06-07-2005 06:57 AM
Hello,
In a situation where SSL traffic is terminated on an SSL module,
and having clients which do client certification,
there are 2 contents available on the webserver:
one for certified users and one for both.
Is there a way to restrict a path of a URL to clients which performed a client cert?
And have all other content on that server available to both certified and not certified clients?
Sven
06-07-2005 07:11 AM
Sven,
how can you have clients doing client authentication and others bypassing authentication?
Do you have 2 rules?
Do you allow unauthenticated clients to go through?
Are you comparing clients doing SSL and clients using cleartext?
If this is the case, you should create 2 rules, one for decrypted traffic and one for cleartext traffic.
Users hitting the cleartext rule directly on a specific path would be redirected.
The same user hitting the decrypted rule would go through.
Gilles.
06-08-2005 01:14 AM
Hi Gilles,
I have not described my problem well at all.
Currently we are doing the SSL termination on a webserver.
There are two locations specified in the Apache config.
Like this:
<Location /webservices/onlytoca>
    SSLVerifyClient require
    SSLVerifyDepth 0
</Location>
So the path /webservices/onlyToCa is only allowed to clients which did a certification via client cert.
The /content is allowed to all.
I have to migrate to the SSL module because we need to analyse the URL for stickiness.
My question was, is there a way to restrict a URL path to clients which did a client certification?
I can set up the ssl-server to ignore certification failures.
Also, do you know about the HTTP header insert? Is the header also inserted if the client has not been certified via client cert, or only if the client performed a certification?
If not, a solution would be to have 3 content rules:
one which checks for the existence of an HTTP header which is set when the request is certified.
There I can limit the URL to /webservices/toCaOnly/*
one cr which allows any other content
one cr which sends a redirect to an error page. This one should only be accessed if the URL is /webservices/toCaOnly and the HTTP header is not set.
I hope I wrote it down clearly enough to understand.
Sven
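The three-content-rule design in the post above, modelled as an added example that is not code from this thread or from the CSS itself. It assumes the SSL module inserts a header (here the hypothetical name X-Client-Cert-Verified) only after a successful client-certificate handshake and that a client cannot supply that header itself; the rule names and the error page path are also made up for the example. The point it adds is that rule order matters and that the restricted prefix has to be matched on a canonicalised path, otherwise "/content/../webservices/toCaOnly/x" would fall into the catch-all rule.

```python
"""Model of three CSS-style content rules that gate a URL prefix on a
client-certificate header inserted by the SSL terminator (added example)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Prefix that only client-cert-authenticated clients may reach (from the thread).
RESTRICTED_ROOT = "/webservices/toCaOnly"
# Hypothetical header name; the real name is whatever the SSL module is
# configured to insert after a successful client-cert handshake.
CLIENT_CERT_HEADER = "x-client-cert-verified"
# Hypothetical error page used by the redirect rule.
ERROR_PAGE = "/error/client-cert-required.html"


def canonical_path(raw_url):
    """Reduce a request-URI to a normalised absolute path before matching.

    Drops the query string, percent-decodes once, and collapses '.', '..'
    and duplicate slashes so that prefix matching cannot be bypassed by
    encoding or traversal tricks in the path.
    """
    path = unquote(urlsplit(raw_url).path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def is_restricted(path):
    """True if the canonical path is the restricted root or lies below it."""
    return path == RESTRICTED_ROOT or path.startswith(RESTRICTED_ROOT + "/")


def has_cert_header(headers):
    """Case-insensitive presence check for the inserted header."""
    return any(name.lower() == CLIENT_CERT_HEADER for name in headers)


def match_content_rule(raw_url, headers):
    """Return (rule_name, action, target) for one decrypted request.

    Evaluation order mirrors the post: first the rule that requires the
    header on the restricted prefix, then the catch-all for everything
    outside that prefix, and finally the redirect rule, which therefore
    only ever sees restricted-path requests that lack the header.
    """
    path = canonical_path(raw_url)
    restricted = is_restricted(path)
    if restricted and has_cert_header(headers):
        return ("cr-toca-only", "forward", None)
    if not restricted:
        return ("cr-any-content", "forward", None)
    return ("cr-redirect-error", "redirect", ERROR_PAGE)


def apply_rules(requests):
    """Run a batch of (url, headers) pairs and return the chosen rule names."""
    return [match_content_rule(url, hdrs)[0] for url, hdrs in requests]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sample = [
        ("/webservices/toCaOnly/order?id=1", {"X-Client-Cert-Verified": "yes"}),
        ("/content/index.html", {}),
        ("/webservices/toCaOnly/order", {}),
        ("/content/../webservices/toCaOnly/x", {}),
        ("/webservices/toCaOnly/../content/a", {}),
    ]
    for (url, hdrs), rule in zip(sample, apply_rules(sample)):
        print(f"{url:45s} -> {rule}")
```

Running the block prints which rule each constructed request lands on; the traversal case ends up on the redirect rule only because the prefix test runs on the canonical path.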
06-08-2005 05:35 AM
Sven,
I think you should enforce users to do client authentication and, in case of failure, redirect the user to another VIP where client authentication is not required - could be the same IP but a different port like 444.
If you just allow users to go through if client authentication fails, I don't think the CSS will be able to distinguish a user that successfully passed authentication from one that failed.
If you insert text in the HTTP header, I'm not sure what should happen if the authentication fails.
Don't know if the text will still be included.
That's why I think a redirect on failure to another VIP would be easier to implement.
Regards,
Gilles.
06-08-2005 06:21 AM
Hello Gilles,
thanks for your fast response.
But that solution does not work for us.
As you may know, there are some credit card companies (Visa) which do some certification of system infrastructure with regard to security.
As far as I know, they only allow ports 80 and 443 into the DMZ. That's what we are limited to today.
So a request to 444 would never arrive at my CSS, because it is behind a firewall.
So all in all, there is no way to implement this on the CSS like the Apache webserver supports it.
I opened a case, but the TAC engineer gave me the advice to do it via the HTTP header rule and the HTTP header insertion.
Best Regards
Sven