diff options
Diffstat (limited to 'docs/manual/ssl/ssl_howto.html')
| -rw-r--r-- | docs/manual/ssl/ssl_howto.html | 655 |
1 files changed, 0 insertions, 655 deletions
diff --git a/docs/manual/ssl/ssl_howto.html b/docs/manual/ssl/ssl_howto.html deleted file mode 100644 index ba42683f70..0000000000 --- a/docs/manual/ssl/ssl_howto.html +++ /dev/null @@ -1,655 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - -<html xmlns="http://www.w3.org/1999/xhtml"> - <head> -<title>Apache SSL/TLS Encryption: How-To</title> -<style type="text/css"><!-- -#H { -} -#D { - background-color: #f0f0f0; -} ---></style> -</head> - -<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> -<!--#include virtual="header.html" --> - -<h1 align="CENTER">SSL/TLS Strong Encryption: How-To</h1> - - -<div align="right"> -<table cellspacing="0" cellpadding="0" width="200" summary=""> -<tr> -<td> -<em> -``The solution of this problem is trivial - and is left as an exercise for the reader.'' -</em> -</td> -</tr> -<tr> -<td align="right"> -<font size="-1"> -Standard textbook cookie -</font> -</td> -</tr> -</table> -</div> - -<p> -How to solve particular security constraints for an SSL-aware webserver -is not always obvious because of the coherences between SSL, HTTP and Apache's -way of processing requests. This chapter gives instructions on how to solve -such typical situations. Treat is as a first step to find out the final -solution, but always try to understand the stuff before you use it. Nothing is -worse than using a security solution without knowing its restrictions and -coherences. - -<ul> -<li><a href="#ToC1">Cipher Suites and Enforced Strong Security</a></li> -<li><a href="#ToC2">SSLv2 only server</a></li> -<li><a href="#ToC3">strong encryption only server</a></li> -<li><a href="#ToC4">server gated cryptography</a></li> -<li><a href="#ToC5">stronger per-directory requirements</a></li> -<li><a href="#ToC6">Client Authentication and Access Control</a></li> -<li><a href="#ToC7">simple certificate-based client authentication</a></li> -<li><a href="#ToC8">selective certificate-based client authentication</a></li> -<li><a href="#ToC9">particular certificate-based client authentication</a></li> -<li><a href="#ToC10">intranet vs. internet authentication</a></li> -</ul> - -<h2><a name="ToC1">Cipher Suites and Enforced Strong Security</a></h2> -<ul> -<p> -<li><a name="ToC2"></a> - <a name="cipher-sslv2"></a> - <strong id="howto"> -How can I create a real SSLv2-only server? -</strong> - [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sslv2"><b>L</b></a>] - <p> -The following creates an SSL server which speaks only the SSLv2 protocol and -its ciphers. -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLProtocol -all +SSLv2 -SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -<li><a name="ToC3"></a> - <a name="cipher-strong"></a> - <strong id="howto"> -How can I create an SSL server which accepts strong encryption only? -</strong> - [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-strong"><b>L</b></a>] - <p> -The following enables only the seven strongest ciphers: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLProtocol all -SSLCipherSuite HIGH:MEDIUM - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -<li><a name="ToC4"></a> - <a name="cipher-sgc"></a> - <strong id="howto"> -How can I create an SSL server which accepts strong encryption only, -but allows export browsers to upgrade to stronger encryption? -</strong> - [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sgc"><b>L</b></a>] - <p> -This facility is called Server Gated Cryptography (SGC) and details you can -find in the <code>README.GlobalID</code> document in the mod_ssl distribution. -In short: The server has a Global ID server certificate, signed by a special -CA certificate from Verisign which enables strong encryption in export -browsers. This works as following: The browser connects with an export cipher, -the server sends its Global ID certificate, the browser verifies it and -subsequently upgrades the cipher suite before any HTTP communication takes -place. The question now is: How can we allow this upgrade, but enforce strong -encryption. Or in other words: Browser either have to initially connect with -strong encryption or have to upgrade to strong encryption, but are not allowed -to keep the export ciphers. The following does the trick: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -# allow all ciphers for the inital handshake, -# so export browsers can upgrade via SGC facility -SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL -<Directory /usr/local/apache/htdocs> -# but finally deny all browsers which haven't upgraded -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 -</Directory> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -<li><a name="ToC5"></a> - <a name="cipher-perdir"></a> - <strong id="howto"> -How can I create an SSL server which accepts all types of ciphers in general, -but requires a strong ciphers for access to a particular URL? -</strong> - [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-perdir"><b>L</b></a>] - <p> -Obviously you cannot just use a server-wide <code>SSLCipherSuite</code> which -restricts the ciphers to the strong variants. But mod_ssl allows you to -reconfigure the cipher suite in per-directory context and automatically forces -a renegotiation of the SSL parameters to meet the new configuration. So, the -solution is: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -# be liberal in general -SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL -<Location /strong/area> -# but https://hostname/strong/area/ and below requires strong ciphers -SSLCipherSuite HIGH:MEDIUM -</Location> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -</ul> -<h2><a name="ToC6">Client Authentication and Access