Help With Per File/Folder Restriction Based on HTTPS Client Certificate's CN

Status
Not open for further replies.

kevinds
IS-IT--Management
May 13, 2017
CA
Howdy,

There are many guides online for setting up client-based SSL for websites.

One of the best I've seen so far is dwheeler.com/essays/apache-cac-configuration.html

Now my question is this, and I am sure it is something simple: how do I set up a server to grant access on a per-file basis, depending on the CN of the client?

If CN=kevinds, how can I allow access only to secure.example.com/kevinds.html, and CN=tuttle only to secure.example.com/tuttle.html, but not have CN=tuttle access secure.example.com/kevinds.html?

Per-directory is OK if I have to (secure.example.com/kevinds/kevinds.html), but I would prefer to keep all files in the same directory.

I keep finding examples of how to allow any client signed by the CA access to all files, which would work if there were only one certificate accessing the server.

Code:
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName   secure.example.com
    DocumentRoot /var/www/vhosts/secure

    # TLS must be switched on per vhost; without this the SSL* directives below are inert.
    SSLEngine on
    SSLRequireSSL

## I have a feeling I should be putting the SSLCertificate lines under the NameVirtualHost rather than VirtualHost?
    SSLCertificateFile      [Filename for server certificate]
    SSLCertificateKeyFile   [Filename for server certificate private key]
    SSLCertificateChainFile [Filename for root chain certificate]

    # Client certificate verification: every request on this vhost must present a
    # certificate that chains to a CA in SSLCACertificateFile.
    SSLCACertificateFile [Same file as SSLCertificateChainFile?  Is this needed?]
    SSLVerifyClient      require
## Will have to test but 10 should be sufficient to start?
    SSLVerifyDepth       10

    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    # FakeBasicAuth takes no argument: it turns the client certificate's full subject DN
    # into the Basic-auth user name and uses the fixed password "password"
    # (crypt form xxj31ZMTZzkVA) for every entry in AuthUserFile.
    SSLOptions +FakeBasicAuth +StrictRequire

## This next part is the part I believe I have to tweak??  This allows everyone with a cert access rather than just the user to their specific file
    AuthType          Basic
    AuthBasicProvider file
    AuthUserFile      /var/www/vhosts/secure.txt
    Require           valid-user
</VirtualHost>

Am I close? Way off? I've been at this for a few hours. I feel like I am close now, but still far enough off that I need to ask for help.

> Minor issue: anybody know how to change my profile to TechnicalUser? lol, I don't see a way yet to edit this.
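The per-file mapping the post asks for does not need a password file at all: with Apache 2.4, mod_ssl exposes the client certificate's fields to the expression parser, so the authorization decision can compare the requested path against the CN directly. The vhost below is an added example written for this thread, not the poster's configuration and not from the dwheeler.com guide. It assumes Apache 2.4 with mod_ssl and mod_authz_core loaded, a private CA that issues the client certificates at /etc/ssl/certs/client-ca.pem, and server certificate paths as shown; all of those paths are placeholders.

```apache
<VirtualHost *:443>
    ServerName   secure.example.com
    DocumentRoot /var/www/vhosts/secure

    SSLEngine on
    # Server certificate with any intermediates appended (SSLCertificateChainFile is
    # deprecated from 2.4.8 on); assumed paths.
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key

    # CA that issued the *client* certificates. This is independent of the server's
    # own chain. Anyone holding a CA key listed here can mint a certificate with any
    # CN they like, so this must be a private CA, never a public one.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient       require
    # Depth 2 allows client cert -> intermediate -> root; raise only if the CA is deeper.
    SSLVerifyDepth        2

    # Cipher policy belongs in the handshake settings, not in a per-request SSLRequire.
    SSLProtocol    all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Record which certificate made each request so denials can be investigated.
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b" clientcn
    CustomLog /var/log/apache2/secure_access.log clientcn

    <Directory "/var/www/vhosts/secure">
        Options -Indexes
        # Default deny: a valid certificate alone grants nothing.
        Require all denied

        # Grant access only when the request path is exactly /<CN>.html.
        #  - SSL_CLIENT_VERIFY guards against this block being reused under
        #    "SSLVerifyClient optional".
        #  - The CN is restricted to a safe character set so a CN containing "/" or
        #    ".." can never be assembled into a path to someone else's file.
        #  - REQUEST_URI is compared as a whole string, so /tuttle.html is refused
        #    to CN=kevinds even though both files live in the same directory.
        <Files "*.html">
            Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_S_DN_CN} =~ /^[A-Za-z0-9_-]+$/ && %{REQUEST_URI} == '/' . %{SSL_CLIENT_S_DN_CN} . '.html'"
        </Files>
    </Directory>
</VirtualHost>
```

The inner Require replaces the outer "Require all denied" for matching files (AuthMerging is Off by default), so every other path in the directory stays denied. To check it, present the kevinds certificate with curl (curl --cert kevinds.pem --key kevinds.key https://secure.example.com/kevinds.html) and expect 200, then request /tuttle.html with the same certificate and expect 403; a client with no certificate should fail the TLS handshake before any file is considered. If per-user directories are preferred later, the same expression works with the path rule changed to "/" . %{SSL_CLIENT_S_DN_CN} . "/" as a prefix match.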
 