I need to allow access to my site without SSL certificates from my office network and with SSL certificates outside.
Here is my configuration:
<Directory /srv/www>
    AllowOverride All
    Order deny,allow
    Deny from all
    # office network static IP
    Allow from xxx.xxx.xxx.xxx
    SSLVerifyClient require
    SSLOptions +FakeBasicAuth
    AuthName "My secure area"
    AuthType Basic
    AuthUserFile /etc/httpd/ssl/index
    Require valid-user
    Satisfy Any
</Directory>
When I'm inside the network and have a certificate, I can access it. When I'm inside the network and don't have a certificate, I can't access it; it requires a certificate.
When I'm outside the network and have a certificate, I can't access it; it shows me the basic login screen. When I'm outside the network and don't have a certificate, I can't access it; it shows me the basic login screen.
And the following configuration works perfectly:
<Directory /srv/www>
    AllowOverride All
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
    AuthUserFile /srv/www/htpasswd
    AuthName "Restricted Access"
    AuthType Basic
    Require valid-user
    Satisfy Any
</Directory>
Here is how I implemented that (xxx.xxx.xxx.xxx - allow access for this address without cert):
Note that SSLVerifyClient should NOT be in directory context:
Presumably, inside your network, the server has a different (internal, private) IP than when accessed from the outside.
In that case, it would be simplest to set up two vhosts - one on in.ter.nal.ip:443, and one on ex.ter.nal.ip:443.
Require client certificates only on the external vhost.
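A sketch of the two-vhost layout described in the answer above, added here as an example and not taken from the original post. The addresses are the answer's own placeholders, the server and CA certificate paths are hypothetical, and the FakeBasicAuth settings are carried over from the question.

```apache
# The server must listen on port 443 on both addresses.
# in.ter.nal.ip / ex.ter.nal.ip are placeholders from the answer;
# the certificate, key and CA paths below are hypothetical.

# Internal vhost: bound to the private address only, no client certificate.
# The address binding is the only access control here, so the private
# address must not be routable from outside the office network.
<VirtualHost in.ter.nal.ip:443>
    DocumentRoot /srv/www
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLVerifyClient none
</VirtualHost>

# External vhost: the TLS handshake itself requires a client certificate
# issued by the CA in SSLCACertificateFile. SSLVerifyClient sits at vhost
# level, so verification happens once during the initial handshake.
<VirtualHost ex.ter.nal.ip:443>
    DocumentRoot /srv/www
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Directory /srv/www>
        # Map the certificate subject DN to a user, as in the question.
        SSLOptions +FakeBasicAuth
        AuthName "My secure area"
        AuthType Basic
        AuthUserFile /etc/httpd/ssl/index
        Require valid-user
    </Directory>
</VirtualHost>
```

After reloading, `apachectl -S` lists which vhost is bound to which address, which is a quick way to confirm that the certificate-free vhost is not answering on the external IP.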
I was surprised to find this works in Apache 2.4: