Friday 9 March 2018

How to check Client SSL cert from certain IPs only


Lately, I had a requirement to configure an Apache reverse proxy in such a way that any user logging in through the Apache reverse proxy presents a valid client certificate if they are not an internal user.

Internal users, coming from local network IPs and local domain names, should be allowed access without any certificate validation.

To achieve this, we can use the simple construct below if we are using Apache 2.4.x:


# Require a client certificate unless the connection comes from loopback
# or the 192.168.0.0/16 range. Dots are escaped so they match literally.
<If "%{REMOTE_ADDR} !~ /^127\.0\.0\.1$/ && %{REMOTE_ADDR} !~ /^192\.168\.[0-9]+\.[0-9]+$/">
        SSLVerifyClient require
        SSLVerifyDepth 2
</If>

If we are using Apache 2.2, which has no <If> section, the config needs to involve mod_rewrite, as below:

# Ask every client for a certificate and verify it, but do not reject the
# connection at the TLS layer; the outcome is exposed as SSL_CLIENT_VERIFY.
SSLVerifyClient optional
SSLVerifyDepth  2

<Location />
        # Let every connection reach mod_rewrite; the access decision is made there.
        Order deny,allow
        Deny from all
        Satisfy any
        Allow from all
        RewriteEngine on
        # Forbid (403) when the certificate did not verify AND the client is
        # neither loopback nor in 192.168.1.0/24. Dots are escaped so they
        # match literally, and [0-9]+ covers every host number.
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
        RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
        RewriteRule   ^  -  [F]
</Location>

Using SSLVerifyClient optional still asks clients for a certificate and verifies any that is presented, but it does not block access when none is presented or when verification fails.
Instead, the result is recorded in SSL_CLIENT_VERIFY (SUCCESS, NONE or FAILED:reason), which lets us test whether verification worked with the mod_rewrite conditions seen above.
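The following is an added example, not part of the original post or of Apache: it reproduces the access decision made by both snippets above (allow if the client is internal, otherwise allow only when SSL_CLIENT_VERIFY is SUCCESS) in Python so it can be exercised offline against constructed requests. It also goes one step beyond the post by comparing the regex style of matching with address/network matching, which shows a caveat the regexes leave open: an Apache listening on IPv6 sees loopback clients as ::1, which neither 127.0.0.1 pattern matches, so such clients would be asked for a certificate. The sample request tuples are constructed for the demonstration.

```python
import ipaddress
import re

# Regex form of the "internal" test, as the <If> and RewriteCond lines
# express it, with the dots escaped so '.' matches only a literal dot.
INTERNAL_RE = [
    re.compile(r"^127\.0\.0\.1$"),
    re.compile(r"^192\.168\.[0-9]+\.[0-9]+$"),
]

# Network form of the same test: the equivalent IPv4 ranges plus the IPv6
# loopback address, which the regexes above never match.
INTERNAL_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
]


def is_internal_regex(remote_addr: str) -> bool:
    """True when REMOTE_ADDR matches one of the regex patterns."""
    return any(p.match(remote_addr) for p in INTERNAL_RE)


def is_internal_network(remote_addr: str) -> bool:
    """True when REMOTE_ADDR parses as an IP inside one of the networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Not an IP literal at all: treat as external.
        return False
    return any(addr in net for net in INTERNAL_NETS)


def request_allowed(remote_addr: str, ssl_client_verify: str,
                    is_internal=is_internal_network) -> bool:
    """Mirror the RewriteRule: the request is forbidden unless the client is
    internal or mod_ssl verified its certificate (SSL_CLIENT_VERIFY == SUCCESS).
    SSL_CLIENT_VERIFY is NONE when no certificate was sent and FAILED:<reason>
    when one was sent but did not verify."""
    if is_internal(remote_addr):
        return True
    return ssl_client_verify == "SUCCESS"


# Constructed sample requests: (REMOTE_ADDR, SSL_CLIENT_VERIFY as mod_ssl would set it).
SAMPLE_REQUESTS = [
    ("192.168.1.10", "NONE"),                          # internal, no cert
    ("127.0.0.1", "NONE"),                             # loopback, no cert
    ("::1", "NONE"),                                   # IPv6 loopback, no cert
    ("10.0.0.5", "NONE"),                              # external, no cert
    ("203.0.113.7", "FAILED:certificate has expired"), # external, bad cert
    ("203.0.113.8", "SUCCESS"),                        # external, verified cert
]


def decide_all(is_internal=is_internal_network):
    """Return {REMOTE_ADDR: allowed?} for the sample requests."""
    return {addr: request_allowed(addr, verify, is_internal)
            for addr, verify in SAMPLE_REQUESTS}


if __name__ == "__main__":
    print("network match:", decide_all(is_internal_network))
    print("regex match:  ", decide_all(is_internal_regex))
```

With the regex form, the ::1 request is the only one whose decision differs: it is forbidden, because the pattern only knows the IPv4 spelling of loopback. In Apache 2.4 the expression parser offers `-ipmatch` for comparing REMOTE_ADDR against a CIDR block, which avoids hand-written dotted-quad regexes altogether; for 2.2 the mod_rewrite conditions would need an additional RewriteCond per IPv6 range, or the server can simply be kept IPv4-only.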