SSL – Apache: force client side certificate authentication for internet visitor, no authentication for localhost

apache-2.2, httpd.conf, ssl

How can I let Apache force client side certificate authentication upon guests from the internet, but require no authentication for the localhost?

Both should use https, and read the same dir, preferably on the same port.

I have a client side certificate config setup that works; now I need to add the no auth localhost access.

Does anyone have a good httpd.conf template? I tried using http://www.modssl.org/docs/2.8/ssl_howto.html#ToC10 but I could not get this to work (and that example is also not exactly what I need.)

Best Answer

The configuration of SSL is completely separate from checking which hosts can access a directory.

To require authentication from anyone but localhost, you can use the satisfy parameter and do something like this:

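# Host-based access: hosts that match no Allow line are denied
Order allow,deny
Allow from localhost 127.0.0.1
# Every other client must authenticate
Require valid-user
Satisfy Any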

What the above says is that a user must either authenticate or be coming from the localhost in order to access the server.

There is also a decent example using Satisfy Any in the official Apache docs. It explains where in the Apache configuration something like this is allowed. http://httpd.apache.org/docs/2.0/mod/core.html#satisfy

Update based on comments: Why not simply configure two virtual hosts? One with a catch-all (*:443) that does client-certificate authentication and another host (127.0.0.1:443) listening only on the localhost that does regular SSL? You can set the document root to be the same directory for both virtual servers.
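
The two-virtual-host layout suggested in the update could look like the following for Apache 2.2 with mod_ssl. This is an added example, not configuration from the original answer; the file paths, the ServerName values and the document root are placeholder assumptions.

```apache
# Added example (Apache 2.2 + mod_ssl). All paths and names are placeholders.
Listen 443

# Loopback only: ordinary TLS, no client certificate requested.
# An exact address match is preferred over the *:443 wildcard below.
<VirtualHost 127.0.0.1:443>
    ServerName localhost
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLVerifyClient none
    <Directory /var/www/secure>
        # Second check: refuse anything that is not a loopback client.
        Order allow,deny
        Allow from 127.0.0.1
    </Directory>
</VirtualHost>

# Every other address: the handshake fails unless the client presents
# a certificate that chains to the CA in SSLCACertificateFile.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    <Directory /var/www/secure>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Anything on the same machine that forwards connections to 127.0.0.1:443, such as a reverse proxy or an SSH tunnel, lands in the loopback virtual host and is served without a client certificate, so check for such forwarders before relying on this split.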