
@trasherdk
Forked from miohtama/gist:5216738
Created October 28, 2021 04:19
Enabling SSLCACertificateFile and SSLVerifyClient for one page only in Apache 2.2+
# Apache configuration for running local browser against a locally running xxxx for manual smartcard testing
# Listen 4433
<VirtualHost 127.0.0.1:4433>
# Real men use mod_proxy
DocumentRoot "/nowhere"
ServerName local-apache
ServerAdmin [email protected]
SSLEngine on
SSLOptions +StdEnvVars +ExportCertData
# Server-side SSL configuration
SSLCertificateFile /etc/apache2/certificate-test/server.crt
SSLCertificateKeyFile /etc/apache2/certificate-test/server.key
# Normal SSL site traffic does not require verify client
SSLVerifyClient none
SSLVerifyDepth 999
# Strip any X-Client-* headers the browser sends. The two <Location>
# blocks below overwrite them with values from mod_ssl, but for every
# other path ProxyPass would forward a client-supplied X-Client-DN to
# the backend unchanged, so the backend must never see a spoofable copy.
RequestHeader unset X-Client-DN
RequestHeader unset X-Client-Verify
<IfModule mod_proxy.c>
ProxyVia On
# prevent the webserver from being used as a forward proxy:
# proxy requests carry an absolute URI, so the path does not start with "/"
# ("Deny from all" is 2.2 syntax; on 2.4 it needs mod_access_compat,
# the native form is "Require all denied")
<LocationMatch "^[^/]">
Deny from all
</LocationMatch>
</IfModule>
# Requiring a client certificate only below a <Location> means mod_ssl
# cannot ask for it during the initial handshake: it renegotiates once
# it has seen the request path (TLS 1.2 and earlier). TLS 1.3 has no
# renegotiation and needs post-handshake authentication support in
# mod_ssl and OpenSSL, otherwise requests to these paths fail.
<Location /@@smartcard-activate-stage-two>
# For real
SSLVerifyClient require
# For testing don't care about certificate integrity that much
# (the certificate is accepted without a CA check; SSL_CLIENT_VERIFY then
# reads "GENEROUS" instead of "SUCCESS", so the backend must not treat
# the forwarded DN as verified)
#SSLVerifyClient optional_no_ca
SSLCACertificateFile /etc/apache2/certificate-test/ca.crt
# Apache does not natively pass forward headers
# created by SSLOptions +StdEnvVars,
# so we pass them forward to Python using RequestHeader
# from mod_headers
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</Location>
<Location /@@smartcard-login>
# For real
SSLVerifyClient require
SSLCACertificateFile /etc/apache2/certificate-test/ca.crt
# Apache does not natively pass forward headers
# created by SSLOptions +StdEnvVars,
# so we pass them forward to Python using RequestHeader
# from mod_headers
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</Location>
# Connect to Plone ZEO client1 running on fg
ProxyPass / http://localhost:8080/VirtualHostBase/https/local-apache:4433/xxxx/xxxxngta/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/https/local-apache:4433/xxxx/xxxxngta/VirtualHostRoot/
</VirtualHost>
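The config forwards the client certificate DN and the verification result to the Python backend as plain request headers, and the backend has to decide when those headers can be believed. The following is an added example, not code from the gist or from the Plone site it proxies: a WSGI-side helper that trusts X-Client-DN only on the paths Apache wraps in SSLVerifyClient require (where mod_headers has overwritten whatever the browser sent) and only when X-Client-Verify is exactly SUCCESS. The path set, the environ dicts and the DN values are assumptions constructed for the example; the parser accepts both the RFC 2253 DN form mod_ssl emits by default and the older OpenSSL one-line form.

```python
"""Backend consumer for the X-Client-DN / X-Client-Verify headers set above.

Added example, not part of the gist: a WSGI-side helper that only trusts the
forwarded identity when Apache could actually have produced it.
"""
from typing import Dict, Optional

# Paths the vhost wraps in "SSLVerifyClient require" (mirror the <Location>
# blocks; the set itself is an assumption of this example).
SMARTCARD_PATHS = {"/@@smartcard-activate-stage-two", "/@@smartcard-login"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse SSL_CLIENT_S_DN into {attribute: value}.

    mod_ssl >= 2.3.11 emits RFC 2253 form ("CN=Alice,O=Example,C=FI");
    older builds, or SSLOptions +LegacyDNStringFormat, emit the OpenSSL
    one-line form ("/C=FI/O=Example/CN=Alice").  Both are accepted.  In the
    RFC 2253 form a backslash escapes the next character (so "\\," is a
    literal comma); the legacy form has no escaping, which is why a "/" in
    a value cannot be recovered from it.
    """
    if dn.startswith("/"):
        rdns = [p for p in dn.split("/") if p]
    else:
        rdns, cur, i = [], [], 0
        while i < len(dn):
            ch = dn[i]
            if ch == "\\" and i + 1 < len(dn):
                cur.append(dn[i + 1])
                i += 2
                continue
            if ch == ",":
                rdns.append("".join(cur))
                cur = []
            else:
                cur.append(ch)
            i += 1
        rdns.append("".join(cur))
    out: Dict[str, str] = {}
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        key, value = rdn.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def client_identity(environ: dict) -> Optional[Dict[str, str]]:
    """Return the verified client DN for a WSGI request, or None.

    The headers are trusted only when both hold:
      * the request path is one Apache wraps in SSLVerifyClient require,
        where "RequestHeader set" has overwritten anything the browser sent;
      * X-Client-Verify is exactly "SUCCESS".  mod_ssl also reports "NONE",
        "GENEROUS" (cert presented but not checked against the CA, e.g. with
        optional_no_ca) and "FAILED:<reason>"; none of those is an identity.
    """
    if environ.get("PATH_INFO", "") not in SMARTCARD_PATHS:
        return None
    if environ.get("HTTP_X_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = environ.get("HTTP_X_CLIENT_DN", "")
    return parse_dn(dn) if dn else None


# Constructed sample requests (WSGI environ dicts), not captured traffic.
VERIFIED_LOGIN = {
    "PATH_INFO": "/@@smartcard-login",
    "HTTP_X_CLIENT_VERIFY": "SUCCESS",
    "HTTP_X_CLIENT_DN": "CN=Alice Smith,O=Example,C=FI",
}
# Same headers injected by the client on an unprotected path: Apache never
# overwrote them, so they prove nothing.
SPOOFED_ON_OTHER_PATH = {
    "PATH_INFO": "/",
    "HTTP_X_CLIENT_VERIFY": "SUCCESS",
    "HTTP_X_CLIENT_DN": "CN=Alice Smith,O=Example,C=FI",
}
# What the test-only "optional_no_ca" setting produces (legacy DN form).
GENEROUS_LOGIN = {
    "PATH_INFO": "/@@smartcard-login",
    "HTTP_X_CLIENT_VERIFY": "GENEROUS",
    "HTTP_X_CLIENT_DN": "/C=FI/O=Example/CN=Alice Smith",
}


def demo() -> Dict[str, Optional[Dict[str, str]]]:
    """Evaluate the three constructed requests."""
    return {
        "verified": client_identity(VERIFIED_LOGIN),
        "spoofed": client_identity(SPOOFED_ON_OTHER_PATH),
        "generous": client_identity(GENEROUS_LOGIN),
    }


if __name__ == "__main__":
    for name, identity in demo().items():
        print(f"{name}: {identity}")
```

The path check is what makes the header scheme safe: outside the two protected locations Apache never sets X-Client-DN, so a value arriving there can only have come from the client. Behind Plone's VirtualHostBase rewriting the path the application sees may differ from PATH_INFO, so adapt the lookup to whatever the framework exposes.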