How to bypass SSLVerifyClient for specific IP Address

 
matthewcm



Joined: 30 Jan 2018
Posts: 2

Posted: Tue 30 Jan '18 18:57    Post subject: How to bypass SSLVerifyClient for specific IP Address

Hello all,

I'm fairly new to HTTPD so I need some insight from the pros.

The previous admins set up HTTPD on a Linux box. It is configured to read Certs by the user accessing a specific DNS (ex: https://cxg-now-test.abc). A reverse proxy is then used to send the user to the app server, if their cert is valid, which resides on the same box. This works great.

In my HTTPD config, I have a section like this:

Code:
<VirtualHost>
...
SSLVerifyClient require
SSLVerifyDepth 3
SSLOptions +ExportCertData +StdEnvVars
SSLCACertificateFile <path to cert>
</VirtualHost>


Whenever someone accesses https://cxg-now-test.abc, their cert is read and they are sent to the app. Again this works great.

What I'd like to do is bypass the SSLVerifyClient from a particular DNS or IP Address. Ex: 10.54.12.34

I know I can set SSLVerifyClient to 'optional' but that does not seem very secure to me.

I think the ultimate solution would be this:

All Users: SSLVerifyClient require
10.54.12.34: SSLVerifyClient optional

BTW, we're running Apache 2.2


Is this doable?

Any help is greatly appreciated
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6383
Location: Germany, Next to Hamburg

Posted: Thu 08 Feb '18 16:23

I found this https://serverfault.com/questions/411858/allowing-users-in-from-an-ip-address-without-certificate-client-authentication

Maybe that works for you, too.
matthewcm



Joined: 30 Jan 2018
Posts: 2

Posted: Thu 08 Feb '18 16:44    Post subject: Ended up just changing SSLVerifyClient require

So we did some asking around; other teams have just changed their SSLVerifyClient to 'optional'.

So we're going to do the same. We made the change in DEV and TEST and so far all is good.
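
An added example, not part of the thread or of the linked answer: one way to get the behaviour asked for in the first post on Apache 2.2, by keeping the handshake at `optional` and enforcing the certificate check per request with mod_ssl's `SSLRequire`. The listen address and the CA file path are placeholders assumed for illustration; the hostname and 10.54.12.34 come from the question.

```apache
# Added example, not from the thread. "*:443" and the CA path are
# placeholders; 10.54.12.34 is the address named in the question.

# Weak form: "optional" on its own. A client that sends no certificate
# still completes the TLS handshake, and nothing afterwards rejects it.
#
#   SSLVerifyClient optional

# Stricter form: optional at the handshake, enforced at the access stage.
<VirtualHost *:443>
    ServerName cxg-now-test.abc
    # Server certificate, key and reverse-proxy directives stay as they
    # are in the existing virtual host; they are not repeated here.

    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +ExportCertData +StdEnvVars
    SSLCACertificateFile /path/to/client-ca.crt

    <Location />
        # Let the request through only if the client certificate verified,
        # or the connection comes from the single exempt address.
        # (On Apache 2.4, SSLRequire is deprecated in favour of Require expr.)
        SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" ) \
                or ( %{REMOTE_ADDR} eq "10.54.12.34" )
    </Location>
</VirtualHost>
```

A request from any other address without a verified certificate is answered with 403 Forbidden. If a load balancer or NAT device sits in front of httpd, `REMOTE_ADDR` is that device's address, so the exemption would cover every client behind it.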