Hello,

is it possible to have different directories, each protected by there own ssl-certificate, on 1 webserver ?

Can you push me towards some info on how to achieving this ?

well that's just different virtual hosts, nothing specifically interesting about that, but the issue is that you can't serve two certificates from a single ssl port. So if you want this, you would need 2 IP addreses, or use a different port than 443 for one of them.

What you can often do is use SAN's (Subject Alternative Names) in a certificate to hold two hostnames in a single cert, and then that covers both sites just fine, but you have no idea what site is being requested when an SSL connection is being set up, so you can only provide one cert.

What I'm trying to achieve is a bit similar to having different ftp-users.
There is 1 FTP-server, but each user only has access to there own (sub)directory.

I want the same with https : 1 webserver, different directories, each user only access to there own directory

https://webserver.tld/user1
https://webserver.tld/user2
https://webserver.tld/user3

oh, right, so you want to jail a user to a specific directory? That's easy enough, just use an htaccess directive to only allow certain users in certain places. you can do this with .htaccess files in each directory, or centrally in your httpd.conf file.

Alternatively, maybe you want userdir? http://httpd.apache.org/docs/2.2/howto/public_html.html

Note this all has nothing at all to do with SSL, so be careful how you involve areas that aren't relevant.

I would use this method (SNI) to use SSL :
http://www.digicert.com/ssl-support/...-using-sni.htm

and so then .htaccess to password protect directories to 1 user

So first, the user must show his identity with the ssl-certificate, then he is "chowned" into his own directory and there he needs to give once more his username and password.

Sounds safe enough for a public http-server ??

Maybe I need to tell you why I need this safe https-server : I would place configuration files in these directories.

SNI is no use here, you're only looking at using one server. TBH, I didn't realize SNI is officially as well supported as it appears to be, so didn't mention it originally. But either way, you're looking at using client certificates to identify a user, which is fine, but that's not affecting the server cert at all.

Using a user/pass AND a client cert seems like overkill to me. client certs are usually an alternative solution, not a complimentary one.

So you would only use .htaccess-file to identify/authorize a user to a specific directory ?

I want to use https for secure connection and encrypted sending of user+password, then I need an ssl-certificate right ?!

if you want an encrypted connection, then you'd need server side SSL only. Client SSL certs are used only for identity assertion, not encryption.

I'm sorry but I still don't understand 100%.

So I need only 1 ssl-certificate for the 1 webserver ? And this same ssl-certificate on all the clients (like browsers) ?

How do I prevent unauthorized users from entering the wrong directory ??

If I have :

https://webserver.tld/user1
https://webserver.tld/user2
https://webserver.tld/user3

How do I prevent user3 from entering https://webserver.tld/user1 or https://webserver.tld/user2 ?


Thanks.

plenty of good docs about htaccess files, e.g. http://www.elated.com/articles/passw...with-htaccess/

I don't like the individual files, and apache foundation officially recommend not using them, and putting the directives in httpd.conf instead. However they are good for understanding how the jigsaw fits together a bit easier.

the htaccess stuff will only allow certain users in certain directories, that's all you really seem to want. The SSL stuff is just bog standard SSL, no user specific angle on it.

1 members found this post helpful.

So to answer my question : How do I prevent user3 from entering https://webserver.tld/user1 or https://webserver.tld/user2 ?

-> I do this with htaccess (or with directives).


And then to make the connection encrypted, I need SSL with a certificate on the server.

Can you point me to information on identity assertion for Client SSL certs ?

first part - yes.

second part - http://httpd.apache.org/docs/2.2/ssl...#accesscontrol

I will point out a possible oversight on how apache actually works...

Any file apache has access to can read, and (unless ownership/security labeling blocks it) can also be updated.

User identification stops at the apache web server. It can identify a user... but it can not reliably partition the data apache has access to. Once the server is entered, any bug in apache can be used to access any file the apache user id has access to.

This is unlike ssh, where each user is separately identified to the kernel.

All apache logins look the same...

Now this applies mostly to the CGI applications. Basic file access is still handled by apache (beware PHP useage - this is a CGI and no CGI has effective identity)

1 members found this post helpful.

Maybe it'd help if you thought of those as domains, or Hosts (really <VirtualHosts *:80>) and not actual breathing end-users.
Now, they very well could be called /user[123] and you have every right to do so.

Your "users" are seen as "clients" in terms of the apache service daemon. It's a client-server world.

Unless user1,2, and 3 all sit in the same chair, how would user3 even 'know' about /user[12] url?

Those easily could be
https://webserver.tld/HumanResources
https://webserver.tld/Engineering
https://webserver.tld/Shipping


Exactly One .htaccess in each of the directories. Each file in each directory will have its own version of
If you don't have access to httpd.conf then your only option is to use an .htaccess file.

Here's all my links (besides the excellent ones posted already!)

1. .htaccess tricks and tips - Part I
2. .htaccess tricks and tips - Part II
3. Forcing or eliminating the WWW
4. Rewrites and https
5. Anti-leech
6. .htaccess files useful tips and tricks
7. Comprehensive guide to .htaccess - Blocking bad bots
8. Ten awesome .htaccess hacks for WordPress
9. The A-Z of WordPress .htaccess hacks
10. Htaccess tricks

Good luck.

My end goal also is to only allow users with the right client ssl-certificate to enter the directory.

All the other attempts to access the webserver of a certain directory need to be rejected.

How can I do this ?

I would give every client a (self-signed) certificate, which has been signed by my own CA, to give access.
How do I reject all other requests on port 443 ?