Ssl – Apache ~ how to force SSL client auth for specific IP

Tags: apache-2.2, https, openssl, ssl, ssl-certificate

Haven't been able to figure out how to easily manage access to my SSL website.

I'm trying to allow access to a specific location based on client IP.

If client IP = 192.168.x.x => bypass client certificate authentication
If client IP != 192.168.x.x => request client certificate authentication.

I tried several methods (URL rewriting, Vhost, Allow, Deny, Satisfy…) without success.

My SSL client verification works OK, I'm just stuck with this basic "if" request. I'm running Apache 2.12.

I already tried to implement http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html (section "How can I require HTTPS with strong ciphers and either basic authentication or client certificates for access to a subarea on the Intranet website for clients coming from the Internet but still allow plain HTTP access for clients on the Intranet?") but it's not working.

Quite frustrating because this is exactly what I'm looking for 😉 (except for the AuthType Basic)

Thanks

<Location /folder>
SSLVerifyClient      require
SSLOptions           +StrictRequire
SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
Satisfy Any
Order deny,allow
Deny from all
Allow from 192.168.x.x
</Location>

Best Answer

OK, so it looks like it is not possible to do that on Apache < 2.3.

I've updated to Apache 2.4 and just added the "if" directive:

<If "%{REMOTE_ADDR} == 'xx.xx.xx.xx'">
    SSLVerifyClient      require
    SSLOptions           +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
</If>
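
The condition from the question (certificate required for every client outside 192.168.x.x) written with the same `<If>` technique, as an added example that is not part of the original question or answer. It assumes Apache 2.4 with mod_ssl; the hostname, the file paths and the reading of 192.168.x.x as 192.168.0.0/16 are placeholders and assumptions.

```apache
# Added example, not from the original post. Assumes Apache 2.4 + mod_ssl.
# ServerName, certificate paths and the /16 range are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"

    # CA that issued the client certificates to be accepted
    SSLCACertificateFile  "/path/to/client-ca.crt"

    # No client certificate is requested for the site as a whole
    SSLVerifyClient none

    <Location "/folder">
        # -R tests REMOTE_ADDR against a subnet; the leading "!" negates it,
        # so this section applies to every client outside the internal range.
        <If "!(-R '192.168.0.0/16')">
            SSLVerifyClient require
            SSLOptions      +StrictRequire
            SSLRequire      %{SSL_CIPHER_USEKEYSIZE} >= 128
        </If>
    </Location>
</VirtualHost>
```

`REMOTE_ADDR` is the address of the connecting peer, so behind a reverse proxy or load balancer every request appears to come from the proxy unless mod_remoteip is configured. Setting `SSLVerifyClient` in a per-location section makes Apache renegotiate the connection after the request has been read, so test it with the clients that will actually use the site.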