Client certificates in Apache

I've been spending an inordinate amount of time playing around with Apache [1], starting with mod_lua [2], which led me to reconfigure both Apache 2.0.52 (which came installed by default) and Apache 2.3.5 (compiled from source, because mod_lua is only available for Apache 2.3) so they could run at the same time. This led to using IPv6 (Internet Protocol version 6) because I have almost two dozen “sites” running locally (and as I've found, it's just as easy to use IPv6 addresses as it is IP (Internet Protocol) addresses, although the DNS (Domain Name Service) PTR records get a little silly [3]).

This in turn led to installing more secure sites locally, because I can (using TinyCA (Certificate Authority) [4] makes it trivial actually), and this led to a revamp of my secure site [5] (note: the link takes you to an unsecure page—the actual secure site [6] uses a certificate signed by my “certificate authority” which means you'll get a warning [7] which can be avoided by installing the certificate from the unsecure site). And from there, I learned a bit more about authenticating with client certificates [8]. Specifically, isolating certain pages to just individual users.

So, to configure client side certificates, you need to create a client certificate (easy with TinyCA as it's an option when signing a request) and install it in the browser. You then need to install the certificate authority certificate so that Apache can use it to authenticate against the client certificate (um … yeah). In the Apache configuration file, just add:

```
SSLCACertificateFile /path/to/ca.crt
```

Then add the appropriate mod_ssl [9] options to the secure site (client-side authentication only works with secure connections). For example, here's my configuration:

```
<VirtualHost 66.252.224.242:443>
ServerName secure.conman.org
DocumentRoot /home/spc/web/sites/secure.conman.org/s-htdocs
# ...
<Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
           and %{SSL_CLIENT_S_DN_OU} eq "Clients"
SSLVerifyClient require
SSLVerifyDepth 5
</Directory>
</VirtualHost>
```

And in order to protect a single file with more stringent controls (and here for example, is my bookmarks file):

```
<VirtualHost 66.252.224.242:443>
# ...
<Location /library/bookmarks.html>
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
           and %{SSL_CLIENT_S_DN_CN} eq "Sean Conner"
SSLVerifyClient require
SSLVerifyDepth 5
</Location>
</VirtualHost>
```

The <Files> directive in Apache didn't work—I suspect because the <Directory> directive is processed first and it allows anybody from the unit “Clients” access and thus any <Files> directives are ignored, whereas <Location> directives are processed before <Directory> directives, and thus anyone not me is denied access to my bookmarks.
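As an added example (not from the original post, and using plain openssl rather than TinyCA), here is a throwaway CA plus client certificate built in a scratch directory, so you can see exactly which subject fields mod_ssl will expose as SSL_CLIENT_S_DN_O, SSL_CLIENT_S_DN_OU and SSL_CLIENT_S_DN_CN before you write an SSLRequire rule against them, and check that the client certificate actually chains to the CA named in SSLCACertificateFile (which is what SSLVerifyClient require tests). The organisation, unit and common names below are constructed, not real certificates.

```shell
#!/bin/sh
# Constructed example: mint a scratch CA and a client certificate with openssl,
# then read back the subject attributes mod_ssl matches in SSLRequire.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory; override with WORK=...

make_ca() {
    # Self-signed CA; this is the file you would point SSLCACertificateFile at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Labs/CN=Example Labs CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

make_client() {
    # $1 = organizational unit (OU), $2 = common name (CN); both constructed values.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Labs/OU=$1/CN=$2" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -out "$WORK/client.crt" >/dev/null 2>&1
}

make_rogue() {
    # A self-signed certificate with the same subject but NOT issued by our CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Labs/OU=Clients/CN=Sean Conner" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

dn_field() {
    # $1 = certificate path, $2 = attribute (O, OU or CN).
    # Prints the value mod_ssl would place in SSL_CLIENT_S_DN_<attr>.
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n "s/^ *$2=//p" | head -n 1
}

verify_chain() {
    # Succeeds only if $1 chains to our CA: the same check SSLVerifyClient
    # require performs before SSLRequire ever looks at the subject fields.
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Demo run when executed directly.
make_ca
make_client "Clients" "Sean Conner"
make_rogue
for f in O OU CN; do
    printf 'SSL_CLIENT_S_DN_%s=%s\n' "$f" "$(dn_field "$WORK/client.crt" "$f")"
done
verify_chain "$WORK/client.crt" && echo "client.crt: chains to CA"
verify_chain "$WORK/rogue.crt" || echo "rogue.crt: rejected (not issued by CA)"
```

The point of the rogue certificate is that a matching subject DN alone is worthless: anyone can self-sign a certificate claiming O=Conman Laboratories, so the SSLRequire expression only means something because SSLVerifyClient require has already insisted the certificate chain to the trusted CA file. Keep SSLVerifyDepth no larger than your real CA hierarchy needs, so an unexpected intermediate cannot be slipped in.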

Now, I just need to figure out what to do about some recent updates to Apache [10], since I have some “old/existing clients” to support (namely, Firefox 2 on my Mac, which I can't upgrade because I'm stuck at 10.3.9 on the system, because the DVD (Digital Video Disc) player is borked … )

[1] http://httpd.apache.org/

[2] /boston/2010/04/03.1

[3] http://en.wikipedia.org/wiki/Reverse_DNS_lookup#IPv6_reverse_resolution

[4] http://tinyca.sm-zone.net/

[5] http://secure.conman.org/

[6] https://secure.conman.org/

[7] http://lwn.net/Articles/295810/

[8] /boston/2008/11/18.1

[9] http://httpd.apache.org/docs/2.0/mod/mod_ssl.html

[10] http://old.nabble.com/Reading-between-the-lines--changelog-td27799670.html
