
sslug-teknik team mailing list archive

apache2.2 httpS required except from a single IP

 

Hi

I am trying to set things up so that httpS with a client certificate is required for everyone except a single IP address.

I have followed the recipe at the bottom of
	http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

I am trying to set up access to nagios, so the configuration is stored in
/etc/apache2/conf.d/nagios

httpS works fine, it requires a client certificate as it should. The problem is
plain http access, which does not work, and no log message appears
that can explain to me why.

Neither in nagios_rewrite.log nor nagios_error.log nor error.log nor https_error.log

An entry does appear in the access log, both directly, but also from the host that should have
access. What on earth is going wrong?


# BEGIN FOR NAGIOS
# Bug 160681 and 162986 say that the ScriptAlias should be
#	/cgi-bin/nagios
# but some reports, 164925, (and the default config) say
# that it should be
#	/nagios/cgi-bin
# Anyone having problems with this, PLEASE dig deeper in WHY
# it won't work for you...

ErrorLog /var/log/apache2/nagios_error.log
LogLevel warn
CustomLog /var/log/apache2/nagios_access.log combined

RewriteEngine        on
RewriteLog /var/log/apache2/nagios_rewrite.log
RewriteLogLevel 1



ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios
ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios
<DirectoryMatch /usr/lib/cgi-bin/nagios>
SSLVerifyDepth 1
SSLVerifyClient      optional
SSLOptions           +StrictRequire
SSLRequire       %{SSL_CLIENT_S_DN_OU} eq "sysadm"

Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch

#   Force clients from the Internet to use HTTPS
RewriteEngine        on
RewriteCond          %{REMOTE_ADDR} !^192\.168\.123\.223$
RewriteCond          %{HTTPS} !=on
RewriteRule          .* - [F]

#   Allow Network Access and/or Basic Auth
Satisfy              any

	AllowOverride AuthConfig
	Order Allow,Deny
	Allow From All
</DirectoryMatch>

# Where the stylesheets (config files) reside
Alias /nagios/stylesheets /etc/nagios/stylesheets

# Enable this ScriptAlias if you want to enable the grouplist patch.
# See http://apan.sourceforge.net/download.html for more info
# It allows you to see a clickable list of all hostgroups in the
# left pane of the Nagios web interface
ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios/grouplist.cgi

# Where the HTML pages live(d)
Alias /netsaint /usr/share/nagios/htdocs
Alias /nagios /usr/share/nagios/htdocs
<DirectoryMatch /usr/share/nagios/htdocs>
SSLVerifyDepth 1
SSLVerifyClient      optional
SSLOptions           +StrictRequire
SSLRequire       %{SSL_CLIENT_S_DN_OU} eq "sysadm"

        Options +FollowSymLinks +SymLinksIfOwnerMatch

#   Force clients from the Internet to use HTTPS
RewriteEngine        on
RewriteCond          %{REMOTE_ADDR} !^192\.168\.123\.223$
RewriteCond          %{HTTPS} !=on
RewriteRule          .* - [F]

#   Allow Network Access and/or Basic Auth
Satisfy              any


	AllowOverride AuthConfig
	Order Allow,Deny
	Allow From All

</DirectoryMatch>
# END FOR NAGIOS


