[[!meta title="Configuring Client-Side Certificate Authentication on Apache"]]
-While it's certainly possible to configure client-side certificate authentication on Apache using the built-in SSL module alone, it's much easier if you use the Apache modules developed for the [scripts.mit.edu](http://scripts.mit.edu) project.
+While it's certainly possible to configure client-side certificate authentication on Apache using the built-in SSL module alone, it's much easier if you use the Apache modules developed for the [scripts.mit.edu](https://scripts.mit.edu) project.
## Installing the modules
-If you're using Ubuntu, Evan Broder has packaged the scripts.mit.edu modules for all current Ubuntu releases in a PPA.
+If you're using Ubuntu, Evan Broder has packaged the scripts.mit.edu modules for all current Ubuntu releases (through 11.x) in a PPA.
The [PPA homepage](https://launchpad.net/~broder/+archive/scripts-http-mods) includes instructions on how to install the PPA on your system, but if you're on Ubuntu Karmic or later, you can just run:
- # add-apt-repository ppa:broder/scripts-http-mods
+ # add-apt-repository ppa:broder/scripts-http-mods ; apt-get update
Once you've installed the PPA, you want to install the libapache2-mod-auth-sslcert and libapache2-mod-authz-afsgroup packages.
# aptitude install libapache2-mod-auth-sslcert libapache2-mod-authz-afsgroup
-You'll also need a working AFS client and the Athena client certificate CA. Both of these can be most easily configured by [installing Debathena](http://debathena.mit.edu/install). You can install any Debathena flavor you'd like, but `debathena-standard` flavor should include everything you need.
+You'll also need a working AFS client and the Athena client certificate CA. Both of these can be most easily configured by [installing Debathena](https://debathena.mit.edu/install). You can install any Debathena flavor you'd like, but `debathena-standard` flavor should include everything you need.
## Configuring Apache
AuthSSLCertStripSuffix "@MIT.EDU"
</Location>
-You also need to require certificate authentication. You can either use `SSLVerifyClient require` or `SSLVerifyClient optional`. `SSLVerifyClient required` has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with `SSLVerifyClient optional` set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets `SSLVerifyClient optional`.
+You also need to require certificate authentication. You can either use `SSLVerifyClient require` or `SSLVerifyClient optional`. `SSLVerifyClient require` has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with `SSLVerifyClient optional` set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets `SSLVerifyClient optional`.
You'll also need to enable the Apache modules.
# a2enmod auth_sslcert
# a2enmod authz_afsgroup
-Once you've done that, the instructions in the [scripts.mit.edu FAQ](http://scripts.mit.edu/faq/15) on configuring certificate access through `.htaccess` files should work.
+Once you've done that, the instructions in the [scripts.mit.edu FAQ](https://scripts.mit.edu/faq/15) on configuring certificate access through `.htaccess` files should work.
sipb-www / wiki.git / blobdiff