github.com/krum110487/go-htaccess@v0.0.0-20240316004156-60641c8e7598/tests/data/apache_2_2_34/manual/ssl/ssl_howto.html.en

     1  <?xml version="1.0" encoding="ISO-8859-1"?>
     2  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     3  <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
     4  <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
     5  <!--
     6          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     7                This file is generated from xml source: DO NOT EDIT
     8          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     9        -->
    10  <title>SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.2</title>
    11  <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
    12  <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
    13  <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
    14  <script src="../style/scripts/prettify.min.js" type="text/javascript">
    15  </script>
    16  
    17  <link href="../images/favicon.ico" rel="shortcut icon" /><link href="http://httpd.apache.org/docs/current/ssl/ssl_howto.html" rel="canonical" /></head>
    18  <body id="manual-page"><div id="page-header">
    19  <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
    20  <p class="apache">Apache HTTP Server Version 2.2</p>
    21  <img alt="" src="../images/feather.gif" /></div>
    22  <div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
    23  <div id="path">
    24  <a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.2</a> &gt; <a href="./">SSL/TLS</a></div><div id="page-content"><div class="retired"><h4>Please note</h4>
    25              <p> This document refers to a legacy release (<strong>2.2</strong>) of Apache httpd. The active release (<strong>2.4</strong>) is documented <a href="http://httpd.apache.org/docs/current">here</a>. If you have not already upgraded, please follow <a href="http://httpd.apache.org/docs/current/upgrading.html">this link</a> for more information.</p>
    26          <p>You may follow <a href="http://httpd.apache.org/docs/current/ssl/ssl_howto.html">this link</a> to go to the current version of this document.</p></div><div id="preamble"><h1>SSL/TLS Strong Encryption: How-To</h1>
    27  <div class="toplang">
    28  <p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English">&nbsp;en&nbsp;</a></p>
    29  </div>
    30  
    31  <blockquote>
    32  <p>The solution to this problem is trivial
    33  and is left as an exercise for the reader.</p>
    34  
    35  <p class="cite">-- <cite>Standard textbook cookie</cite></p>
    36  </blockquote>
    37  
    38  <p>How to solve particular security problems for an SSL-aware
    39  webserver is not always obvious because of the interactions between SSL,
    40  HTTP and Apache's way of processing requests. This chapter gives
    41  instructions on how to solve some typical situations. Treat it as a first
    42  step to find out the final solution, but always try to understand the 
    43  stuff before you use it. Nothing is worse than using a security solution
    44  without knowing its restrictions and how it interacts with other systems.</p>
    45  </div>
    46  <div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#ciphersuites">Cipher Suites and Enforcing Strong Security</a></li>
    47  <li><img alt="" src="../images/down.gif" /> <a href="#accesscontrol">Client Authentication and Access Control</a></li>
    48  </ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
    49  <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
    50  <div class="section">
    51  <h2><a name="ciphersuites" id="ciphersuites">Cipher Suites and Enforcing Strong Security</a></h2>
    52  
    53  <ul>
    54  <li><a href="#realssl">How can I create a real SSLv2-only server?</a></li>
    55  <li><a href="#onlystrong">How can I create an SSL server which accepts strong encryption only?</a></li>
    56  <li><a href="#upgradeenc">How can I create an SSL server which accepts strong encryption only, but allows
    57  export browsers to upgrade to stronger encryption?</a></li>
    58  <li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but 
    59  requires a strong cipher for access to a particular URL?</a></li>
    60  </ul>
    61  
    62  <h3><a name="realssl" id="realssl">How can I create a real SSLv2-only server?</a></h3>
    63  
    64      <p>The following creates an SSL server which speaks only the SSLv2 protocol and
    65      its ciphers.</p>
    66  
    67      <div class="example"><h3>httpd.conf</h3><p><code>
    68        SSLProtocol -all +SSLv2<br />
    69        SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br />
    70      </code></p></div>
    71  
    72  
    73  <h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption
    74  only?</a></h3>
    75  
    76      <p>The following enables only the seven strongest ciphers:</p>
    77      <div class="example"><h3>httpd.conf</h3><p><code>
    78        SSLProtocol all<br />
    79        SSLCipherSuite HIGH:MEDIUM<br />
    80      </code></p></div>
    81  
    82  
    83  <h3><a name="upgradeenc" id="upgradeenc">How can I create an SSL server which accepts strong encryption
    84  only, but allows export browsers to upgrade to stronger encryption?</a></h3>
    85  
    86      <p>This facility is called Server Gated Cryptography (SGC) and requires 
    87      a Global ID server certificate, signed by a special CA certificate 
    88      from Verisign. This enables strong encryption in 'export' versions of 
    89      browsers, which traditionally could not support it (because of US export 
    90      restrictions).</p>
    91      <p>When a browser connects with an export cipher, the server sends its Global
    92      ID certificate. The browser verifies this, and can then upgrade its
    93      cipher suite before any HTTP communication takes place. The problem 
    94      lies in allowing browsers to upgrade in this fashion, but still requiring
    95      strong encryption. In other words, we want browsers to either start a 
    96      connection with strong encryption, or to start with export ciphers but 
    97      upgrade to strong encryption before beginning HTTP communication.</p>
    98      <p>This can be done as follows:</p>
    99      <div class="example"><h3>httpd.conf</h3><p><code>
   100        # allow all ciphers for the initial handshake,<br />
   101        # so export browsers can upgrade via SGC facility<br />
   102        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
   103        <br />
   104        &lt;Directory /usr/local/apache2/htdocs&gt;<br />
   105        # but finally deny all browsers which haven't upgraded<br />
   106        SSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128<br />
   107        &lt;/Directory&gt;
   108      </code></p></div>
   109  
   110  
   111  <h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts all types of ciphers
   112  in general, but requires a strong cipher for access to a particular
   113  URL?</a></h3>
   114  
   115      <p>Obviously, a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts 
   116      ciphers to the strong variants, isn't the answer here. However, 
   117      <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> can be reconfigured within <code>Location</code>
   118      blocks, to give a per-directory solution, and can automatically force
   119      a renegotiation of the SSL parameters to meet the new configuration.
   120      This can be done as follows:</p>
   121      <div class="example"><p><code>
   122        # be liberal in general<br />
   123        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
   124        <br />
   125        &lt;Location /strong/area&gt;<br />
   126        # but https://hostname/strong/area/ and below<br />
   127        # requires strong ciphers<br />
   128        SSLCipherSuite HIGH:MEDIUM<br />
   129        &lt;/Location&gt;
   130      </code></p></div>
   131  
   132  </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
   133  <div class="section">
   134  <h2><a name="accesscontrol" id="accesscontrol">Client Authentication and Access Control</a></h2>
   135  
   136  <ul>
   137  <li><a href="#allclients">How can I force clients to authenticate using certificates?</a></li>
   138  <li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a 
   139          particular URL, but still allow arbitrary clients to access the rest of the server?</a></li>
   140  <li><a href="#certauthenticate">How can I allow only clients who have certificates to access a
   141          particular URL, but allow all clients to access the rest of the server?</a></li>
   142  <li><a href="#intranet">How can I require HTTPS with strong ciphers, and either
   143  basic authentication or client certificates, for access to part of the
   144  Intranet website, for clients coming from the Internet?</a></li>
   145  </ul>
   146  
   147  <h3><a name="allclients" id="allclients">How can I force clients to authenticate using certificates?</a></h3>
   148  
   149  
   150      <p>When you know all of your users (e.g., as is often the case on a corporate
   151      Intranet), you can require plain certificate authentication. All you
   152      need to do is to create client certificates signed by your own CA
   153      certificate (<code>ca.crt</code>) and then verify the clients against this
   154      certificate.</p>
   155      <div class="example"><h3>httpd.conf</h3><p><code>
   156        # require a client certificate which has to be directly<br />
   157        # signed by our CA certificate in ca.crt<br />
   158        SSLVerifyClient require<br />
   159        SSLVerifyDepth 1<br />
   160        SSLCACertificateFile conf/ssl.crt/ca.crt
   161      </code></p></div>
   162  
   163  
   164  <h3><a name="arbitraryclients" id="arbitraryclients">How can I force clients to authenticate using certificates for a
   165  	particular URL, but still allow arbitrary clients to access the rest of the server?</a></h3>
   166  
   167  
   168  <p>To force clients to authenticate using certificates for a particular URL,
   169  	you can use the per-directory reconfiguration features of <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>:</p>
   170  
   171      <div class="example"><h3>httpd.conf</h3><p><code>
   172      SSLVerifyClient none<br />
   173      SSLCACertificateFile conf/ssl.crt/ca.crt<br />
   174      <br />
   175      &lt;Location /secure/area&gt;<br />
   176      SSLVerifyClient require<br />
   177      SSLVerifyDepth 1<br />
   178      &lt;/Location&gt;<br />
   179      </code></p></div>
   180  
   181  
   182  <h3><a name="certauthenticate" id="certauthenticate">How can I allow only clients who have certificates to access a
   183  	particular URL, but allow all clients to access the rest of the server?</a></h3>
   184  
   185  
   186      <p>The key to doing this is checking that part of the client certificate
   187      matches what you expect. Usually this means checking all or part of the
   188      Distinguished Name (DN), to see if it contains some known string.
   189      There are two ways to do this, using either <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> or
   190      <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>.</p> 
   191      
   192      <p>The <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> method is generally required when
   193      the certificates are completely arbitrary, or when their DNs have
   194      no common fields (usually the organisation, etc.). In this case,
   195      you should establish a password database containing <em>all</em>
   196      clients allowed, as follows:</p>
   197      
   198      <div class="example"><h3>httpd.conf</h3><pre>SSLCACertificateFile conf/ssl.crt/ca.crt
   199  SSLCACertificatePath conf/ssl.crt
   200  SSLVerifyClient      none
   201  
   202  &lt;Directory /usr/local/apache2/htdocs/secure/area&gt;
   203  SSLVerifyClient      require
   204  SSLVerifyDepth       5
   205  SSLOptions           +FakeBasicAuth
   206  SSLRequireSSL
   207  AuthName             "Snake Oil Authentication"
   208  AuthType             Basic
   209  AuthBasicProvider    file
   210  AuthUserFile         /usr/local/apache2/conf/httpd.passwd
   211  Require              valid-user
   212  &lt;/Directory&gt;</pre></div>
   213      
   214      <p>The password used in this example is the DES encrypted string "password".
   215      See the <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more 
   216      information.</p>
   217      
   218      <div class="example"><h3>httpd.passwd</h3><pre>/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
   219  /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
   220  /C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA</pre></div>
   221  
   222      <p>When your clients are all part of a common hierarchy, which is encoded
   223      into the DN, you can match them more easily using <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>, as follows:</p>
   224  
   225  
   226      <div class="example"><h3>httpd.conf</h3><pre>SSLVerifyClient      none
   227  SSLCACertificateFile conf/ssl.crt/ca.crt
   228  SSLCACertificatePath conf/ssl.crt
   229  
   230  &lt;Directory /usr/local/apache2/htdocs/secure/area&gt;
   231    SSLVerifyClient      require
   232    SSLVerifyDepth       5
   233    SSLOptions           +FakeBasicAuth
   234    SSLRequireSSL
   235    SSLRequire       %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
   236                 and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
   237  &lt;/Directory&gt;</pre></div>
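As an added illustration of the two approaches above (example code written for this page, not part of the Apache documentation or of mod_ssl), the following Python model parses client DNs in the one-line form mod_ssl exposes them, loads the httpd.passwd shown earlier, and applies the SSLRequire rule; the Mallory and Eve DNs are constructed to show what each mechanism rejects.

```python
import re

# Constructed sample subject DNs in the one-line form mod_ssl exposes as
# SSL_CLIENT_S_DN: the three identities from httpd.passwd plus two outsiders.
SAMPLE_DNS = [
    "/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo",
    "/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar",
    "/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux",
    "/C=US/L=L.A./O=Snake Oil, Ltd./OU=Sales/CN=Mallory",  # OU not in the allowed set
    "/C=US/L=L.A./O=Snake Oil Ltd/OU=Dev/CN=Eve",          # O differs in punctuation
]

# The httpd.passwd file from the howto; each hash is crypt(3) of "password".
HTTPD_PASSWD = """\
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
"""

# Split only at a "/" that begins a new "key=" component, so values such as
# "Snake Oil, Ltd." or "S.F." stay intact.
_COMPONENT = re.compile(r"/(?=[A-Za-z]+=)")


def parse_dn(dn):
    """Map a one-line DN to {component: value}, e.g. {'O': 'Snake Oil, Ltd.', ...}."""
    parts = {}
    for chunk in _COMPONENT.split(dn):
        if chunk:
            key, _, value = chunk.partition("=")
            parts[key] = value
    return parts


def ssl_require_passes(dn, org="Snake Oil, Ltd.", units=("Staff", "CA", "Dev")):
    """The howto's rule: %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and
    %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}; 'eq' is an exact match."""
    c = parse_dn(dn)
    return c.get("O") == org and c.get("OU") in units


def load_fake_basic_users(passwd_text):
    """Parse httpd.passwd into {DN: hash}; the DN is everything before the last ':'."""
    users = {}
    for line in passwd_text.splitlines():
        if line.strip():
            dn, _, hashed = line.rpartition(":")
            users[dn] = hashed
    return users


def fake_basic_auth_passes(dn, users):
    """With +FakeBasicAuth the user name is the whole DN and the password is the
    fixed word "password" (checked against the hash by mod_auth_basic; this
    model skips crypt), so the file is an exact-DN allow-list."""
    return dn in users


def decisions(dns=SAMPLE_DNS, passwd_text=HTTPD_PASSWD):
    """Return {DN: (admitted by the password file, admitted by SSLRequire)}."""
    users = load_fake_basic_users(passwd_text)
    return {dn: (fake_basic_auth_passes(dn, users), ssl_require_passes(dn)) for dn in dns}
```

Both mechanisms admit the three listed identities and refuse the two outsiders, but for different reasons: the password file fails on any DN it does not contain verbatim, while SSLRequire fails only on the O and OU fields it inspects.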
   238  
   239  
   240  <h3><a name="intranet" id="intranet">How can I require HTTPS with strong ciphers, and either basic
   241  authentication or client certificates, for access to part of the
   242  Intranet website, for clients coming from the Internet? I still want to allow
   243  plain HTTP access for clients on the Intranet.</a></h3>
   244  
   245     
   246     <p>These examples presume that clients on the Intranet have IPs in the range 
   247     192.168.1.0/24, and that the part of the Intranet website you want to allow
   248     internet access to is <code>/usr/local/apache2/htdocs/subarea</code>. 
   249     This configuration should remain outside of your HTTPS virtual host, so
   250     that it applies to both HTTPS and HTTP.</p>
   251  
   252      <div class="example"><h3>httpd.conf</h3><pre>SSLCACertificateFile conf/ssl.crt/company-ca.crt
   253  
   254  &lt;Directory /usr/local/apache2/htdocs&gt;
   255  #   Outside the subarea only Intranet access is granted
   256  Order                deny,allow
   257  Deny                 from all
   258  Allow                from 192.168.1.0/24
   259  &lt;/Directory&gt;
   260  
   261  &lt;Directory /usr/local/apache2/htdocs/subarea&gt;
   262  #   Inside the subarea any Intranet access is allowed
   263  #   but from the Internet only HTTPS + Strong-Cipher + Password
   264  #   or the alternative HTTPS + Strong-Cipher + Client-Certificate
   265  
   266  #   If HTTPS is used, make sure a strong cipher is used.
   267  #   Additionally allow client certs as alternative to basic auth.
   268  SSLVerifyClient      optional
   269  SSLVerifyDepth       1
   270  SSLOptions           +FakeBasicAuth +StrictRequire
   271  SSLRequire           %{SSL_CIPHER_USEKEYSIZE} &gt;= 128
   272  
   273  #   Force clients from the Internet to use HTTPS
   274  RewriteEngine        on
   275  RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
   276  RewriteCond          %{HTTPS} !=on
   277  RewriteRule          .* - [F]
   278  
   279  #   Allow Network Access and/or Basic Auth
   280  Satisfy              any
   281  
   282  #   Network Access Control
   283  Order                deny,allow
   284  Deny                 from all
   285  Allow                from 192.168.1.0/24
   286  
   287  #   HTTP Basic Authentication
   288  AuthType             basic
   289  AuthName             "Protected Intranet Area"
   290  AuthBasicProvider    file
   291  AuthUserFile         conf/protected.passwd
   292  Require              valid-user
   293  &lt;/Directory&gt;</pre></div>
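To check how the directives in the subarea block combine, here is an added Python model of the access decision (written for this page; it is not httpd code, and the request inputs and the 203.0.113.7 address are constructed). It applies the checks in the order httpd's request phases run them and includes the +StrictRequire behaviour that stops Satisfy any from overriding a failed SSLRequire.

```python
import re

# The pattern from the howto's RewriteCond; it decides who counts as "Intranet".
INTRANET_ADDR = re.compile(r"^192\.168\.1\.[0-9]+$")


def subarea_access(remote_addr, https, cipher_keysize=0, valid_user=False, client_cert=False):
    """Model the <Directory .../subarea> decision for one request, in the order
    httpd applies it: access checks, then authentication, then the per-directory
    rewrite in the fixup phase. Returns 'allow' or the refusing status."""
    on_intranet = bool(INTRANET_ADDR.match(remote_addr))

    # Access phase, mod_ssl: SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 is
    # evaluated on HTTPS requests only. With +StrictRequire a failure is final;
    # 'Satisfy any' cannot rescue the request via the network ACL or basic auth.
    if https and cipher_keysize < 128:
        return "403: cipher key size below 128 bits"

    # Satisfy any: the network ACL (Allow from 192.168.1.0/24) OR basic auth.
    # +FakeBasicAuth turns a certificate verified under 'SSLVerifyClient
    # optional' into a basic-auth user whose DN must be in protected.passwd.
    if not (on_intranet or valid_user or client_cert):
        return "401: password or client certificate required"

    # Fixup phase, mod_rewrite: RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
    # and RewriteCond %{HTTPS} !=on, then RewriteRule .* - [F].
    if not on_intranet and not https:
        return "403: Internet clients must use HTTPS"
    return "allow"


# Constructed request matrix covering each path through the configuration.
CASES = [
    ("192.168.1.20", False, 0, False, False),   # Intranet, plain HTTP
    ("192.168.1.20", True, 256, False, False),  # Intranet, strong HTTPS
    ("192.168.1.20", True, 40, True, False),    # Intranet, export cipher: refused anyway
    ("203.0.113.7", False, 0, False, False),    # Internet, plain HTTP, no credentials
    ("203.0.113.7", False, 0, True, False),     # Internet, plain HTTP, valid password
    ("203.0.113.7", True, 40, True, False),     # Internet, weak cipher, valid password
    ("203.0.113.7", True, 128, False, False),   # Internet, strong cipher, no credentials
    ("203.0.113.7", True, 128, True, False),    # Internet, strong cipher, password
    ("203.0.113.7", True, 256, False, True),    # Internet, strong cipher, client cert
]


def run_matrix(cases=CASES):
    """Return [(remote_addr, https, keysize, user, cert, decision), ...]."""
    return [case + (subarea_access(*case),) for case in cases]


if __name__ == "__main__":
    for *inputs, decision in run_matrix():
        print(inputs, "->", decision)
```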
   294  
   295  </div></div>
   296  <div class="bottomlang">
   297  <p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English">&nbsp;en&nbsp;</a></p>
   298  </div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
   299  <script type="text/javascript"><!--//--><![CDATA[//><!--
   300  var comments_shortname = 'httpd';
   301  var comments_identifier = 'http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html';
   302  (function(w, d) {
   303      if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
   304          d.write('<div id="comments_thread"><\/div>');
   305          var s = d.createElement('script');
   306          s.type = 'text/javascript';
   307          s.async = true;
   308          s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
   309          (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
   310      }
   311      else { 
   312          d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
   313      }
   314  })(window, document);
   315  //--><!]]></script></div><div id="footer">
   316  <p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
   317  <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
   318  if (typeof(prettyPrint) !== 'undefined') {
   319      prettyPrint();
   320  }
   321  //--><!]]></script>
   322  </body></html>