LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 12-13-2012, 05:14 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
1 webserver, multiple ssl-protected directories


Hello,

Is it possible to have different directories, each protected by their own ssl-certificate, on 1 webserver?

Can you push me towards some info on how to achieve this?
 
Old 12-13-2012, 05:17 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Well, that's just different virtual hosts, nothing specifically interesting about that, but the issue is that you can't serve two certificates from a single ssl port. So if you want this, you would need 2 IP addresses, or use a different port than 443 for one of them.

What you can often do is use SANs (Subject Alternative Names) in a certificate to hold two hostnames in a single cert, and then that covers both sites just fine, but you have no idea what site is being requested when an SSL connection is being set up, so you can only provide one cert.
 
Old 12-13-2012, 05:36 AM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
What I'm trying to achieve is a bit similar to having different ftp-users.
There is 1 FTP-server, but each user only has access to their own (sub)directory.

I want the same with https: 1 webserver, different directories, each user only has access to their own directory.

https://webserver.tld/user1
https://webserver.tld/user2
https://webserver.tld/user3
 
Old 12-13-2012, 06:38 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Oh, right, so you want to jail a user to a specific directory? That's easy enough, just use an htaccess directive to only allow certain users in certain places. You can do this with .htaccess files in each directory, or centrally in your httpd.conf file.

Alternatively, maybe you want userdir? http://httpd.apache.org/docs/2.2/howto/public_html.html

Note this all has nothing at all to do with SSL, so be careful how you involve areas that aren't relevant.
 
Old 12-13-2012, 06:55 AM   #5
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
I would use this method (SNI) to use SSL :
http://www.digicert.com/ssl-support/...-using-sni.htm

and so then .htaccess to password protect directories to 1 user

So first, the user must show his identity with the ssl-certificate, then he is "chowned" into his own directory and there he needs to give once more his username and password.

Sounds safe enough for a public http-server ??

Maybe I need to tell you why I need this safe https-server : I would place configuration files in these directories.

Last edited by jonaskellens; 12-13-2012 at 06:57 AM.
 
Old 12-13-2012, 07:01 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
SNI is no use here, you're only looking at using one server. TBH, I didn't realize SNI is officially as well supported as it appears to be, so didn't mention it originally. But either way, you're looking at using client certificates to identify a user, which is fine, but that's not affecting the server cert at all.

Using a user/pass AND a client cert seems like overkill to me. Client certs are usually an alternative solution, not a complementary one.
 
Old 12-13-2012, 08:40 AM   #7
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
So you would only use .htaccess-file to identify/authorize a user to a specific directory ?

I want to use https for secure connection and encrypted sending of user+password, then I need an ssl-certificate right ?!
 
Old 12-13-2012, 10:55 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
If you want an encrypted connection, then you'd need server side SSL only. Client SSL certs are used only for identity assertion, not encryption.
 
Old 12-13-2012, 11:52 AM   #9
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
I'm sorry but I still don't understand 100%.

So I need only 1 ssl-certificate for the 1 webserver ? And this same ssl-certificate on all the clients (like browsers) ?

How do I prevent unauthorized users from entering the wrong directory ??

If I have :

https://webserver.tld/user1
https://webserver.tld/user2
https://webserver.tld/user3

How do I prevent user3 from entering https://webserver.tld/user1 or https://webserver.tld/user2 ?


Thanks.
 
Old 12-13-2012, 04:20 PM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Plenty of good docs about htaccess files, e.g. http://www.elated.com/articles/passw...with-htaccess/

I don't like the individual files, and apache foundation officially recommend not using them, and putting the directives in httpd.conf instead. However they are good for understanding how the jigsaw fits together a bit easier.

The htaccess stuff will only allow certain users in certain directories, that's all you really seem to want. The SSL stuff is just bog standard SSL, no user specific angle on it.
 
1 members found this post helpful.
Old 12-14-2012, 03:07 AM   #11
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
So to answer my question : How do I prevent user3 from entering https://webserver.tld/user1 or https://webserver.tld/user2 ?

-> I do this with htaccess (or with directives).


And then to make the connection encrypted, I need SSL with a certificate on the server.

Can you point me to information on identity assertion for Client SSL certs ?
 
Old 12-14-2012, 03:10 AM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
First part - yes.

Second part - http://httpd.apache.org/docs/2.2/ssl...#accesscontrol
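The "first part" as one central httpd.conf fragment, added here as an example and not taken from the thread or from the Apache docs linked above: one server certificate on the one host, and each of /user1, /user2, /user3 restricted to its own Basic-auth user. The hostname, filesystem paths and the htpasswd file location are assumptions; the syntax is Apache 2.2 (the CentOS 6 generation the thread is working with).

```apache
# Added example, not from the thread: httpd 2.2-style configuration (CentOS 6 era) for one
# HTTPS server whose /user1, /user2 and /user3 paths each admit exactly one user.
# Hostname, filesystem paths and the htpasswd location are assumptions.
<VirtualHost *:443>
    ServerName webserver.tld
    DocumentRoot /var/www/secure
    # Server-side TLS only: one certificate for the one hostname. This is what
    # encrypts the Basic-auth username and password on the wire.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/webserver.tld.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webserver.tld.key
    # Keep all access rules here; ignore any .htaccess dropped into the tree.
    <Directory /var/www/secure>
        AllowOverride None
        Options -Indexes
    </Directory>
    # One block per directory, each naming one permitted user. The password file
    # lives outside DocumentRoot and is created with
    #   htpasswd -c /etc/httpd/conf/users.htpasswd user1
    # (omit -c when adding user2 and user3 to the same file).
    <Directory /var/www/secure/user1>
        SSLRequireSSL
        AuthType Basic
        AuthName "user1 area"
        AuthUserFile /etc/httpd/conf/users.htpasswd
        Require user user1
    </Directory>
    <Directory /var/www/secure/user2>
        SSLRequireSSL
        AuthType Basic
        AuthName "user2 area"
        AuthUserFile /etc/httpd/conf/users.htpasswd
        Require user user2
    </Directory>
    <Directory /var/www/secure/user3>
        SSLRequireSSL
        AuthType Basic
        AuthName "user3 area"
        AuthUserFile /etc/httpd/conf/users.htpasswd
        Require user user3
    </Directory>
</VirtualHost>
# Plain HTTP on :80 only redirects, so a password is never sent unencrypted.
<VirtualHost *:80>
    ServerName webserver.tld
    Redirect permanent / https://webserver.tld/
</VirtualHost>
```

SSLRequireSSL in each directory block is the belt-and-braces check: even if someone later adds a non-SSL vhost serving the same DocumentRoot, those paths refuse to answer over plain HTTP.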
 
Old 12-14-2012, 04:35 PM   #13
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
I will point out a possible oversight on how apache actually works...

Any file apache has access to can be read, and (unless ownership/security labeling blocks it) can also be updated.

User identification stops at the apache web server. It can identify a user... but it can not reliably partition the data apache has access to. Once the server is entered, any bug in apache can be used to access any file the apache user id has access to.

This is unlike ssh, where each user is separately identified to the kernel.

All apache logins look the same...

Now this applies mostly to the CGI applications. Basic file access is still handled by apache (beware PHP usage - this is a CGI and no CGI has effective identity).

Last edited by jpollard; 12-14-2012 at 04:37 PM.
 
1 members found this post helpful.
Old 12-14-2012, 05:22 PM   #14
Habitual
LQ Addict
 
Registered: Jan 2011
Location: Youngstown, Ohio
Distribution: LM17.1/Xfce4.11.8
Posts: 7,166
Blog Entries: 10

Rep: Reputation: 1979
Quote:
How do I prevent unauthorized users from entering the wrong directory ??

If I have :

https://webserver.tld/user1
https://webserver.tld/user2
https://webserver.tld/user3
Maybe it'd help if you thought of those as domains, or Hosts (really <VirtualHosts *:80>) and not actual breathing end-users.
Now, they very well could be called /user[123] and you have every right to do so.

Your "users" are seen as "clients" in terms of the apache service daemon. It's a client-server world.

Unless user1,2, and 3 all sit in the same chair, how would user3 even 'know' about /user[12] url?

Those easily could be
https://webserver.tld/HumanResources
https://webserver.tld/Engineering
https://webserver.tld/Shipping


Quote:
How do I prevent user3 from entering https://webserver.tld/user1 or https://webserver.tld/user2 ?
...
Exactly one .htaccess in each of the directories. Each file in each directory will have its own version of
Code:
<Limit GET POST>
order deny,allow
deny from all
allow from
...
If you don't have access to httpd.conf then your only option is to use an .htaccess file.

Here's all my links (besides the excellent ones posted already!)
  1. .htaccess tricks and tips - Part I
  2. .htaccess tricks and tips - Part II
  3. Forcing or eliminating the WWW
  4. Rewrites and https
  5. Anti-leech
  6. .htaccess files useful tips and tricks
  7. Comprehensive guide to .htaccess - Blocking bad bots
  8. Ten awesome .htaccess hacks for WordPress
  9. The A-Z of WordPress .htaccess hacks
  10. Htaccess tricks
Good luck.

Last edited by Habitual; 12-14-2012 at 06:03 PM.
 
Old 12-16-2012, 06:24 AM   #15
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
My end goal also is to only allow users with the right client ssl-certificate to enter the directory.

All the other attempts to access a certain directory of the webserver need to be rejected.

How can I do this ?

I would give every client a (self-signed) certificate, which has been signed by my own CA, to give access.
How do I reject all other requests on port 443 ?
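The client-certificate variant asked for here, added as an example and not taken from the thread: mod_ssl demands a certificate issued by your own CA for every connection on port 443, and each directory then checks the certificate's subject CN. Paths, the hostname and the CN values (user1, user2, user3) are assumptions; the directives are Apache 2.2 syntax, with the 2.4 spelling noted in a comment.

```apache
# Added example, not from the thread: httpd 2.2-style mod_ssl configuration that admits
# only clients holding a certificate issued by your own CA and maps each certificate's
# subject CN to its own directory. Paths, hostname and CN values are assumptions.
<VirtualHost *:443>
    ServerName webserver.tld
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/webserver.tld.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webserver.tld.key
    # Only this CA is trusted to vouch for clients; certificates from any other
    # issuer (including public CAs) fail the handshake. The CA's private key
    # stays off the web server entirely; Apache needs just the CA certificate.
    SSLCACertificateFile  /etc/pki/tls/certs/my-client-ca.crt
    # A valid client certificate is required for the whole host, so a request on
    # port 443 without one is rejected during the TLS handshake, before any URL
    # is seen. Depth 1 = signed directly by the CA above, no intermediates.
    SSLVerifyClient require
    SSLVerifyDepth  1
    # Make SSLRequire failures final even where another module would otherwise
    # grant access (Satisfy Any).
    SSLOptions +StrictRequire
    <Directory /var/www/secure>
        AllowOverride None
        Options -Indexes
    </Directory>
    # Per-directory authorization: the presented certificate's CN must equal the
    # directory owner. (httpd 2.4 spelling: Require expr %{SSL_CLIENT_S_DN_CN} == "user1")
    <Directory /var/www/secure/user1>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user1"
    </Directory>
    <Directory /var/www/secure/user2>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user2"
    </Directory>
    <Directory /var/www/secure/user3>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user3"
    </Directory>
</VirtualHost>
```

To cut off a lost client certificate without re-issuing the others, publish a CRL from the CA and point SSLCARevocationFile at it. As jpollard notes above, this authenticates the client but does not change which files the httpd process itself can read.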
 