Latest Post - 2012-09-14T22:44:20Z by SystemAdmin
SystemAdmin
Pinned topic Restricting access to SSL enabled virtual host by URI by certificate

2012-09-14T17:16:54Z
Hi Folks,

I have a requirement for the following:
1. SSL enable a virtual host and enable client authentication
2. restrict access to the virtual host to a select set of clients (each with their own certificate)
3. restrict access to certain URIs to certain clients

It is the Point #2 that I'm having trouble with.
The following is the vhost configuration I have so far (this is a stripped down version of the vhost config, excluding logging config, cipher bans, etc.)

Listen 0.0.0.0:443
<VirtualHost 0.0.0.0:443>
SSLEnable
SSLClientAuth required_reset
SSLClientAuthRequire (CommonName="abc.acme.ca" || CommonName="def.acme.ca")
SetEnvIf SSL_CLIENT_DN "^CN=abc\.acme\.ca,OU=eBSSTIS,O=The\ ACME\ Company,L=Toronto,ST=Ontario,C=CA$" allow_acme_cert_abc
SetEnvIf SSL_CLIENT_DN "^CN=def\.acme\.ca,OU=eBSSTIS,O=The\ ACME\ Company,L=Toronto,ST=Ontario,C=CA$" allow_acme_cert_def
<Location /uri/test1>
Order Deny,Allow
Deny from all
Allow from env=allow_acme_cert_abc
</Location>
<Location /uri/test2>
Order Deny,Allow
Deny from all
Allow from env=allow_acme_cert_def
</Location>
</VirtualHost>

It is the SetEnvIf configuration directive I am having trouble with. Which environment variable do I check for the SSL client DN? I am aware of the SSL_CLIENT_DN environment variable and I am using this successfully to log the client DN in an access log, however I cannot figure out how to get this environment variable to work in my SetEnvIf config.

FYI - I am aware of the option to get around this by defining a separate virtual host however that is not a possible config in this case.

Thanks in advance.
Updated on 2012-09-14T22:44:20Z by SystemAdmin
  • SystemAdmin

    Re: Restricting access to SSL enabled virtual host by URI by certificate

    2012-09-14T17:18:59Z
    Correction, that should read "It is the Point #3 that I'm having trouble with."
  • SystemAdmin

    Re: Restricting access to SSL enabled virtual host by URI by certificate

    2012-09-14T22:44:20Z
    Sometimes you get inspired after posting a request... I found the solution by doing the following using the above example:

    Listen 0.0.0.0:443
    <VirtualHost 0.0.0.0:443>
    SSLEnable
    SSLClientAuth required_reset
    SSLClientAuthRequire (CommonName="abc.acme.ca" || CommonName="def.acme.ca")
    <Location /uri/test1>
    RewriteEngine On
    RewriteCond %{ENV:SSL_CLIENT_CN} !^abc\.acme\.ca$
    RewriteRule ^ - [F]
    </Location>
    <Location /uri/test2>
    RewriteEngine On
    RewriteCond %{ENV:SSL_CLIENT_CN} !^def\.acme\.ca$
    RewriteRule ^ - [F]
    </Location>
    </VirtualHost>
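The following is an added example, not part of the forum thread and not IBM HTTP Server code: a small Python model of the per-URI authorization that the two configurations above express, so the decision logic can be checked offline before it is deployed. It mirrors the reply's mod_rewrite solution (a per-Location allow-list keyed on the client certificate CN, with the `[F]` rule returning 403 on mismatch) but derives the CN from the full SSL_CLIENT_DN string, which is what the original post's SetEnvIf approach keyed on, so the same model covers both posts. The policy table, DN values and URIs are constructed from the names in the thread; `/uri/test1`, `/uri/test2` and the `acme.ca` CNs are the thread's hypothetical values. The anchored `^...$` patterns are deliberate: an unanchored CN pattern would also accept a longer name that merely starts with the expected one, which is the kind of mistake this check is meant to catch.

```python
import re
from typing import Dict, List, Optional, Pattern

# Constructed policy mirroring the reply's <Location> blocks: each URI prefix maps to an
# anchored regex for the client CN that may reach it (RewriteCond !^abc\.acme\.ca$ ... [F]).
LOCATION_POLICY: Dict[str, Pattern[str]] = {
    "/uri/test1": re.compile(r"^abc\.acme\.ca$"),
    "/uri/test2": re.compile(r"^def\.acme\.ca$"),
}


def split_dn(dn: str) -> List[str]:
    """Split a DN such as 'CN=abc.acme.ca,OU=eBSSTIS,O=The ACME Company,...' into RDNs,
    leaving backslash-escaped commas inside an attribute value alone."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def client_cn(ssl_client_dn: str) -> Optional[str]:
    """Return the CN attribute value from the DN (what SSL_CLIENT_CN carries), or None."""
    for rdn in split_dn(ssl_client_dn):
        if rdn.upper().startswith("CN="):
            return rdn[3:]
    return None


def matching_location(uri: str) -> Optional[str]:
    """Pick the policy entry the way httpd picks a <Location>: longest prefix match on
    whole path segments, so /uri/test1/report matches /uri/test1 but /uri/test1other does not."""
    best: Optional[str] = None
    for loc in LOCATION_POLICY:
        if uri == loc or uri.startswith(loc.rstrip("/") + "/"):
            if best is None or len(loc) > len(best):
                best = loc
    return best


def authorize(uri: str, ssl_client_dn: Optional[str]) -> int:
    """HTTP status the RewriteCond/RewriteRule pair would produce for this request.

    200: no Location-specific rule applies (the vhost-level SSLClientAuthRequire has
         already limited the client population), or the CN matches the Location's rule.
    403: no client certificate, no CN in it, or CN not on this Location's allow-list.
    """
    loc = matching_location(uri)
    if loc is None:
        return 200
    cn = client_cn(ssl_client_dn) if ssl_client_dn else None
    if cn is None or not LOCATION_POLICY[loc].search(cn):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed DN values in the form the original post's SetEnvIf regex expected.
    abc = "CN=abc.acme.ca,OU=eBSSTIS,O=The ACME Company,L=Toronto,ST=Ontario,C=CA"
    dfe = "CN=def.acme.ca,OU=eBSSTIS,O=The ACME Company,L=Toronto,ST=Ontario,C=CA"
    for uri, dn in [("/uri/test1", abc), ("/uri/test1", dfe), ("/uri/test2/report", dfe),
                    ("/uri/test1", None), ("/public", dfe)]:
        print(f"{uri:20} {client_cn(dn) if dn else '<no cert>':16} -> {authorize(uri, dn)}")
```

Running the block prints one decision per constructed request; the same policy table can be extended with additional RDN checks (for example OU) if matching on CN alone is too coarse for a deployment where several parties hold certificates from the same issuer.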