Control</a></h2> -<ul> -<p> -<li><a name="ToC7"></a> - <a name="auth-simple"></a> - <strong id="howto"> -How can I authenticate clients based on certificates when I know all my -clients? -</strong> - [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-simple"><b>L</b></a>] - <p> -When you know your user community (i.e. a closed user group situation), as -it's the case for instance in an Intranet, you can use plain certificate -authentication. All you have to do is to create client certificates signed by -your own CA certificate <code>ca.crt</code> and then verifiy the clients -against this certificate. -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -# require a client certificate which has to be directly -# signed by our CA certificate in ca.crt -SSLVerifyClient require -SSLVerifyDepth 1 -SSLCACertificateFile conf/ssl.crt/ca.crt - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -<li><a name="ToC8"></a> - <a name="auth-selective"></a> - <strong id="howto"> -How can I authenticate my clients for a particular URL based on certificates -but still allow arbitrary clients to access the remaining parts of the server? -</strong> - [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-selective"><b>L</b></a>] - <p> -For this we again use the per-directory reconfiguration feature of mod_ssl: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLVerifyClient none -SSLCACertificateFile conf/ssl.crt/ca.crt -<Location /secure/area> -SSLVerifyClient require -SSLVerifyDepth 1 -</Location> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -<li><a name="ToC9"></a> - <a name="auth-particular"></a> - <strong id="howto"> -How can I authenticate only particular clients for a some URLs based -on certificates but still allow arbitrary clients to access the remaining -parts of the server? -</strong> - [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-particular"><b>L</b></a>] - <p> -The key is to check for various ingredients of the client certficate. Usually -this means to check the whole or part of the Distinguished Name (DN) of the -Subject. For this two methods exists: The <code>mod_auth</code> based variant -and the <code>SSLRequire</code> variant. The first method is good when the -clients are of totally different type, i.e. when their DNs have no common -fields (usually the organisation, etc.). In this case you've to establish a -password database containing <em>all</em> clients. The second method is better -when your clients are all part of a common hierarchy which is encoded into the -DN. Then you can match them more easily. -<p> -The first method: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLVerifyClient none -<Directory /usr/local/apache/htdocs/secure/area> -SSLVerifyClient require -SSLVerifyDepth 5 -SSLCACertificateFile conf/ssl.crt/ca.crt -SSLCACertificatePath conf/ssl.crt -SSLOptions +FakeBasicAuth -SSLRequireSSL -AuthName "Snake Oil Authentication" -AuthType Basic -AuthUserFile /usr/local/apache/conf/httpd.passwd -require valid-user -</Directory> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.passwd</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA -/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA -/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -The second method: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLVerifyClient none -<Directory /usr/local/apache/htdocs/secure/area> -SSLVerifyClient require -SSLVerifyDepth 5 -SSLCACertificateFile conf/ssl.crt/ca.crt -SSLCACertificatePath conf/ssl.crt -SSLOptions +FakeBasicAuth -SSLRequireSSL -SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \ - %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} -</Directory> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -<li><a name="ToC10"></a> - <a name="auth-intranet"></a> - <strong id="howto"> How can -I require HTTPS with strong ciphers and either basic authentication or client -certificates for access to a subarea on the Intranet website for clients -coming from the Internet but still allow plain HTTP access for clients on the -Intranet? -</strong> - [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-intranet"><b>L</b></a>] - <p> -Let us assume the Intranet can be distinguished through the IP network -192.160.1.0/24 and the subarea on the Intranet website has the URL -<tt>/subarea</tt>. Then configure the following outside your HTTPS virtual -host (so it applies to both HTTPS and HTTP): -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLCACertificateFile conf/ssl.crt/company-ca.crt - -<Directory /usr/local/apache/htdocs> -# Outside the subarea only Intranet access is granted -Order deny,allow -Deny from all -Allow from 192.168.1.0/24 -</Directory> - -<Directory /usr/local/apache/htdocs/subarea> -# Inside the subarea any Intranet access is allowed -# but from the Internet only HTTPS + Strong-Cipher + Password -# or the alternative HTTPS + Strong-Cipher + Client-Certificate - -# If HTTPS is used, make sure a strong cipher is used. -# Additionally allow client certs as alternative to basic auth. -SSLVerifyClient optional -SSLVerifyDepth 1 -SSLOptions +FakeBasicAuth +StrictRequire -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 - -# Force clients from the Internet to use HTTPS -RewriteEngine on -RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ -RewriteCond %{HTTPS} !=on -RewriteRule .* - [F] - -# Allow Network Access and/or Basic Auth -Satisfy any - -# Network Access Control -Order deny,allow -Deny from all -Allow 192.168.1.0/24 - -# HTTP Basic Authentication -AuthType basic -AuthName "Protected Intranet Area" -AuthUserFile conf/protected.passwd -Require valid-user -</Directory> - -</pre> -</td> - </tr> - </table> - </td> - - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -</ul> - -<p><!--#include virtual="footer.html" --> </p> - </body> -</html> |