{"id":2433,"date":"2017-04-16T06:45:54","date_gmt":"2017-04-16T06:45:54","guid":{"rendered":"http:\/\/pariswells.com\/blog\/?p=2433"},"modified":"2022-12-02T00:39:38","modified_gmt":"2022-12-02T00:39:38","slug":"securing-apache-to-use-certificate-authentication-auth_x509","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/random\/securing-apache-to-use-certificate-authentication-auth_x509","title":{"rendered":"Securing Apache to use Certificate Authentication auth_x509"},"content":{"rendered":"\n
Query to see if Certificate Exists via x509 based logins<\/p>\n\n\n
\n\t
<?phpinclude(__DIR__."\/auth_mysql.php");\/** * Mysql based authentication * The standard username\/password based authentication library * * @package CMS * @author Sid Karunaratne **\/class auth_x509 extends auth_mysql{\tpublic function pre_login()\t{\t\tforeach($_SERVER as $key => $value)\t\t{\t\t\tif (!$value || strncmp($key, \u2019SSL_CLIENT_S_DN_Email\u2019, 21) !== 0)\t\t\t\tcontinue;\t\t\t$user = $this->_check_email_is_valid($value);\t\t\tif ($user)\t\t\t\treturn $user;\t\t}\t\treturn false;\t}\t\tprotected function _check_email_is_valid($email)\t{\t\t$user = $this->db->select("\t\t\t\t\tu.id,\t\t\t\t\tu.name,\t\t\t\t\tGROUP_CONCAT(g.id SEPARATOR \u2019,\u2019) as team_ids,\t\t\t\t\tu.username as email,\t\t\t\t\tGROUP_CONCAT(g.name SEPARATOR \u2019, ?) as teams,\t\t\t\t\tpermission_last_set\t\t\t\t")\t\t\t->from("_auth_user u")\t\t\t->join("_auth_user_group_xrefs aux", "aux.user_id = u.id")\t\t\t->join("_auth_group g", "g.id = aux.group_id")\t\t\t->where("u.username", $email)\t\t\t->group_by("u.id")\t\t\t->get()->result();\t\tif (!$user)\t\t\treturn false;\t\t\t\t\t\t\/\/ The user is valid\t\t$user = array_shift($user);\t\t\t\t$user = $this->_finalise_user_login($user);\t\treturn $user;\t}\t\tpublic function login($credentials)\t{\t\treturn false;\t}}\/\/ END class auth_x509<\/code><\/pre>
<\/div> <\/div><\/div>\n\n\n\n
httpd-ssl.conf<\/p>\n\n\n
\n\t
apacheconf\u201d manual=\u201dListen 443SetEnvIf User-Agent ".*MSIE.*" \\nokeepalive ssl-unclean-shutdown \\downgrade-1.0 force-response-1.0<VirtualHost *:443>DocumentRoot "\/srv\/http\/"ServerName website.domain.com:443ServerAdmin email@address.comErrorLog \/var\/log\/httpd\/ssl.error.logTransferLog \/var\/log\/httpd\/ssl.access.logBrowserMatch ".*MSIE.*" \\nokeepalive ssl-unclean-shutdown \\downgrade-1.0 force-response-1.0SSLEngine onSSLProtocol -all +TLSv1 +SSLv3SSLCipherSuite HIGH:MEDIUMSSLProxyEngine off# The certificate CACert signedSSLCertificateFile \/etc\/httpd\/conf\/ssl\/dev.zealothost.net.crt# The private keySSLCertificateKeyFile \/etc\/httpd\/conf\/ssl\/dev.zealothost.net.key# CACert\u2019s certificate - Seems to not be requiredSSLCertificateChainFile \/etc\/httpd\/conf\/ssl\/ca.crt# CACert\u2019s certificate - The CA I require certificates to be signed withSSLCACertificateFile \/etc\/httpd\/conf\/ssl\/ca-dskort.crtSSLOptions +StrictRequire +OptRenegotiate +StdEnvVars +ExportCertDataSSLVerifyClient requireSSLVerifyDepth 1<\/VirtualHost><\/code><\/pre>
Query to see if Certificate Exists via x509 based logins httpd-ssl.conf<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[320,4],"tags":[1812,1813,1814],"class_list":["post-2433","post","type-post","status-publish","format-standard","hentry","category-code","category-random","tag-apache","tag-httpd-ssl-conf","tag-x509-based-logins"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t