Created
March 21, 2013 21:05
-
-
Save miohtama/5216738 to your computer and use it in GitHub Desktop.
Enabling SSLCACertificateFile and SSLVerifyClient for one page only in Apache 2.2+
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Apache configuration for running local browser against a locally running xxxx for manual smartcard testing | |
| # Listen 4433 | |
| <VirtualHost 127.0.0.1:4433> | |
| # Real men use mod_proxy | |
| DocumentRoot "/nowhere" | |
| ServerName local-apache | |
| ServerAdmin [email protected] | |
| SSLEngine on | |
| SSLOptions +StdEnvVars +ExportCertData | |
| # Server-side SSL configuration | |
| SSLCertificateFile /etc/apache2/certificate-test/server.crt | |
| SSLCertificateKeyFile /etc/apache2/certificate-test/server.key | |
| # Normal SSL site traffic does not require verify client | |
| SSLVerifyClient none | |
| SSLVerifyDepth 999 | |
| <IfModule mod_proxy.c> | |
| ProxyVia On | |
| # prevent the webserver from beeing used as proxy | |
| <LocationMatch "^[^/]"> | |
| Deny from all | |
| </LocationMatch> | |
| </IfModule> | |
| <Location /@@smartcard-activate-stage-two> | |
| # For real | |
| SSLVerifyClient require | |
| # For testing don't care about certificate integrity that much | |
| #SSLVerifyClient optional_no_ca | |
| SSLCACertificateFile /etc/apache2/certificate-test/ca.crt | |
| # Apache does not natively pass forward headers | |
| # created by SSLOptions +StdEnvVars, | |
| # so we pass them forward to Python using RequestHeader | |
| # from mod_headers | |
| RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e | |
| RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e | |
| </Location> | |
| <Location /@@smartcard-login> | |
| # For real | |
| SSLVerifyClient require | |
| SSLCACertificateFile /etc/apache2/certificate-test/ca.crt | |
| # Apache does not natively pass forward headers | |
| # created by SSLOptions +StdEnvVars, | |
| # so we pass them forward to Python using RequestHeader | |
| # from mod_headers | |
| RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e | |
| RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e | |
| </Location> | |
| # Connect to Plone ZEO client1 running on fg | |
| ProxyPass / http://localhost:8080/VirtualHostBase/https/local-apache:4433/xxxx/xxxxngta/VirtualHostRoot/ | |
| ProxyPassReverse / http://localhost:8080/VirtualHostBase/https/local-apache:4433/xxxx/xxxxngta/VirtualHostRoot/ | |
| </VirtualHost> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Good example, thank you.
Please note though, that
SSLCACertificateFilewouldn't work per location in apache 2.4, so it should be put at the host level.