Allowing users in from an IP address without certificate client authentication
Here is how I implemented that (xxx.xxx.xxx.xxx - allow access for this address without cert):
SSLVerifyClient optional
SSLOptions -FakeBasicAuth +StrictRequire -StdEnvVars -ExportCertData
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
RewriteRule ^ - [F]
Note that SSLVerifyClient should NOT be in directory context:
In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.
Presumably, inside your network, the server has a different (internal, private) IP than when accessed from the outside.
In that case, it would be simplest to set up two vhosts - one on in.ter.nal.ip:443, and one on ex.ter.nal.ip:443.
Require client certificates only on the external vhost.
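A sketch of the two-vhost layout described above, as an added example that is not part of the original answer. The ServerName, certificate paths and client CA file are placeholder assumptions, and in.ter.nal.ip / ex.ter.nal.ip stand for the server's real addresses.

```apache
# Internal listener: reachable only from inside the network, so no client
# certificate is requested. Anything that can reach this address gets in
# without a certificate, so it must not be exposed through NAT or port
# forwarding.
<VirtualHost in.ter.nal.ip:443>
    ServerName app.example.test                  # placeholder name
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt    # placeholder path
    SSLCertificateKeyFile /path/to/server.key    # placeholder path
    SSLVerifyClient none
</VirtualHost>

# External listener: the TLS handshake fails unless the client presents a
# certificate that chains to the configured client CA.
<VirtualHost ex.ter.nal.ip:443>
    ServerName app.example.test                  # placeholder name
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt    # placeholder path
    SSLCertificateKeyFile /path/to/server.key    # placeholder path
    # Set at vhost level, so verification happens in the initial handshake
    # and no per-directory renegotiation is triggered.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile  /path/to/client-ca.crt # placeholder path
</VirtualHost>
```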