Frankly, I don’t believe I’ve been very useful to you because I’m just not “up” on this dealing directly with Apache (cPanel is my “crutch”).
I’m a bit concerned with “FakeBasicAuth”, though. Try a search at apache.org for that before going to Google for information as that’s what I’d have to do.
Indeed! M$ has never been much of a fan of security and, what they do, they reinvent (or … well, I won’t get into their business ethics) how to do things (just to remain incompatible, I believe) so they won’t use the standard encryption for passwords.
“Windows does NOT create that file properly so you’ll need” ((((
Must write a letter to Bill Gates!
“If I disconnect «SSLOptions FakeBasicAuth» (#SSLOptions FakeBasicAuth), then everything works. But with this solution the certificate is not bound to the user account.”
Why Sign works with # SSLOptions FakeBasicAuth ?
Maybe it’s a bug in Apache?
hmmmm…
Searched the whole Internet … no solution (((
I will continue to look…
FakeBasicAuth
When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client’s X509 Certificate (can be determined by running OpenSSL’s openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user. Every entry in the user file needs this password: “xxj31ZMTZzkVA”, which is the DES-encrypted version of the word “password”. Those who live under MD5-based encryption (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5 hash of the same word: “$1$OXLyS…$Owx8s2/m9/gfkcRVXzgoE/”.
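As an added illustration of the user-file entry the documentation quoted above describes (not code from this thread or from the Apache project), this shell sketch turns a certificate subject into an AuthUserFile line with the fixed hash. It assumes mod_ssl matches on the one-line /C=.../CN=... form of the subject; subject_to_entry and cert_to_entry are hypothetical helper names, and the sample subject in the comment is constructed.

```shell
#!/bin/sh
# Build AuthUserFile lines for SSLOptions FakeBasicAuth.
# The hash is the one quoted from the mod_ssl documentation above
# (DES crypt of the word "password"); it is the same for every entry.
FAKE_HASH='xxj31ZMTZzkVA'

# Convert one line of `openssl x509 -noout -subject` output into a
# user-file entry of the form "<subject DN>:<hash>".
# Assumption: the user name must be the one-line "/C=../O=../CN=.." form.
subject_to_entry() {
    # Older OpenSSL prints "subject= /C=..", newer prints "subject=/C=..".
    dn=$(printf '%s' "$1" | sed -e 's/^subject= *//')
    case "$dn" in
        /*) ;;
        *)  echo "not a one-line /C=.../CN=... subject: $dn" >&2
            return 1 ;;
    esac
    # ':' separates user name and hash in the user file, so a DN that
    # contains one cannot be stored as a single user name.
    case "$dn" in
        *:*) echo "subject contains ':' and cannot be a user name: $dn" >&2
             return 1 ;;
    esac
    printf '%s:%s\n' "$dn" "$FAKE_HASH"
}

# Read the subject straight from a certificate file.
# -nameopt compat requests the legacy one-line layout, because newer
# OpenSSL releases print "C = DE, CN = ..." by default.
cert_to_entry() {
    subj=$(openssl x509 -noout -subject -nameopt compat -in "$1") || return 1
    subject_to_entry "$subj"
}

# Constructed sample:
#   subject_to_entry 'subject= /C=DE/O=Example/CN=Test Client'
#   prints /C=DE/O=Example/CN=Test Client:xxj31ZMTZzkVA

# Usage: sh script.sh client1.crt client2.crt >> /path/to/userfile
for cert in "$@"; do
    cert_to_entry "$cert"
done
```

If a generated line differs from the subject Apache logs for the client certificate, even by a space, the lookup in the user file fails.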
From memory (rusty now, of course), that should ask you for the title of the password window Apache will present as well as the location of the username : password file. From memory (again), Windows does NOT create that file properly so you’ll need to look for an application online which can create the passwords for you in the proper format (those pages will normally also provide a full documentation on how to create, store and use the password protection scheme).
I’m NOT much help in this regard as I’m on a WinDoze box as a test server but leave all this to cPanel on the production server. cPanel takes all the pain out of this process so I’ve gotten lazy (lazier?) in my old age.
I could not find information on CN :(
Is it possible or not to register the IP address in CN?
I checked everything at this link http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#accesscontrol
I did not understand what the cause of the mistake is. I want to solve this problem. Maybe you know the developers of Apache? Maybe ask them what the reason for the error is? I understood that I was doing wrong.
Please do not worry about the language (other than that English use is required). I remember almost nothing of my university Russian, high school French or my junior high (middle school?) Latin. In other words, your English is much better than my {any other human language}.
Now, to your question: Although I insist on a Linux box for a production server, I rely on WHM/cPanel to deal with the (signed) Secure Server Certificates as well as password protecting directories. Of course, I supplement each with both mod_rewrite and PHP scripts to ensure that “secure” pages are processed via SSL and “casual” pages are not.
Because it’s after midnight (and I’m up to my ears in preparing taxes), I can’t go research at Apache.org but it’s my feeling that you’re making it more complicated than necessary: Use the Secure Server Certificate to have your pages encrypted and use password protected directories to deal with the directory permissions.
# Force clients from the Internet to use HTTPS
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond %{HTTPS} !=on
RewriteRule .* - [F]
That merely FAILs any request from the LAN (192.168.1.x) which is not using the Secure Server.
Other than that, tonight, my brain is fried and I’m headed to bed.
Thank you for your reply! This question is asked in different forums and only you responded. My English is not very good. I would be grateful if you would write in simple language.
When you create a certificate, can you write an IP address in commonName?
If I disconnect «SSLOptions FakeBasicAuth» (#SSLOptions FakeBasicAuth), then everything works. But with this solution the certificate is not bound to the user account.