Tuesday, April 06, 2010
Client certificates in Apache
I've been spending an inordinate amount of time playing around with Apache, starting with mod_lua, which led me to reconfigure both Apache 2.0.52 (which came installed by default) and Apache 2.3.5 (compiled from source, because mod_lua is only available for Apache 2.3) so they could run at the same time. This led to using IPv6 because I have almost two dozen “sites” running locally (and as I've found, it's just as easy to use IPv6 addresses as it is IP addresses, although the DNS PTR records get a little silly).
This in turn led to installing more secure sites locally, because I can (using TinyCA makes it trivial actually), and this led to a revamp of my secure site (note: the link takes you to an unsecure page—the actual secure site uses a certificate signed by my “certificate authority” which means you'll get a warning which can be avoided by installing the certificate from the unsecure site). And from there, I learned a bit more about authenticating with client certificates. Specifically, isolating certain pages to just individual users.
So, to configure client side certificates, you need to create a client certificate (easy with TinyCA as it's an option when signing a request) and install it in the browser. You then need to install the certificate authority certificate so that Apache can use it to authenticate against the client certificate (um … yeah). In the Apache configuration file, just add:
SSLCACertificateFile /path/to/ca.crt
Then add the appropriate mod_ssl options to the secure site (client-side authentication only works with secure connections). For example, here's my configuration:

    <VirtualHost 66.252.224.242:443>
        ServerName   secure.conman.org
        DocumentRoot /home/spc/web/sites/secure.conman.org/s-htdocs
        # ...
        <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
            SSLRequireSSL
            SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
                   and %{SSL_CLIENT_S_DN_OU} eq "Clients"
            SSLVerifyClient require
            SSLVerifyDepth  5
        </Directory>
    </VirtualHost>
And in order to protect a single file with more stringent controls (and here for example, is my bookmarks file):

    <VirtualHost 66.252.224.242:443>
        # ...
        <Location /library/bookmarks.html>
            SSLRequireSSL
            SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
                   and %{SSL_CLIENT_S_DN_CN} eq "Sean Conner"
            SSLVerifyClient require
            SSLVerifyDepth  5
        </Location>
    </VirtualHost>
The <Files> directive in Apache didn't work—I suspect because the <Directory> directive is processed first and it allows anybody from the unit “Clients” access and thus any <Files> directives are ignored, whereas <Location> directives are processed before <Directory> directives, and thus anyone not me is denied access to my bookmarks.
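To make the setup above concrete, here is an added example (not from the post, and not TinyCA's own code) that does with openssl(1) what TinyCA does through its menus: create the CA whose certificate goes into SSLCACertificateFile, issue a client-authentication certificate whose O and OU are what the SSLRequire expressions test, run the same chain check mod_ssl performs under SSLVerifyClient require, and bundle the result as a PKCS#12 file for the browser. It also mirrors the two SSLRequire rules as a shell function so you can see that a second client in the “Clients” unit gets the library but not the bookmarks file. The organisation name “Example Labs”, the client names, the file names and the PKCS#12 password are constructed sample values, and the script assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example: what TinyCA does for a client certificate, done with openssl(1),
# plus a shell mirror of the post's two SSLRequire policies.
# Assumes openssl in PATH. "Example Labs", client names, paths and the PKCS#12
# password are sample values, not the blog's real CA.
set -eu

# make_ca DIR: self-signed CA; DIR/ca.crt is what SSLCACertificateFile points at.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Labs/CN=Example Labs CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_client_cert DIR NAME CN: key, CSR, CA-signed client-auth certificate and a
# PKCS#12 bundle to import into the browser. O and OU are the subject attributes
# the SSLRequire expressions in the post compare against.
make_client_cert() {
    dir=$1 name=$2 cn=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Labs/OU=Clients/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # Mark the certificate as an end-entity client-authentication certificate.
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/client.ext" -out "$dir/$name.crt" 2>/dev/null
    # The chain and purpose check mod_ssl performs under SSLVerifyClient require.
    openssl verify -purpose sslclient -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -passout pass:changeit -out "$dir/$name.p12"
}

# dn_field CERT ATTR: one subject attribute (O, OU or CN), i.e. the value mod_ssl
# exposes as SSL_CLIENT_S_DN_<ATTR>.
dn_field() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,sname |
        sed -n "s/^ *$2 *= *//p"
}

# policy_allows CERT PATH: the post's two rules. The <Location> rule for the one
# bookmarks file wins over the <Directory> rule for the rest of /library.
# Prints "allow" or "deny" and returns 0 or 1 accordingly.
policy_allows() {
    o=$(dn_field "$1" O) ou=$(dn_field "$1" OU) cn=$(dn_field "$1" CN)
    case $2 in
        /library/bookmarks.html)
            [ "$o" = "Example Labs" ] && [ "$cn" = "Sean Conner" ] ;;
        /library/*)
            [ "$o" = "Example Labs" ] && [ "$ou" = "Clients" ] ;;
        *)  false ;;
    esac && { echo allow; return 0; } || { echo deny; return 1; }
}
```

Run it as `make_ca /tmp/demo; make_client_cert /tmp/demo sean "Sean Conner"`, then import /tmp/demo/sean.p12 into the browser and point SSLCACertificateFile at /tmp/demo/ca.crt. The `-purpose sslclient` check is worth keeping in your own tooling: a certificate that chains correctly but lacks the clientAuth extended key usage is exactly the kind of thing a browser will refuse to present without telling you why.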
Now, I just need to figure out what to do about some recent updates to Apache, since I have some “old/existing clients” to support (namely, Firefox 2 on my Mac, which I can't upgrade because I'm stuck at 10.3.9 on the system, because the DVD player is borked … )