Apache Security - Ivan Ristic [95]

A common choice when two-factor authentication is needed is to use private client certificates. To authenticate against such a system, you must know a password (the client certificate passphrase, a Type 1 factor) and possess the certificate (a Type 2 factor).

Chapter 4 discusses cryptography, SSL, and client certificates. Here, I bring a couple of authentication-related points to your attention. Only two directives are needed to start asking clients to present their private certificates provided everything else SSL-related has been configured:

SSLVerifyClient require
SSLVerifyDepth 1

Combined with the SSLRequireSSL directive, which enforces SSL-only access for a host or a directory, this ensures that only strong authentication takes place.

The SSLRequire directive allows fine access control using arbitrarily complex boolean expressions and any of the Apache environment variables. The following (added to a directory context somewhere) will limit access to a web site only to customer services staff and only during business hours:

SSLRequire ( %{SSL_CLIENT_S_DN_OU} eq "Customer Services" ) and \
           ( %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 ) and \
           ( %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 19 )

* * *

Warning

SSLRequire works only for SSL-enabled sites. Attempts to use this directive to perform access control for nonencrypted sites will silently fail because the expressions will not be evaluated. Use mod_rewrite for non-SSL sites instead.

* * *

The full reference for the SSLRequire directive is available in the Apache documentation:

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslrequire

Network Access Control

Network access control is performed with the help of the mod_access module. Directives Allow and Deny are used to allow or deny access to a directory. Each directive takes a hostname, an IP address, or a fragment of either of the two. (Fragments will be taken to refer to many addresses.) A third directive, Order, determines the order in which allow and deny actions are evaluated. This may sound confusing and it is (always has been to me), so let us see how it works in practice.

To allow access to a directory from the internal network only (assuming the network uses the 192.168.254.x network range):

Order Deny,Allow
Deny from all
Allow from 192.168.254.

You are not required to use IP addresses for network access control. The following identification formats are allowed:

Identification format            Meaning
192.168.254.125                  Just one IP address
192.168.254                      Whole network segment, one C class
192.168.254.0/24                 Whole network segment, one C class
192.168.254.0/255.255.255.0      Whole network segment, one C class
ivanr.thinkingstone.com          Just one IP address, resolved at runtime
.thinkingstone.com               IP address of any subdomain, resolved at runtime

* * *

Tip

A performance penalty is incurred when domain names are used for network access control because Apache must perform a reverse DNS lookup to convert the client's IP address into a name. In fact, Apache then performs a forward lookup as well, to confirm that the name resolves back to the same IP address. This is necessary because many names are sometimes associated with one IP address (for example, in name-based shared hosting).

* * *

Do the following to let anyone but the users from the internal network access the directory:

Order Allow,Deny
Allow from all
Deny from 192.168.254.

The addresses in Allow and Deny can overlap. This feature can be used to create exceptions for an IP address or an IP address range, as in the following example, where access is allowed to users from the internal network but is explicitly forbidden to the user whose workstation uses the IP address 192.168.254.125:

Order Allow,Deny
Allow from 192.168.254.
Deny from 192.168.254.125
# Access will be implicitly denied to requests
# that have not been explicitly allowed.

With Order set to Allow,Deny, access is denied by default;
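The following Python evaluator is an added example, not code from the book or from Apache: it reproduces the mod_access address forms from the table above and the two Order semantics, and runs the three configurations from this section against sample clients so the outcome can be checked without a server. It assumes the caller supplies the client's hostname only after the reverse-then-forward DNS check described in the tip (None when no name is available).

```python
import ipaddress

def match_pattern(pattern, ip, hostname=None):
    """Does one Allow/Deny argument match a client? Supports the forms from the table above."""
    if pattern == "all":
        return True
    if "/" in pattern:                          # 192.168.254.0/24 or 192.168.254.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():      # full or partial dotted quad, e.g. 192.168.254.
        wanted = pattern.strip(".").split(".")
        # Partial addresses are compared per octet, so 192.168.25 does not match 192.168.254.x
        return str(ip).split(".")[:len(wanted)] == wanted
    if pattern.startswith("."):                 # domain suffix: any host under that domain
        return hostname is not None and hostname.endswith(pattern)
    return hostname == pattern                  # exact hostname

def decide(order, allow, deny, client_ip, hostname=None):
    """Return True if mod_access would grant the request, False if it would refuse it.

    hostname: client name as verified by Apache's reverse-then-forward lookup (assumed
    to be done by the caller); None means hostname patterns never match.
    """
    ip = ipaddress.ip_address(client_ip)
    allowed = any(match_pattern(p, ip, hostname) for p in allow)
    denied = any(match_pattern(p, ip, hostname) for p in deny)
    if order == "Deny,Allow":
        # Deny is evaluated first, then Allow: an Allow match overrides a Deny
        # match, and a client matching neither list is let in (default allow).
        return allowed or not denied
    if order == "Allow,Deny":
        # Allow is evaluated first, then Deny: a Deny match overrides an Allow
        # match, and a client matching neither list is refused (implicit deny).
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

# The three configurations from the text as (Order, Allow list, Deny list).
INTERNAL_ONLY = ("Deny,Allow", ["192.168.254."], ["all"])
EVERYONE_BUT_INTERNAL = ("Allow,Deny", ["all"], ["192.168.254."])
INTERNAL_EXCEPT_ONE = ("Allow,Deny", ["192.168.254."], ["192.168.254.125"])

if __name__ == "__main__":
    configs = [("internal only", INTERNAL_ONLY), ("everyone but internal", EVERYONE_BUT_INTERNAL),
               ("internal except .125", INTERNAL_EXCEPT_ONE)]
    for label, cfg in configs:
        for client in ["192.168.254.10", "192.168.254.125", "203.0.113.9"]:  # constructed sample clients
            print(f"{label:22} {client:16} -> {'allow' if decide(*cfg, client) else 'deny'}")
```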
