Configuring a web server that can be accessed with a personal client certificate
Applying personal client certificates in Apache HTTPD 2.4
Add the following to httpd.conf:
- URLs under /secure can be accessed only with a client certificate issued by the KREONET CA
- AAA.BBB.CCC.DDD/32 and BBB.CCC.DDD.EEE/32 can be accessed without a client certificate
SSLVerifyClient none
SSLCACertificateFile /../kreonet-ca-chain.pem
<Location />
    Require all granted
</Location>
<Location /secure>
    <If "-R 'AAA.BBB.CCC.DDD/32'">
    </If>
    <ElseIf "-R 'BBB.CCC.DDD.EEE/32'">
    </ElseIf>
    <Else>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Else>
</Location>
<Macro RotateLogs $domain>
    LogLevel warn
    ErrorLog "|/usr/sbin/rotatelogs /var/log/httpd/$domain/error_log.%Y%m%d 86400 +540"
    TransferLog "|/usr/sbin/rotatelogs /var/log/httpd/$domain/access_log.%Y%m%d 86400 +540"
    CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/$domain/request_log.%Y%m%d 86400 +540" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%{SSL_CLIENT_I_DN_CN}x][%{SSL_CLIENT_S_DN_CN}x] \"%r\" %b"
</Macro>
<VirtualHost *:443>
    Use RotateLogs example.kreonet.net
    ...
</VirtualHost>
# tail -f /var/log/httpd/example.kreonet.net/request_log.20201118
[18/Nov/2020:15:38:25 +0900] 223.1.190.003 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 [KREONET INTERMEDIATE CA 1][EXAMPLE_USER] "GET /index/html HTTP/1.1" 37582
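As an added example (not from the original page), a small Python audit that parses lines in the request_log format defined by the RotateLogs macro above and flags /secure requests that were served without a client certificate to a host outside the two exemptions, or with a certificate from an issuer other than the expected CA. The exempt networks and the sample log lines are constructed placeholders, and it assumes mod_ssl logs an absent CN field as "-".

```python
import re
from ipaddress import ip_address, ip_network
# %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%{SSL_CLIENT_I_DN_CN}x][%{SSL_CLIENT_S_DN_CN}x] "%r" %b
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'\[(?P<issuer>[^\]]*)\]\[(?P<subject>[^\]]*)\] "(?P<request>[^"]*)" (?P<bytes>\S+)$'
)
# Issuer CN taken from the sample log line on this page; adjust for your CA.
EXPECTED_ISSUER = "KREONET INTERMEDIATE CA 1"
# Placeholder exempt hosts standing in for AAA.BBB.CCC.DDD/32 and BBB.CCC.DDD.EEE/32.
EXEMPT_NETS = [ip_network("203.0.113.10/32"), ip_network("203.0.113.11/32")]

def parse_line(line):
    """Split one request_log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")          # e.g. "GET /secure/ HTTP/1.1"
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec

def is_exempt(host):
    try:
        return any(ip_address(host) in net for net in EXEMPT_NETS)
    except ValueError:                         # hostname or malformed address
        return False

def audit(line):
    """Return findings for one line; an empty list means nothing to flag."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable line"]
    findings = []
    # Assumption: with no client cert, mod_ssl logs the CN fields as "-".
    has_cert = rec["issuer"] != "-"
    if rec["path"].startswith("/secure"):
        if not has_cert and not is_exempt(rec["host"]):
            findings.append("/secure without client cert from non-exempt host (expect a 403)")
        if has_cert and rec["issuer"] != EXPECTED_ISSUER:
            findings.append("client cert from unexpected issuer: " + rec["issuer"])
    return findings
# Constructed sample lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    '[18/Nov/2020:15:38:25 +0900] 203.0.113.50 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 [KREONET INTERMEDIATE CA 1][EXAMPLE_USER] "GET /secure/index.html HTTP/1.1" 37582',
    '[18/Nov/2020:15:39:01 +0900] 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 [-][-] "GET /secure/ HTTP/1.1" 1024',
    '[18/Nov/2020:15:40:12 +0900] 198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 [-][-] "GET /secure/ HTTP/1.1" 199',
    '[18/Nov/2020:15:41:00 +0900] 198.51.100.8 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 [Some Other CA][OTHER_USER] "GET /secure/ HTTP/1.1" 199',
]
```

Run `for line in SAMPLE_LOG: print(audit(line))` against a rotated request_log file instead of SAMPLE_LOG to review a day's traffic; because the format has no %>s, a flagged no-cert line only tells you the request reached the server, not whether Apache denied it.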
References
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol
https://httpd.apache.org/docs/2.4/mod/core.html#elseif
https://superuser.com/questions/1055171/apache-and-support-for-per-directory-ca
https://www.cl.cam.ac.uk/~jw35/courses/using_https/html/x640.htm
https://httpd.apache.org/docs/2.4/ssl/ssl_compat.html
Mutual TLS
https://www.jacobbaek.com/1040
https://www.docusign.com/blog/dsdev-mutual-tls-stuff-know
https://developers.cloudflare.com/access/access-service-auth/mutual-tls-authentication