Home / server / Questions / 732880
Accepted
topherg
Asked: 2015-10-31 12:24:15 +0800 CST

Only require Client Certificate for requests not coming from a specific IP

  • 772

I have an Apache 2.4 server running as an SSL Reverse Proxy for a number of servers I have running, and I am introducing some Client Certificate Authentication for this.

However, there are many automated services that use this gateway and cannot be modified to use Client Certificates for authentication, but still require the Reverse Proxy.

Presently, to turn on Client Certificates, I am using:

SSLCADNRequestFile /.../my_ca.crt

SSLVerifyClient require

<Location />
    SSLOptions      +FakeBasicAuth
    AuthName        "Auth Only Area"
    AuthType        Basic
    AuthUserFile    /.../clientAuth.htpasswd
    require         valid-user
</Location>

which works fine.

But, is there any way that I can skip this for any requests that come from (for example) the IP address 12.34.56.78?

ssl-certificate

1 Answers

  1. Best Answer

    Just found the solution, was about to clear my question, but thought it might help someone one day...

    SSLCADNRequestFile /.../ca.crt

<If "%{REMOTE_ADDR} != '12.34.56.78'">
    SSLVerifyClient require
</If>

<Location />
    SSLOptions      +FakeBasicAuth
    AuthName        "Auth Only Area"
    AuthType        Basic
    AuthUserFile    /.../clientAuth.htpasswd
    require         valid-user
</Location>
    • 1