4

We're using an apache 2.4 servers with client certificates to serve http-based services within our organization. Most importantly we call fossil cgi to serve repositories on such a server.

The client certificates are used to assign access permissions to repository categories by using <Files>, SSLRequire and fossil's ability to serve entire directories. I.e.:

<Files internal>
  SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Owner" \
    and %{SSL_CLIENT_S_DN_CN} in {"foo", "bar"}
</Files>
<Files sys>
  SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Admins" \
    and %{SSL_CLIENT_S_DN_CN} in {"foo", "frank"}
</Files>

This works well, but I've started to realize that as we're growing and some people gain wider range of responsibilities this is somewhat cumbersome. Most importantly it's a pain to have to edit the apache config files and restart apache each time permissions are updated.

What mechanisms are there to update apache configurations dynamically? (Specifically SSL rules). Is this something that one could solve using the Lua module and a simple sqlite database for containing the access lists? Is a custom written "Authorization Provider" the proper tool for this job?

cypheratheist
  • 41
  • 2
  • Do changes happen really so often? You could at least generate the Apache config file (that part, separated in as specific file pulled out through an Include) automatically from something else, even including from cron. – Patrick Mevzek Jan 03 '18 at 15:48

1 Answers1

2

First, Apache documentation states that SSLRequire is deprecated, see: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire

Now, some options:

  1. You can probably compute this configuration file automatically from some other resource. So program that and even have it in cron with an Apache reload, this is safe in case of errors and do not create missing requests
  2. Depending on how you provision your content, each part of it could be accompanied with a .htaccess that has the relevant Require in it. I am personally not in favor of using .htaccess snippets but they exist
  3. Have a look at SSLOptions FakeBasicAuth: doing so, the "content" of the client certificate (or any part of the SSL stuff with the AuthBasicFake directive given by the documentation as more powerful) could be exposed through standard Apache authentication mechanisms; so you would just need to fill out the file with all "usernames" (derived from client certificate) and set appropriate restriction on files/directories

I would try very hard to find a workable compromise using only Apache core features even with some programming around them as exposed above, before resorting to big guns like Lua (mod_lua is considered experimental in Apache, and are you sure to have a proper API for all SSL stuff?) or any other language and a database. This sure would work after some effort but it would increase significantly the complexity of the whole system and may lower its reliability.

Patrick Mevzek
  • 8,375
  • 1
  • 20
  • 42