Markus Grill wrote:
>
> Hi,
>
> After a few tries I got it to create client certificates.
> Further, I set the SSLVerifyClient to 2 in the httpd.conf,
> so the webserver only allows access to the web with a valid
> certificate.....
>
> In this situation I have two questions:
> a) Is it possible to grant only specific directories the access with
> a valid certificate while the rest of the webspace is granted to all,
> or do I need several (virtual) webservers for that purpose?
Use something like:

    SSLFakeBasicAuth
    <Directory /apache/hosts/special_services>
    AllowOverride none
    AuthUserFile /apache/authfiles/special_services/ssl_users
    AuthType Basic
    AuthName Some Really Restricted Stuph
    require valid-user
    </Directory>

to determine who can do what/where. The auth file will look something
like this:

    "/C=uk/L=london/O=the company/OU=creative dept/CN=trusted user/Email=luser@aol.com:xxj31ZMTZzkVA"
    "/C=uk/L=brighton/O=another company/OU=thingy dept/CN=trusted bloke/Email=bloke@aol.com:xxj31ZMTZzkVA"

Note that each user is all on one line (in case your/my mailer's broken
it up) and the double quotes became important in Apache 1.3. The
password is always the same (see Ben's Apache-SSL notes).
>
> b) Setting SSLVerifyClient to 2, I know that only users with a client
> certificate can access my webspace, but is it possible to check
> which users (identified by their certificate) do which action? And
> is it possible that a user can post a form, 'signing' this form with
> his private key, so I know for sure that this form was really submitted
> by him?
As you are using client certificates (which you issued), validated
against a CA cert, you can rely on the X509 provided by the client when
they connect to determine who did (or can do) what.
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
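As an added illustration of the two points above (not code from the thread, Apache-SSL or its author): the snippet below builds and reads an AuthUserFile in the SSLFakeBasicAuth layout the reply shows, where the user name is the client certificate's subject DN and the password field is always the fixed crypt string `xxj31ZMTZzkVA`, and it resolves a presented DN back to an entry so the audit question ("which user did which action") can be answered from the verified certificate. The two DNs are the constructed examples from the message; the quoting style (double quotes around the whole line) follows the reply, the function names and the RDN splitting helper are this example's own assumptions, and splitting on `/` assumes no RDN value itself contains a slash.

```python
"""Build and query an SSLFakeBasicAuth-style user file keyed on certificate subject DNs."""

# Fixed crypt string SSLFakeBasicAuth presents as the password for every
# certificate-identified user (taken from the message; not a real secret,
# which is why the file must be protected by who can present a valid cert).
FAKE_BASIC_AUTH_PASSWORD = "xxj31ZMTZzkVA"

# Constructed sample DNs, copied from the example in the reply above.
SAMPLE_DNS = [
    "/C=uk/L=london/O=the company/OU=creative dept/CN=trusted user/Email=luser@aol.com",
    "/C=uk/L=brighton/O=another company/OU=thingy dept/CN=trusted bloke/Email=bloke@aol.com",
]


def auth_file_line(subject_dn):
    """One user-file line: the quoted DN, a colon, and the fixed crypt string."""
    if "\n" in subject_dn or "\r" in subject_dn:
        raise ValueError("a subject DN must occupy exactly one line")
    if '"' in subject_dn:
        raise ValueError("double quotes inside a DN would break the quoted line format")
    # Quotes matter in Apache 1.3 because the DN contains spaces and slashes.
    return '"%s:%s"' % (subject_dn, FAKE_BASIC_AUTH_PASSWORD)


def build_auth_file(subject_dns):
    """Render a complete AuthUserFile body, one user per line."""
    return "".join(auth_file_line(dn) + "\n" for dn in subject_dns)


def parse_auth_file(text):
    """Map subject DN -> crypt string, accepting lines quoted as a whole or not at all."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"') and line.endswith('"'):
            line = line[1:-1]
        # The DN contains no colon, so the last colon separates the password field.
        dn, sep, pw = line.rpartition(":")
        if not sep:
            raise ValueError("malformed auth line: %r" % raw)
        users[dn.strip('"')] = pw.strip('"')
    return users


def lookup_user(auth_text, presented_dn):
    """Return the DN entry matching a client's verified subject DN, or None.

    The presented DN must already come from a certificate the server validated
    against its CA cert; this function only answers 'is this identity listed'.
    """
    entry = parse_auth_file(auth_text).get(presented_dn)
    if entry is None or entry != FAKE_BASIC_AUTH_PASSWORD:
        return None
    return presented_dn


def rdn_fields(subject_dn):
    """Split an OpenSSL one-line DN into a dict (e.g. CN, Email) for audit logging.

    Assumes no RDN value contains '/', the known ambiguity of this text format.
    """
    fields = {}
    for part in subject_dn.split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        fields[key] = value
    return fields


if __name__ == "__main__":
    body = build_auth_file(SAMPLE_DNS)
    print(body, end="")
    who = lookup_user(body, SAMPLE_DNS[0])
    print("matched:", rdn_fields(who)["CN"] if who else None)
```

In practice the DN string you feed to `lookup_user` is the one the server already verified for the connection, so the user file decides authorisation only, while the signed TLS handshake is what establishes identity; a signed form body, as asked in question b), is a separate mechanism that this file format does not provide.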