This is the kind of thing within the virtual host configuration on the
machine you are proxying to:

<LocationMatch "/">
    Order deny,allow
    Deny from all
    Allow from 10.
    AuthType Basic
    AuthName "Outside users"
    AuthDBUserFile /path/to/dbuserfile
    require valid-user
    satisfy any
</LocationMatch>

This assumes that your internal network is a class A network starting with
10. as defined in RFC1918. Internal users get in immediately.

You have to use dbmmanage to manage the dbuserfile. It is a good idea to
ensure that the web server has only read-only access to this file.

This works because "/" appears in every single web request, so will match
all requests under your secure site.

-- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Agnostic (Greek) = Ignoramus (Latin)


>-----Original Message-----
>From: Mike Murray [mailto:[EMAIL PROTECTED]]
>Sent: 24 January 2002 23:49
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: SSL Proxy with Strong Authentication
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi all,
>
>I'm investigating using Apache and SSL for (reverse) proxying HTTPS requests;
>however, one of the requirements of the task is to have a strong auth
>mechanism in place.
>
>I had two ideas, both of which have led me to a dead end:
>
>1.  Use the ProxyPass and ProxyPassReverse directives to authorize
>connections, and requiring client certs to authenticate to the server.
>
>2.  Using a normal SSL page to authenticate via client certs, and using an
>.htaccess file in the DocRoot of the proxy server to auth IP addresses.
>
>Both seemed likely, and both have failed.  The first because the directives
>don't work as I had hoped, and the second because I can't find anywhere to
>put an .htaccess file that makes sense to the <Directory proxy> section.
>
>So, this is a two-part question: first, does anybody have any idea on how to
>use .htaccess to control access to the proxy, and/or, does anybody have any
>ideas on what will accomplish this task?
>
>       Thanks,
>               Mike
>
>- -- 
>| Mike Murray                    <[EMAIL PROTECTED]>
>| Scientific Technologist       http://www.nCircle.com
>| nCircle Network Security      
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (FreeBSD)
>Comment: For info see http://www.gnupg.org
>
>iD8DBQE8UJ1WSZ6Dtue7Vb4RAsDDAJwMg0CCcY70/0ombK2ryyN7LkF1ugCfQHsy
>42fEW4GwPOUph+5Jo8tQPBo=
>=gyM/
>-----END PGP SIGNATURE-----
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]
>
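
The policy from the reply above (internal 10. addresses pass without a prompt, everyone else must log in) written in Apache 2.4 syntax, where Order/Deny/Allow and Satisfy are replaced by Require directives. This is an added example, not part of the original messages; it assumes mod_authn_dbm is loaded, the user file is a DBM file, and it reuses the placeholder path from the reply.

```apache
# Apache 2.4 equivalent of "Order deny,allow / Allow from 10. / Satisfy any".
<LocationMatch "/">
    # Basic auth backed by a DBM user file (assumption: mod_authn_dbm).
    AuthType Basic
    AuthName "Outside users"
    AuthBasicProvider dbm
    AuthDBMUserFile /path/to/dbuserfile

    # RequireAny grants access when at least one child matches,
    # which is what "Satisfy any" did in the older syntax.
    <RequireAny>
        # Internal clients: any source address in 10.0.0.0/8 (RFC 1918).
        Require ip 10
        # Everyone else: a valid username and password from the DBM file.
        Require valid-user
    </RequireAny>
</LocationMatch>
```

The address test is applied to the peer address the server sees on the connection, so check the access log to confirm which address is being matched before relying on the internal bypass.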
