
📄 ssl_howto.html

📁 mod_ssl-2.8.31-1.3.41.tar.gz (a handy SSL tool)
<ul>
<li><a name="ToC9"></a>
    <a name="auth-particular"></a>
    <strong id="howto">How can I authenticate only particular clients for some URLs based
on certificates but still allow arbitrary clients to access the remaining
parts of the server?</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular"><b>L</b></a>]
    <p>
The key is to check various ingredients of the client certificate. Usually
this means checking all or part of the Distinguished Name (DN) of the
Subject. Two methods exist for this: the <code>mod_auth</code> based variant
and the <code>SSLRequire</code> variant. The first method is good when the
clients are of totally different types, i.e. when their DNs have no common
fields (usually the organisation, etc.). In this case you have to establish a
password database containing <em>all</em> clients. The second method is better
when your clients are all part of a common hierarchy which is encoded into the
DN.
Then you can match them more easily.
<p>
The first method:
<p>
<font face="Arial,Helvetica" color="#999999">/usr/local/apache/conf/httpd.conf</font>
<pre>
SSLVerifyClient      none
&lt;Directory /usr/local/apache/htdocs/secure/area&gt;
SSLVerifyClient      require
SSLVerifyDepth       5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions           +FakeBasicAuth
SSLRequireSSL
AuthName             "Snake Oil Authentication"
AuthType             Basic
AuthUserFile         /usr/local/apache/conf/httpd.passwd
require              valid-user
&lt;/Directory&gt;
</pre>
<p>
<font face="Arial,Helvetica" color="#999999">/usr/local/apache/conf/httpd.passwd</font>
<pre>
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
</pre>
<p>
The second method:
<p>
<font face="Arial,Helvetica" color="#999999">httpd.conf</font>
<pre>
SSLVerifyClient      none
&lt;Directory /usr/local/apache/htdocs/secure/area&gt;
SSLVerifyClient      require
SSLVerifyDepth       5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions           +FakeBasicAuth
SSLRequireSSL
SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
                     %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
&lt;/Directory&gt;
</pre>
<p>
<li><a name="ToC10"></a>
    <a name="auth-intranet"></a>
    <strong id="howto">How can
I require HTTPS with strong ciphers and either basic authentication or client
certificates for access to a subarea on the Intranet website for clients
coming from the Internet but still allow plain HTTP access for clients on the
Intranet?</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#auth-intranet"><b>L</b></a>]
    <p>
Let us assume the Intranet can be distinguished through the IP network
192.168.1.0/24 and the subarea on the Intranet website has the URL
<tt>/subarea</tt>. Then configure the following outside your HTTPS virtual
host (so it applies to both HTTPS and HTTP):
<p>
<font face="Arial,Helvetica" color="#999999">httpd.conf</font>
<pre>
SSLCACertificateFile conf/ssl.crt/company-ca.crt

&lt;Directory /usr/local/apache/htdocs&gt;
#   Outside the subarea only Intranet access is granted
Order                deny,allow
Deny                 from all
Allow                from 192.168.1.0/24
&lt;/Directory&gt;

&lt;Directory /usr/local/apache/htdocs/subarea&gt;
#   Inside the subarea any Intranet access is allowed
#   but from the Internet only HTTPS + Strong-Cipher + Password
#   or the alternative HTTPS + Strong-Cipher + Client-Certificate

#   If HTTPS is used, make sure a strong cipher is used.
#   Additionally allow client certs as alternative to basic auth.
SSLVerifyClient      optional
SSLVerifyDepth       1
SSLOptions           +FakeBasicAuth +StrictRequire
SSLRequire           %{SSL_CIPHER_USEKEYSIZE} &gt;= 128

#   Force clients from the Internet to use HTTPS
RewriteEngine        on
RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond          %{HTTPS} !=on
RewriteRule          .* - [F]

#   Allow Network Access and/or Basic Auth
Satisfy              any

#   Network Access Control
Order                deny,allow
Deny                 from all
Allow                from 192.168.1.0/24

#   HTTP Basic Authentication
AuthType             basic
AuthName             "Protected Intranet Area"
AuthUserFile         conf/protected.passwd
Require              valid-user
&lt;/Directory&gt;
</pre>
</ul>
<p>
<font face="Arial,Helvetica">
<a href="http://www.modssl.org/">mod_ssl</a> 2.8, User Manual<br>
The Apache Interface to OpenSSL<br>
Copyright &copy; 1998-2001
<a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
All Rights Reserved
</font>
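The two methods in the "authenticate only particular clients" answer admit different sets of clients. The following added example (not part of the mod_ssl manual) parses the one-line DN form used in httpd.passwd and compares, per DN, a lookup in the password file with the page's SSLRequire expression. The fourth passwd entry and NEW_HIRE are constructed sample values, and the function names are this example's own.

```python
import re

# First three entries are the page's httpd.passwd; the fourth and NEW_HIRE
# are constructed for this example.
PASSWD_FILE = """\
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
/C=FR/L=Paris/O=Partner S.A./OU=Audit/CN=Zed:xxj31ZMTZzkVA
"""
NEW_HIRE = "/C=DE/L=Berlin/O=Snake Oil, Ltd./OU=Staff/CN=New"


def parse_dn(dn):
    """Split a one-line DN into {attribute: value}.

    The split happens only at a '/' that starts a new ATTR= pair, so values
    may contain commas, dots and spaces. A repeated attribute keeps its last
    value in this sketch.
    """
    fields = re.split(r"/(?=[A-Za-z]+=)", dn)[1:]
    return dict(field.split("=", 1) for field in fields)


def passwd_users(text):
    """Method one: the user names (subject DNs) listed in AuthUserFile."""
    return {line.rsplit(":", 1)[0] for line in text.splitlines() if line.strip()}


def ssl_require(dn):
    """Method two: the page's SSLRequire expression applied to one DN."""
    fields = parse_dn(dn)
    return (fields.get("O") == "Snake Oil, Ltd."
            and fields.get("OU") in {"Staff", "CA", "Dev"})


def compare(dns, passwd_text):
    """Return {dn: (admitted_by_method_one, admitted_by_method_two)}."""
    users = passwd_users(passwd_text)
    return {dn: (dn in users, ssl_require(dn)) for dn in dns}


if __name__ == "__main__":
    candidates = sorted(passwd_users(PASSWD_FILE) | {NEW_HIRE})
    for dn, (one, two) in compare(candidates, PASSWD_FILE).items():
        print(f"passwd={one!s:5} SSLRequire={two!s:5} {dn}")
```

A DN from an unrelated organisation is admitted only by the password file, while a new certificate issued inside the hierarchy is admitted only by the expression until someone adds it to the file.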
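The /subarea configuration combines a rewrite rule, SSLRequire with +StrictRequire, and Satisfy any, and the outcome for a given request is easy to misjudge. The following added example (not part of the mod_ssl manual) is a simplified model of the policy stated in that configuration's comments, not Apache's own evaluation engine. The function and parameter names are this example's own, and the requests in CASES are constructed.

```python
import ipaddress
import re

INTRANET = ipaddress.ip_network("192.168.1.0/24")         # Allow from ...
REWRITE_INTRANET = re.compile(r"^192\.168\.1\.[0-9]+$")   # RewriteCond pattern


def subarea_access(remote_addr, https, keysize=0, password_ok=False, cert_user=False):
    """Model the /subarea policy; returns (allowed, reason).

    keysize     -- SSL_CIPHER_USEKEYSIZE of the negotiated cipher (HTTPS only)
    password_ok -- Basic auth credentials match conf/protected.passwd
    cert_user   -- verified client certificate whose DN is listed in that file
                   (the FakeBasicAuth path)
    """
    # Two RewriteCond lines + RewriteRule [F]: no plain HTTP from the Internet.
    if not REWRITE_INTRANET.match(remote_addr) and not https:
        return False, "plain HTTP from the Internet"
    # Assumption of this model: on plain HTTP there is no cipher to test, so
    # only HTTPS requests are checked. +StrictRequire makes a failed
    # SSLRequire final, so "Satisfy any" cannot rescue a weak cipher.
    if https and keysize < 128:
        return False, "weak cipher"
    # Satisfy any: either the network rule or valid-user is enough.
    if ipaddress.ip_address(remote_addr) in INTRANET:
        return True, "Intranet address"
    if password_ok or (https and cert_user):
        return True, "valid-user"
    return False, "authentication required"


# Constructed requests: (remote_addr, https, keysize, password_ok, cert_user)
CASES = [
    ("192.168.1.20", False, 0, False, False),   # Intranet, plain HTTP
    ("192.168.1.20", True, 40, False, False),   # Intranet, HTTPS, weak cipher
    ("203.0.113.7", False, 0, True, False),     # Internet, HTTP + password
    ("203.0.113.7", True, 128, True, False),    # Internet, HTTPS + password
    ("203.0.113.7", True, 256, False, True),    # Internet, HTTPS + client cert
    ("203.0.113.7", True, 128, False, False),   # Internet, HTTPS, no credentials
]


def decisions():
    """Allow/deny verdict for each constructed request, in order."""
    return [subarea_access(*case)[0] for case in CASES]


if __name__ == "__main__":
    for case in CASES:
        print(case, "->", subarea_access(*case))
```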
