Re: [users@httpd] allow client certs as alternative to basic auth

Sat, 16 Oct 2010 14:51:06 -0700 

----- "André Pinto" <[email protected]> wrote:

> > why when the user put a valid certificate the server still asking
> user 
> > name and
> > password??

Because "Satisfy any", in fact, doesn't.
dev@ is looking into making this an option.

> > <Directory /usr/local/apache2/htdocs/subarea>
> > #   Inside the subarea any Intranet access is allowed
> > #   but from the Internet only HTTPS + Strong-Cipher + Password
> > #   or the alternative HTTPS + Strong-Cipher + Client-Certificate
> >
> > #   If HTTPS is used, make sure a strong cipher is used.
> > #   Additionally allow client certs as alternative to basic auth.
> > SSLVerifyClient      optional
> > SSLVerifyDepth       1
> > SSLOptions           +FakeBasicAuth +StrictRequire
> > SSLRequire           %{SSL_CIPHER_USEKEYSIZE}>= 128
> >
> > #   Force clients from the Internet to use HTTPS
> > RewriteEngine        on
> > RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
> > RewriteCond          %{HTTPS} !=on
> > RewriteRule          .* - [F]
> >
> > #   Allow Network Access and/or Basic Auth
> > Satisfy              any
> >
> > #   Network Access Control
> > Order                deny,allow
> > Deny                 from all
> > Allow                192.168.1.0/24
> >
> > #   HTTP Basic Authentication
> > AuthType             basic
> > AuthName             "Protected Intranet Area"
> > AuthBasicProvider    file
> > AuthUserFile         conf/protected.passwd
> > Require              valid-user
> > </Directory>/
> >
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [email protected]
>    "   from the digest: [email protected]
> For additional commands, e-mail: [email protected]

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: [email protected]
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
   "   from the digest: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to