# Client certificates are not requested by default. The CA chain named here is
# what mod_ssl verifies a client certificate against wherever verification is
# switched on below.
SSLVerifyClient      none
SSLCACertificateFile /../kreonet-ca-chain.pem

# Everything outside /secure stays public.
<Location />
    Require all granted
</Location>

<Location /secure>
    # "-R" matches the client address against a CIDR range. Hosts caught by the
    # <If>/<ElseIf> branches get no extra directives, so they keep
    # "SSLVerifyClient none" from above and are exempt from certificate checks.
    # Every other client must present a certificate, and SSLVerifyDepth 1 only
    # accepts one issued directly by a CA present in the chain file.
    <If     "-R 'AAA.BBB.CCC.DDD/32'">
    </If>
    <ElseIf "-R 'BBB.CCC.DDD.EEE/32'">
    </ElseIf>
    <Else>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Else>
</Location>



Logging for audit

# Requires mod_macro. rotatelogs rotates every 86400 s (daily); +540 is the
# offset from UTC in minutes (UTC+9, KST) so the date in the file name follows
# local time. The request_log format records, per request: timestamp, client
# address, TLS protocol, cipher suite, issuer CN and subject CN of the client
# certificate (logged as "-" when no certificate was presented), the request
# line and the response size.
<Macro RotateLogs $domain>
    LogLevel    warn
    ErrorLog    "|/usr/sbin/rotatelogs /var/log/httpd/$domain/error_log.%Y%m%d   86400 +540"
    TransferLog "|/usr/sbin/rotatelogs /var/log/httpd/$domain/access_log.%Y%m%d  86400 +540"
    CustomLog   "|/usr/sbin/rotatelogs /var/log/httpd/$domain/request_log.%Y%m%d 86400 +540" \
                    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%{SSL_CLIENT_I_DN_CN}x][%{SSL_CLIENT_S_DN_CN}x] \"%r\" %b"
</Macro>

# Expand the macro once per virtual host.
<VirtualHost *:443>
    Use RotateLogs example.kreonet.net
    ...
</VirtualHost>


Audit Logs

Test connection with the following client certificate:
Subject: C=KR, ST=Daejeon, L=Yuseong-gu, O=KISTI, OU=KREONET, CN=NOC

The resulting request_log entry shows the issuer CN and subject CN of the presented certificate in the bracketed fields:

# tail -f /var/log/httpd/example.kreonet.net/request_log.20201118
[18/Nov/2020:15:38:25 +0900] 223.1.190.0033 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 [KREONET INTERMEDIATE CA 1][EXAMPLE_USER] "GET /index/html HTTP/1.1" 37582


If you want to add more constraints, for example to admit only specific client certificate subjects to /secure, add a Require expr on the subject CN. With no client certificate presented the variable is empty, none of the comparisons match, and access is denied, so the check fails closed; it is only meaningful where SSLVerifyClient require is in effect.

<Location /secure>
    # Export the SSL_* variables to the CGI/SSI environment for this location.
    SSLOptions +StdEnvVars
    # Grant access if the client certificate's subject CN matches any entry.
    # "==" is an exact string comparison; use "=~" for a regex if needed.
    <RequireAny>
        Require expr %{SSL_CLIENT_S_DN_CN} == "demo.connect.docusign.net"
        Require expr %{SSL_CLIENT_S_DN_CN} == "connect.docusign.net"
        Require expr %{SSL_CLIENT_S_DN_CN} == "eu.connect.docusign.net"
    </RequireAny>
</Location>
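The following script is an added example, not code from the original page or from Apache httpd. It parses the request_log format produced by the RotateLogs macro above and applies, offline, the same policy the two sections describe: requests under /secure must carry a client certificate unless they come from an exempted host, the certificate must be issued by the expected CA, and the subject CN must be on the allowlist. It also flags legacy TLS versions. The log lines, the expected issuer CN, the allowlisted subjects and the exempt host addresses are all constructed for the example; the only behaviour it assumes from httpd is that mod_log_config writes "-" for an unset %{...}x variable.

```python
"""Audit checks over the mod_ssl request_log format used on this page.

Added example, not part of the original page or of Apache httpd. Parses the
CustomLog format from the RotateLogs macro:

  %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%{SSL_CLIENT_I_DN_CN}x][%{SSL_CLIENT_S_DN_CN}x] "%r" %b

Assumption: an unset %{...}x variable is logged as "-" (mod_log_config's
placeholder). All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'\[(?P<issuer_cn>[^\]]*)\]\[(?P<subject_cn>[^\]]*)\] '
    r'"(?P<request>[^"]*)" (?P<size>\S+)$'
)

# Protocol versions that should not appear on a hardened endpoint.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Hypothetical policy values for the example (not from the page).
EXPECTED_ISSUER_CN = "KREONET INTERMEDIATE CA 1"
ALLOWED_SUBJECT_CNS = {"EXAMPLE_USER"}
CERT_EXEMPT_HOSTS = {"198.51.100.7"}   # plays the role of the <If "-R ..."> hosts

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    '[18/Nov/2020:15:38:25 +0900] 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 '
    '[KREONET INTERMEDIATE CA 1][EXAMPLE_USER] "GET /secure/index.html HTTP/1.1" 37582',
    '[18/Nov/2020:15:40:01 +0900] 203.0.113.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 '
    '[Example Other CA][EXAMPLE_USER] "GET /secure/ HTTP/1.1" 512',
    '[18/Nov/2020:15:41:13 +0900] 203.0.113.12 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 '
    '[-][-] "GET /secure/ HTTP/1.1" 4321',
    '[18/Nov/2020:15:42:02 +0900] 198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 '
    '[-][-] "GET /secure/ HTTP/1.1" 4321',
    '[18/Nov/2020:15:43:45 +0900] 203.0.113.13 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 '
    '[KREONET INTERMEDIATE CA 1][UNKNOWN_USER] "GET /secure/report HTTP/1.1" 100',
    '[18/Nov/2020:15:44:10 +0900] 203.0.113.14 TLSv1 ECDHE-RSA-AES128-SHA '
    '[-][-] "GET /index.html HTTP/1.1" 2000',
    '[18/Nov/2020:15:45:00 +0900] 203.0.113.15 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 '
    '[-][-] "GET /index.html HTTP/1.1" 2000',
]


@dataclass
class AuditRecord:
    time: str
    host: str
    proto: str
    cipher: str
    issuer_cn: Optional[str]    # None when no client certificate was presented
    subject_cn: Optional[str]
    method: str
    path: str
    size: str


def _field(value: str) -> Optional[str]:
    # mod_log_config writes "-" for an unset %{...}x variable.
    return None if value in ("", "-") else value


def parse_line(line: str) -> Optional[AuditRecord]:
    """Parse one request_log line; None if it does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    request = m.group("request").split()
    return AuditRecord(
        time=m.group("time"), host=m.group("host"), proto=m.group("proto"),
        cipher=m.group("cipher"), issuer_cn=_field(m.group("issuer_cn")),
        subject_cn=_field(m.group("subject_cn")),
        method=request[0] if request else "",
        path=request[1] if len(request) > 1 else "",
        size=m.group("size"),
    )


def under_location(path: str, location: str) -> bool:
    """Mirror <Location> prefix matching: whole path segments only."""
    location = location.rstrip("/")
    return path == location or path.startswith(location + "/")


def audit_log(lines: Iterable[str], expected_issuer_cn: str,
              allowed_subject_cns: Set[str], cert_exempt_hosts: Set[str],
              protected_location: str = "/secure") -> List[Tuple[str, str]]:
    """Return (reason, line) findings for lines that violate the policy."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line))
            continue
        if rec.proto in WEAK_PROTOCOLS:
            findings.append(("weak-protocol", line))
        if not under_location(rec.path, protected_location):
            continue                      # public path, no certificate policy
        if rec.subject_cn is None:
            if rec.host not in cert_exempt_hosts:
                findings.append(("no-client-cert", line))
            continue
        if rec.issuer_cn != expected_issuer_cn:
            findings.append(("unexpected-issuer", line))
        if rec.subject_cn not in allowed_subject_cns:
            findings.append(("subject-not-allowed", line))
    return findings


if __name__ == "__main__":
    for reason, line in audit_log(SAMPLE_LINES, EXPECTED_ISSUER_CN,
                                  ALLOWED_SUBJECT_CNS, CERT_EXEMPT_HOSTS):
        print(f"{reason:20s} {line}")
```

A "no-client-cert" hit on /secure from a host outside the exempt set would mean the `<Else>` branch did not enforce `SSLVerifyClient require` for that request, which is exactly the condition the audit log exists to catch; an "unexpected-issuer" hit means the chain file accepted a CA you did not intend.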





References

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol

...