* [gentoo-user] Restrict site access by SSL Client Cert?
@ 2012-02-15 14:46 Tanstaafl
2012-02-15 15:19 ` Michael Mol
2012-02-15 15:46 ` Paul Hartman
0 siblings, 2 replies; 4+ messages in thread
From: Tanstaafl @ 2012-02-15 14:46 UTC
To: gentoo-user
Hi everyone,

I know that you can restrict access to a certain site using either Basic
HTTP Auth or Digest Auth, but I was wondering - can you do the same with
an SSL Client Certificate?

I'd like to prevent access to an ancient web based database to only
users that have a Client Cert that I created for them installed.

Is this possible? I'd also like to provide for IP based exceptions if
possible, but if I can't do both, I'll just install the Cert for everyone.

Thanks,
Charles
* Re: [gentoo-user] Restrict site access by SSL Client Cert?
From: Michael Mol @ 2012-02-15 15:19 UTC
To: gentoo-user
On Wed, Feb 15, 2012 at 9:46 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi everyone,
>
> I know that you can restrict access to a certain site using either Basic
> HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
> SSL Client Certificate?
>
> I'd like to prevent access to an ancient web based database to only users
> that have a Client Cert that I created for them installed.
>
> Is this possible? I'd also like to provide for IP based exceptions if
> possible, but if I can't do both, I'll just install the Cert for everyone.
Two ways (that I know of) to do this:
1) Configure a front-end proxy like squid to do it.
2) Configure Apache to do it.
I haven't done it myself, though, and I hear the error messages the
OpenSSL libraries give you are cryptic.
--
:wq
* Re: [gentoo-user] Restrict site access by SSL Client Cert?
From: Paul Hartman @ 2012-02-15 15:46 UTC
To: gentoo-user
On Wed, Feb 15, 2012 at 8:46 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi everyone,
>
> I know that you can restrict access to a certain site using either Basic
> HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
> SSL Client Certificate?
Yes, you can. The specifics of how depend on what web server you're using.
For Apache, there are some examples of different scenarios here:
https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients
> I'd also like to provide for IP based exceptions if possible
Trivial in Apache using mod_authz_host which is made for that kind of
thing. :) You can combine the two access methods (allow all if it's
coming from your company's internal IP, otherwise require
certificate).
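The combination described in the reply above (allow the internal network, otherwise require a client certificate), as an added example that is not part of the original thread. It assumes Apache 2.4 authorization syntax; the hostname, file paths and the 192.0.2.0/24 range are placeholders.

```apache
# Added example, not from the thread. All names, paths and addresses
# below are placeholders chosen for illustration.
<VirtualHost *:443>
    ServerName db.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key

    # Only certificates issued by this private CA count as valid.
    # Point this at the CA you created for your users, never at a
    # public CA bundle, or any publicly issued cert would be accepted.
    SSLCACertificateFile  /etc/ssl/apache2/client-ca.crt

    # "optional" asks for a certificate but still completes the
    # handshake without one, so internal clients are not rejected at
    # the TLS layer. On its own this restricts nothing; the Require
    # lines below make the access decision.
    # Set at virtual-host level so the certificate is requested during
    # the initial handshake.
    SSLVerifyClient optional
    # Depth 1: client certificates signed directly by the CA above.
    SSLVerifyDepth  1

    <Location "/">
        # Access is granted if either condition holds.
        <RequireAny>
            # IP-based exception (mod_authz_host).
            Require ip 192.0.2.0/24
            # Otherwise the client must have presented a certificate
            # that verified against SSLCACertificateFile (mod_ssl).
            Require ssl-verify-client
        </RequireAny>
    </Location>
</VirtualHost>
```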
* Re: [gentoo-user] Restrict site access by SSL Client Cert?
From: Tanstaafl @ 2012-02-15 16:24 UTC
To: gentoo-user
On 2012-02-15 10:46 AM, Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> On Wed, Feb 15, 2012 at 8:46 AM, Tanstaafl<tanstaafl@libertytrek.org> wrote:
>> Hi everyone,
>>
>> I know that you can restrict access to a certain site using either Basic
>> HTTP Auth or Digest Auth, but I was wondering - can you do the same with an
>> SSL Client Certificate?
>
> Yes, you can. The specifics of how depend on what web server you're using.
>
> For Apache, there are some examples of different scenarios here:
> https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients
>
>> I'd also like to provide for IP based exceptions if possible
>
> Trivial in Apache using mod_authz_host which is made for that kind of
> thing. :) You can combine the two access methods (allow all if it's
> coming from your company's internal IP, otherwise require
> certificate).
Perfect, thanks Paul (and yes this is with Apache)...
Glad to know I can do it, hopefully I can get it working without having
to sign up to yet another email list to ask for help... ;)