For security reasons, the authentication for a web application should be migrated to SSL client certificates. It should be possible to log in with either username/password or SSL. In addition, users from the intranet should be allowed to use the App without additional authentication.
We have tried to implement this scenario according to the official documentation, but without success.
Here is our current config
<Directory /opt/app/system/html>
RedirectMatch permanent ^/$ /exec/login.pl
Options -Indexes +FollowSymLinks
SSLVerifyClient optional
SSLVerifyDepth 2
SSLRequire %{SSL_CLIENT_I_DN_O} eq "Company_O"
SSLOptions +FakeBasicAuth
Satisfy any
AuthType Basic
AuthName "Zugriffsschutz"
AuthBasicProvider file
AuthUserFile /etc/apache2/htaccess/iapp.passwd
require valid-user
Order allow,deny
Allow from 10.20.0.0/255.255.0.0
Allow from 10.144.100
</Directory>
With this configuration, a client certificate is not even requested. If we remove the basic auth configuration, the SSL client authentication works well.
Best Answer
The question is three months old so my answer may not be needed by the OP but it may help anyone wanting this configuration.
The question is tagged apache-2.4 but the configuration looks like one which is appropriate for 2.2. This isn't entirely surprising as many examples in the Apache 2.4 documentation seem themselves not to be appropriate to 2.4.
I had such a configuration working in 2.2 (except for the "Allow from " which didn't work) and had to rewrite it for 2.4. I found that it needed some elements which weren't immediately apparent in the documentation.
I offer no warranty for this; it's based on my configuration file with no testing.
+StrictRequire
may not be needed inSSLOptions
- I haven't tried without it, but it does work this way.For that matter, the
SSLOptions
line may not be required at all - the+FakeBasicAuth
option probably isn't being used. In the configuration I have here, as soon asCompany_O
is found in the certificate, access will be granted. As I understand it,+FakeBasicAuth
is used withRequire valid-user
(alone) and access is granted if the DN from the certificate is found in the user list defined inAuthUserFile
, along with an appropriate password. My system doesn't work that way, and I suspect that the OP didn't want to do that either.I do have
in a different configuration file - it could be that that is an important part of the recipe.
What took me a while to get this working was that it seemed that the
Require expr %{SSL_CLIENT
bit would work on its own but eventually I realised thatRequire ssl-verify-client
was also required (see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#authzproviders)