Allowing users in from an IP address without certificate client authentication

Here is how I implemented that (xxx.xxx.xxx.xxx - allow access for this address without cert):

  # Ask for a client cert but do not fail the handshake if none is presented
  SSLVerifyClient optional
  SSLOptions -FakeBasicAuth +StrictRequire -StdEnvVars -ExportCertData
  SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

  # Forbid (403) unless the cert verified OR the request comes from the allowed address
  # (dots are escaped so they match a literal "." in the regex)
  RewriteEngine on
  RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
  RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
  RewriteRule   ^  -  [F]

Note that SSLVerifyClient should NOT be in directory context:

In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.


Presumably, inside your network, the server has a different (internal, private) IP than when accessed from the outside.

In that case, it would be simplest to set up two vhosts - one on in.ter.nal.ip:443, and one on ex.ter.nal.ip:443.

Require client certificates only on the external vhost.
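Spelled out as an Apache config (an added example, not part of either answer above): two vhosts bound to the answer's in.ter.nal.ip / ex.ter.nal.ip placeholders, with SSLVerifyClient require only on the external one. The ServerName values and certificate/CA file paths are assumed placeholders.

```apache
# Added example (not from the answer above): two vhosts on one server,
# client certificates required only on the externally reachable address.
# in.ter.nal.ip / ex.ter.nal.ip are the answer's placeholders; the
# certificate, key and CA paths below are placeholders too.
Listen in.ter.nal.ip:443
Listen ex.ter.nal.ip:443

# Internal vhost: TLS, but no client certificate verification at all.
<VirtualHost in.ter.nal.ip:443>
    ServerName internal.example.com
    DocumentRoot /var/www/app

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLVerifyClient none
</VirtualHost>

# External vhost: the handshake fails unless the client presents a
# certificate chaining to a CA listed in SSLCACertificateFile.
<VirtualHost ex.ter.nal.ip:443>
    ServerName www.example.com
    DocumentRoot /var/www/app

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Kept in vhost context (not <Directory>), so no mid-request
    # renegotiation is needed to raise the verification level.
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

Requests arriving on the internal address are never asked for a certificate, so no RewriteCond on REMOTE_ADDR is needed with this layout.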