Allowing users in from an IP address without certificate client authentication

certificate apache-2.2 ssl

Here is how I implemented that(xxx.xxx.xxx.xxx - allow access for this address without cert) :

  SSLVerifyClient optional
  SSLOptions -FakeBasicAuth +StrictRequire -StdEnvVars -ExportCertData
  SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

  RewriteEngine on
  RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
  RewriteCond %{REMOTE_ADDR} !^xxx.xxx.xxx.xxx$
  RewriteRule   ^  -  [F]

Note that SSLVerifyClient should NOT be in directory context:

In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.


Presumably, inside your network, the server has a different (internal, private) IP than when accessed from the outside.

In that case, it would be simplest to set up two vhosts - one on in.ter.nal.ip:443, and one on ex.ter.nal.ip:443.

Require client certificates only on the external vhost.

Related

Send objectGUID as an AD FS 2.0 Claim
Amazon EC2 notifying the instance when the autoscale service terminates it
Global zones visible in all views
Apache Virtual Hosts with SSL
Can not RDP to Win 2003 box or initiate remote restart
IIS6 intranet site using integrated authentication fails to load when accessed externally
Local transparent proxy
Possible to use Powershell to detect if an HP server has a bad drive?
Hyper-V Containers are going to allow running of Linux Containers?
push commits to git (gitolite) repository messes up file permissions (no more trac access)
How can I set the NTFS permissions on a folder for a WORM like behaviour
Ganglia without multicast