On Wed, Jul 14, 1999, Ralf S. Engelschall wrote:
> > I'm new to mod_ssl, and I have a question regarding the use of SSLRequire.
> > I am using Apache 1.3.6, mod_ssl 2.3.5, and PHP 3.0.8 on Redhat Linux 6.0.
> >
> > I have looked through the manual, FAQ, the Howto, and tried searching
> > through the mailing list archives but I haven't found a solution. I have a
> > protected section on my website called /protected. For local Intranet
> > address, I would like to be able to get access using normal HTTP. For
> > Internet requests, HTTPS must be used. In effect, I would like:
> >
> > <Directory "/home/httpd/htdocs/protected">
> > If REMOTE_ADDR =~ 192.168.0.*
> > then Allow
> > else SSLRequireSSL
> > </Directory>
> >
> > Looking at the example httpd.conf, I came up with this:
> >
> > <Directory "/home/httpd/htdocs/protected">
> > SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
> > or %{REMOTE_ADDR} =~ m/^192\.168\.0\.[0-9]{1,3}$/
> > </Directory>
> >
> > It doesn't work, as anyone can get access using http://myhost/protected.
> > Does anyone have any ideas, or can point me to some more reading.
>
> Yes, SSLRequire is only used in SSL contexts, i.e. when SSL is enabled. But
> you don't want this, of course. There is more than one possibility for you,
> I think. You can try Apache's "Satisfy" with "deny"/"allow" plus
> "SSLRequire". You can use a RewriteRule to do the blocking according to
> REMOTE_ADDR, etc. I currently have less time to make a real decision which
> solution would be best (I think the "Satisfy" solution should be it), so
> please try to investigate yourself a little bit. When someone already knows a
> good solution, let me know: I'll add it to the HowTo chapter of
> mod_ssl's user manual.
Ok, I found the issue very interesting and investigated for an hour. My proposed
solution follows (it's my WML code for the ssl_howto.wml, so be careful with
the < and >, of course):
| <howto ref="auth-intranet" toc="intranet vs. internet authentication"> How can
| I require HTTPS with strong ciphers and either basic authentication or client
| certificates for access to a subarea on the Intranet website for clients
| coming from the Internet but still allow plain HTTP access for clients on the
| Intranet?
| </howto>
|
| Let us assume the Intranet can be distinguished through the IP network
| 192.168.1.0/24 and the subarea on the Intranet website has the URL
| <tt>/subarea</tt>. Then configure the following outside your HTTPS virtual
| host (so it applies to both HTTPS and HTTP):
|
| <p>
| <config>
| <Directory /usr/local/apache/htdocs>
| \# Outside the subarea only Intranet access is granted
| Order deny,allow
| Deny from all
| Allow from 192.168.1.0/24
| </Directory>
|
| <Directory /usr/local/apache/htdocs/subarea>
| \# Inside the subarea any Intranet access is allowed
| \# but from the Internet only HTTPS + Strong-Cipher + Password
| \# or the alternative HTTPS + Strong-Cipher + Client-Certificate
|
| \# If HTTPS is used, make sure a strong cipher is used.
| \# Additionally allow client certs as alternative to basic auth.
| SSLVerifyClient optional
| SSLVerifyDepth 1
| \# (SSLCACertificateFile conf/ssl.crt/company-ca.crt is a server-config /
| \#  virtual-host directive, so it belongs in the HTTPS virtual host, not here)
| SSLOptions +FakeBasicAuth +StrictRequire
| SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
|
| \# Force clients from the Internet to use HTTPS
| RewriteEngine on
| RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
| RewriteCond %{HTTPS} !=on
| RewriteRule .* - [F]
|
| \# Allow Network Access and/or Basic Auth
| Satisfy any
|
| \# Network Access Control
| Order deny,allow
| Deny from all
| Allow from 192.168.1.0/24
|
| \# HTTP Basic Authentication
| AuthType basic
| AuthName "Protected Intranet Area"
| AuthUserFile conf/protected.passwd
| Require valid-user
| </Directory>
| </config>
I've _NOT_ tried it in real life, so do not expect that it already does what
we want here. But I think it's close to what we want. Can someone please try
it out on a server and give me feedback?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
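The request-processing logic behind the two configurations in this thread (the poster's lone SSLRequire and Ralf's Satisfy/Rewrite/StrictRequire block), as an added model written for this page. It is not code from mod_ssl, from the howto, or from anyone on the list; it approximates the order in which Apache 1.3 applied mod_rewrite, the mod_access network ACL, basic authentication (plus mod_ssl's +FakeBasicAuth mapping of a client-certificate DN onto a user) and SSLRequire, and how "Satisfy any" and "+StrictRequire" combine them. The user set, the client-certificate DN set and all request scenarios are constructed, and password verification is assumed to have succeeded for any user listed in USERS.

```python
"""Model of the access decisions made by the mod_ssl howto configuration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Intranet network from the howto text.
INTRANET = ipaddress.ip_network("192.168.1.0/24")
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
MIN_KEYSIZE = 128
# Constructed stand-in for conf/protected.passwd: users whose password verified.
USERS = {"alice"}
# Constructed client-certificate DNs listed in the same file for +FakeBasicAuth.
CERT_DNS = {"/C=DE/O=Company/CN=Bob"}


@dataclass
class Request:
    remote_addr: str
    https: bool
    cipher: str = ""                      # %{SSL_CIPHER}, e.g. "EXP-RC4-MD5"
    cipher_keysize: int = 0               # %{SSL_CIPHER_USEKEYSIZE}
    user: Optional[str] = None            # Basic-auth user (password assumed checked)
    client_cert_dn: Optional[str] = None  # subject of a verified client certificate


def in_intranet(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTRANET


def decide_original(req: Request) -> str:
    """The poster's first attempt: a lone SSLRequire inside the Directory.

    SSLRequire is only evaluated when the request arrived over SSL, so a
    plain-HTTP request is never checked at all, which is the reported bug.
    """
    if not req.https:
        return "200 OK"
    weak = re.match(r"^(EXP|NULL)-", req.cipher) is not None
    if weak and not in_intranet(req.remote_addr):
        return "403 forbidden (SSLRequire)"
    return "200 OK"


def decide(req: Request, strict_require: bool = True) -> str:
    """The howto's Directory block for /subarea.

    strict_require=False shows what happens without +StrictRequire: Satisfy any
    lets a successful authentication override every access-stage denial,
    including the one produced by SSLRequire.
    """
    intranet = in_intranet(req.remote_addr)

    # 1. mod_rewrite runs first: Internet clients must be on HTTPS, else [F].
    if not intranet and not req.https:
        return "403 forbidden (RewriteRule)"

    # 2. Access stage: the network ACL and SSLRequire are both access checkers,
    #    and SSLRequire only applies in an SSL context.
    ssl_require_ok = (not req.https) or req.cipher_keysize >= MIN_KEYSIZE
    if strict_require and not ssl_require_ok:
        # +StrictRequire makes an SSLRequire denial final; Satisfy any cannot
        # override it with a later successful authentication.
        return "403 forbidden (SSLRequire)"
    access_ok = intranet and ssl_require_ok

    # 3. Auth stage: basic auth, or a client certificate mapped to a user by
    #    +FakeBasicAuth (the certificate's DN must appear in the password file).
    auth_ok = req.user in USERS or req.client_cert_dn in CERT_DNS

    # 4. Satisfy any: passing either stage is enough.
    if access_ok or auth_ok:
        return "200 OK"
    return "401 authentication required"


if __name__ == "__main__":
    # Constructed scenarios, printed side by side for both configurations.
    scenarios = [
        ("intranet, plain HTTP", Request("192.168.1.10", https=False)),
        ("internet, plain HTTP", Request("203.0.113.5", https=False)),
        ("internet, HTTPS 128-bit, password",
         Request("203.0.113.5", True, "RC4-MD5", 128, user="alice")),
        ("internet, HTTPS 40-bit, password",
         Request("203.0.113.5", True, "EXP-RC4-MD5", 40, user="alice")),
        ("internet, HTTPS 128-bit, client cert",
         Request("203.0.113.5", True, "RC4-MD5", 128,
                 client_cert_dn="/C=DE/O=Company/CN=Bob")),
    ]
    for label, req in scenarios:
        print(f"{label:40} original: {decide_original(req):28} "
              f"howto: {decide(req)}")
```

The scenario worth running twice is the Internet client on an export cipher with a valid password: `decide(req, strict_require=False)` returns 200 because "Satisfy any" lets the basic-auth success override the SSLRequire denial, while the default `strict_require=True` returns 403. That is the whole reason the howto sets `SSLOptions +StrictRequire` next to `Satisfy any`.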