face="Arial,Helvetica" color="#999999">/usr/local/apache/conf/httpd.passwd</font></td></tr>
<tr><td bgcolor="#ffffff"><pre>
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
</pre></td></tr>
</table>
<p>The second method:</p>
<table border="0" cellpadding="0" cellspacing="0">
<tr><td><font face="Arial,Helvetica" color="#999999">httpd.conf</font></td></tr>
<tr><td bgcolor="#ffffff"><pre>
SSLVerifyClient none
&lt;Directory /usr/local/apache/htdocs/secure/area&gt;
SSLVerifyClient      require
SSLVerifyDepth       5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions           +FakeBasicAuth
SSLRequireSSL
#   Match on fields of the certificate subject DN instead of a password file
SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
                     %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
&lt;/Directory&gt;
</pre></td></tr>
</table>
<li><a name="ToC10"></a> <a name="auth-intranet"></a> <strong id="howto">How can I require HTTPS with strong ciphers and either basic authentication or client certificates for access to a subarea on the Intranet website for clients coming from the Internet but still allow plain HTTP access for clients on the Intranet?</strong> [<a href="http://www.modssl.org/docs/2.2/ssl_howto.html#auth-intranet"><b>L</b></a>]
<p>Let us assume the Intranet can be distinguished through the IP network 192.160.1.0/24 and the subarea on the Intranet website has the URL <tt>/subarea</tt>. Then configure the following outside your HTTPS virtual host (so it applies to both HTTPS and HTTP):</p>
<table border="0" cellpadding="0" cellspacing="0">
<tr><td><font face="Arial,Helvetica" color="#999999">httpd.conf</font></td></tr>
<tr><td bgcolor="#ffffff"><pre>
&lt;Directory /usr/local/apache/htdocs&gt;
#   Outside the subarea only Intranet access is granted
Order                deny,allow
Deny                 from all
Allow                from 192.160.1.0/24
&lt;/Directory&gt;

&lt;Directory /usr/local/apache/htdocs/subarea&gt;
#   Inside the subarea any Intranet access is allowed
#   but from the Internet only HTTPS + Strong-Cipher + Password
#   or the alternative HTTPS + Strong-Cipher + Client-Certificate

#   If HTTPS is used, make sure a strong cipher is used.
#   Additionally allow client certs as alternative to basic auth.
SSLVerifyClient      optional
SSLVerifyDepth       1
SSLCACertificateFile conf/ssl.crt/company-ca.crt
SSLOptions           +FakeBasicAuth +StrictRequire
SSLRequire           %{SSL_CIPHER_USEKEYSIZE} &gt;= 128

#   Force clients from the Internet to use HTTPS
RewriteEngine        on
RewriteCond          %{REMOTE_ADDR} !^192\.160\.1\.[0-9]+$
RewriteCond          %{HTTPS} !=on
RewriteRule          .* - [F]

#   Allow Network Access and/or Basic Auth
Satisfy              any

#   Network Access Control
Order                deny,allow
Deny                 from all
Allow                from 192.160.1.0/24

#   HTTP Basic Authentication
AuthType             basic
AuthName             "Protected Intranet Area"
AuthUserFile         conf/protected.passwd
Require              valid-user
&lt;/Directory&gt;
</pre></td></tr>
</table>
</ul>
<p>
<br>
<table>
<tr><td>
<table width="598">
<tr>
<td align="left"><font face="Arial,Helvetica"><a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>The Apache Interface to OpenSSL</font></td>
<td align="right"><font face="Arial,Helvetica">Copyright © 1998-2000 <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>All Rights Reserved<br></font></td>
</tr>
</table>
</td></tr>
</table>
</td></tr></table></div></body></html>
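A consistency check for the Intranet configuration above, written as an added Python example (it is not part of the mod_ssl manual): the network given to "Allow from" and the REMOTE_ADDR pattern in RewriteCond must describe the same clients, otherwise Intranet clients on plain HTTP are refused by the [F] rule. The names check, parse_networks, BROKEN and FIXED, the probe addresses and the sample directives are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample directives (not taken from a live server). BROKEN pairs an
# "Allow from" network with a REMOTE_ADDR pattern for a different network.
BROKEN = r"""
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond %{HTTPS} !=on
RewriteRule .* - [F]
Satisfy any
Order deny,allow
Deny from all
Allow from 192.160.1.0/24
"""
FIXED = BROKEN.replace(r"192\.168", r"192\.160")

ALLOW = re.compile(r"^\s*Allow\s+from\s+(\S+)", re.I | re.M)
COND = re.compile(r"^\s*RewriteCond\s+%\{REMOTE_ADDR\}\s+!(\S+)", re.I | re.M)


def parse_networks(conf):
    """Collect the networks named by 'Allow from'; skip host names and 'all'."""
    nets = []
    for value in ALLOW.findall(conf):
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue
    return nets


def check(conf, probes=("192.168.1.7", "192.160.1.7", "203.0.113.9")):
    """Report addresses that 'Allow from' and the HTTPS exemption treat differently."""
    nets = parse_networks(conf)
    exempt_res = [re.compile(p) for p in COND.findall(conf)]
    if not nets or not exempt_res:
        return []
    sample = list(probes)
    for net in nets:  # first, middle and last address of each allowed network
        sample += [str(net[0]), str(net[net.num_addresses // 2]), str(net[-1])]
    findings = []
    for addr in sample:
        allowed = any(ipaddress.ip_address(addr) in n for n in nets)
        exempt = any(r.search(addr) for r in exempt_res)
        if allowed and not exempt:
            findings.append(f"{addr}: in an allowed network, but plain HTTP gets 403")
        elif exempt and not allowed:
            findings.append(f"{addr}: outside allowed networks, but not forced to HTTPS")
    return findings
```

The check only samples a few addresses per network, so an empty result means no mismatch was found among those samples, not that the pattern and the network are proven equivalent.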