{"id":2433,"date":"2017-04-16T06:45:54","date_gmt":"2017-04-16T06:45:54","guid":{"rendered":"http:\/\/pariswells.com\/blog\/?p=2433"},"modified":"2022-12-02T00:39:38","modified_gmt":"2022-12-02T00:39:38","slug":"securing-apache-to-use-certificate-authentication-auth_x509","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/random\/securing-apache-to-use-certificate-authentication-auth_x509","title":{"rendered":"Securing Apache to use Certificate Authentication auth_x509"},"content":{"rendered":"\n<p>Query to see if Certificate Exists via&nbsp; x509 based logins<\/p>\n\n\n<div class=\"wp-block-wab-pastacode\">\n\t<div class=\"code-embed-wrapper\"> <pre class=\"language-markup code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-markup code-embed-code\">&lt;?php<br\/>include(__DIR__.&quot;\/auth_mysql.php&quot;);<br\/><br\/>\/**<br\/> * Mysql based authentication<br\/> * The standard username\/password based authentication library<br\/> *<br\/> * @package CMS<br\/> * @author Sid Karunaratne<br\/> **\/<br\/>class auth_x509 extends auth_mysql<br\/>{<br\/>\tpublic function pre_login()<br\/>\t{<br\/>\t\tforeach($_SERVER as $key =&gt; $value)<br\/>\t\t{<br\/>\t\t\tif (!$value || strncmp($key, \u2019SSL_CLIENT_S_DN_Email\u2019, 21) !== 0)<br\/>\t\t\t\tcontinue;<br\/>\t\t\t$user = $this-&gt;_check_email_is_valid($value);<br\/>\t\t\tif ($user)<br\/>\t\t\t\treturn $user;<br\/>\t\t}<br\/>\t\treturn false;<br\/>\t}<br\/>\t<br\/>\tprotected function _check_email_is_valid($email)<br\/>\t{<br\/>\t\t$user = $this-&gt;db-&gt;select(&quot;<br\/>\t\t\t\t\tu.id,<br\/>\t\t\t\t\tu.name,<br\/>\t\t\t\t\tGROUP_CONCAT(g.id SEPARATOR \u2019,\u2019) as team_ids,<br\/>\t\t\t\t\tu.username as email,<br\/>\t\t\t\t\tGROUP_CONCAT(g.name SEPARATOR \u2019, ?) as teams,<br\/>\t\t\t\t\tpermission_last_set<br\/>\t\t\t\t&quot;)<br\/>\t\t\t-&gt;from(&quot;_auth_user u&quot;)<br\/>\t\t\t-&gt;join(&quot;_auth_user_group_xrefs aux&quot;, &quot;aux.user_id = u.id&quot;)<br\/>\t\t\t-&gt;join(&quot;_auth_group g&quot;, &quot;g.id = aux.group_id&quot;)<br\/>\t\t\t-&gt;where(&quot;u.username&quot;, $email)<br\/>\t\t\t-&gt;group_by(&quot;u.id&quot;)<br\/>\t\t\t-&gt;get()-&gt;result();<br\/>\t\tif (!$user)<br\/>\t\t\treturn false;<br\/>\t\t<br\/>\t\t<br\/>\t\t\/\/ The user is valid<br\/>\t\t$user = array_shift($user);\t\t<br\/>\t\t$user = $this-&gt;_finalise_user_login($user);<br\/>\t\treturn $user;<br\/>\t}<br\/>\t<br\/>\tpublic function login($credentials)<br\/>\t{<br\/>\t\treturn false;<br\/>\t}<br\/>}<br\/>\/\/ END class auth_x509<\/code><\/pre> <div class=\"code-embed-infos\"> <\/div> <\/div><\/div>\n\n\n\n<p>httpd-ssl.conf<\/p>\n\n\n<div class=\"wp-block-wab-pastacode\">\n\t<div class=\"code-embed-wrapper\"> <pre class=\"language-markup code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-markup code-embed-code\">apacheconf\u201d manual=\u201dListen 443<br\/><br\/>SetEnvIf User-Agent &quot;.*MSIE.*&quot; \\<br\/>nokeepalive ssl-unclean-shutdown \\<br\/>downgrade-1.0 force-response-1.0<br\/><br\/>&lt;VirtualHost *:443&gt;<br\/>DocumentRoot &quot;\/srv\/http\/&quot;<br\/>ServerName website.domain.com:443<br\/>ServerAdmin email@address.com<br\/>ErrorLog \/var\/log\/httpd\/ssl.error.log<br\/>TransferLog \/var\/log\/httpd\/ssl.access.log<br\/>BrowserMatch &quot;.*MSIE.*&quot; \\<br\/>nokeepalive ssl-unclean-shutdown \\<br\/>downgrade-1.0 force-response-1.0<br\/><br\/>SSLEngine on<br\/>SSLProtocol -all +TLSv1 +SSLv3<br\/>SSLCipherSuite HIGH:MEDIUM<br\/>SSLProxyEngine off<br\/># The certificate CACert signed<br\/>SSLCertificateFile \/etc\/httpd\/conf\/ssl\/dev.zealothost.net.crt<br\/># The private key<br\/>SSLCertificateKeyFile \/etc\/httpd\/conf\/ssl\/dev.zealothost.net.key<br\/># CACert\u2019s certificate - Seems to not be required<br\/>SSLCertificateChainFile \/etc\/httpd\/conf\/ssl\/ca.crt<br\/># CACert\u2019s certificate - The CA I require certificates to be signed with<br\/>SSLCACertificateFile \/etc\/httpd\/conf\/ssl\/ca-dskort.crt<br\/>SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars +ExportCertData<br\/><br\/>SSLVerifyClient require<br\/>SSLVerifyDepth 1<br\/>&lt;\/VirtualHost&gt;<\/code><\/pre> <div class=\"code-embed-infos\"> <\/div> <\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Query to see if Certificate Exists via&nbsp; x509 based logins httpd-ssl.conf<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[320,4],"tags":[1812,1813,1814],"class_list":["post-2433","post","type-post","status-publish","format-standard","hentry","category-code","category-random","tag-apache","tag-httpd-ssl-conf","tag-x509-based-logins"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/2433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=2433"}],"version-history":[{"count":3,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/2433\/revisions"}],"predecessor-version":[{"id":6444,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/2433\/revisions\/6444"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=2433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=2433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=2433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}