我的用户有证书并可以访问我的 Apache 2.4 服务器,这很好。
他们可以用证书访问整个网站。但我希望只有某些用户授予“/private”访问权限。我该如何配置。我的第一次尝试:
<VirtualHost *:443>
DBDriver mysql
DBDParams "dbname=xxx user=xxx pass=xxx"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
SSLEngine On
SSLCertificateFile /etc/apache2/ankara.crt
SSLCertificateKeyFile /etc/apache2/ankara.key
ServerName ankara.example.com
DocumentRoot /var/www/ankara
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile "/etc/apache2/ca.crt"
SSLOptions +StdEnvVars +FakeBasicAuth
SSLUserName SSL_CLIENT_S_DN_CN
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}e"
<Location "/private">
AuthName "Private"
AuthType Basic
AuthBasicProvider dbd
AuthDBDUserPWQuery \
"SELECT %{SSL_CLIENT_S_DN_CN} "
Require dbd-group team
AuthzDBDQuery "SELECT group FROM group WHERE naam = %s"
</Location>
</VirtualHost>
结果是Internal Server错误。在apache错误日志中:
AH00632:无法准备 SQL 语句:您的 SQL 语法有误;请查看与您的 MariaDB 服务器版本相对应的手册,了解在第 1 行“%{SSL_CLIENT_S_DN_CN}”附近使用的正确语法
知道如何解决这个问题吗?
答案1
我自己解决了这个问题,供任何感兴趣的人参考:
<VirtualHost *:443>
# mod_dbd configuration
DBDriver mysql
DBDParams "dbname=xxx user=xxx pass=xxx"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
SSLEngine On
SSLCertificateFile /etc/apache2/ankara.crt
SSLCertificateKeyFile /etc/apache2/ankara.key
ServerName ankara.example.com
DocumentRoot /var/www/ankara
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile "/etc/apache2/ca.crt"
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
<Location "/">
AuthName "Private"
AuthType Basic
AuthBasicProvider dbd
Require dbd-group team
AuthzDBDQuery "SELECT groep FROM groep WHERE naam = %s"
</Location>
</VirtualHost>
Apache 用证书中的 SSL_CLIENT_S_DN_CN 替换 %s。