HomeServer25B の履歴(No.1)

[ トップ ]   [ 新規 | 一覧 | 検索 | 最終更新 | ヘルプ ]

• 履歴一覧
• 差分 を表示
• 現在との差分 を表示
• ソース を表示
• HomeServer25B へ行く。
  • 1 (2020-10-08 (木) 23:39:35)
  • 2 (2020-10-09 (金) 00:11:42)
  • 3 (2020-10-13 (火) 09:41:29)

---

考え方†

• mvc (=kgb.hmuna.com) には公式なサーバー証明書を導入済み
• mvc のログイン認証は local IP ゾーン（VPN 接続を含む）は認証なし、その他は One Time パスワード認証を要求
• これに加えクライアント認証を導入し、認証済クライアントはパスワード無しで接続できるようにしたい
• 発行済のサーバー証明書からクライアント証明書を発行する方法が無い（CoMoDo には別にクライアント認証オプションあり）
  • Comodo Client Certificates
• 一方でオレオレ認証ベースでのクライアント証明書を発行する事例は多数参考記事がある
  • オレオレ認証局でのクライアント証明書の作り方(sha256)
  • オレオレ認証局でクライアント認証 ～ ウェブの Basic 認証をリプレース
  • クライアント証明書によるアクセス制限

• （方針）クライアント証明書については、公式サーバー証明書とは別にオレオレ認証局で作り Apache2 に組み込んで動作確認する
  • この考え方（＝サーバー証明書とクライアント証明書は別の認証局を使う）で正しいことを CyberTrust に確認した。

設定†

ベースとなる openssl.cnf 雛形の確認†

munakata@mvc:/etc/ssl/officialCL$ sudo find / -name openssl.cnf -print
/usr/lib/ssl/openssl.cnf
/etc/ssl/openssl.cnf
/snap/core/9804/etc/ssl/openssl.cnf
/snap/core/9804/usr/lib/ssl/openssl.cnf
/snap/core/9993/etc/ssl/openssl.cnf
/snap/core/9993/usr/lib/ssl/openssl.cnf
/snap/core18/1880/etc/ssl/openssl.cnf
/snap/core18/1880/usr/lib/ssl/openssl.cnf
/snap/core18/1885/etc/ssl/openssl.cnf
/snap/core18/1885/usr/lib/ssl/openssl.cnf

munakata@mvc:/etc/ssl/officialCL$ sudo diff /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf
munakata@mvc: （空白 = 差分なし）

• なので /etc/ssl/opessl.cnf &ref(): File not found: "openssl.cnf" at page "HomeServer25B"; をマスター雛形とする

作業ディレクトリー = /etc/ssl/unoffical_for_CL とする†

自己認証局の再作成†

• 設定ファイルの編集
  • /etc/ssl/openssl.cnf をコピーして openssl-privateCA.cnf にリネーム
  • openssl-privateCA.cnf の編集（3箇所）
  • 作業ディレクトリー下に demoCA ディレクトリーを作成（openssl.cnf に合わせる）

    munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA

  • 作業経過

    munakata@mvc:/etc/ssl/unofficial_for_CL$ diff openssl-privateCA.cnf ../openssl.cnf
    73c73
    < default_days	= 3650			# how long to certify for
    ---
    > default_days	= 365			# how long to certify for
    170c170
    < basicConstraints=CA:TRUE
    ---
    > basicConstraints=CA:FALSE
    177d176
    < nsCertType			= sslCA,emailCA
    190d188
    < keyUsage = cRLSign,keyCertSign

• 自己認証局の秘密鍵 (private_ca.key) を作成
  • パスフレーズは magumaguking
  • genrsa は -config の指定を受け付けないので参考手順から削除

    munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl genrsa -des3 -out ./private_ca.key 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ...+++++
    ...............+++++
    e is 65537 (0x010001)
    Enter pass phrase for ./private_ca.key: <-------------------- magumaguking
    Verifying - Enter pass phrase for ./private_ca.key:

• 自己認証局の証明書 (privateCA.crt) を作成
  • sudo の単純実行ではエラーになるので sudo sh -c "コマンド" 形式で実行 する（変更点）

    munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "openssl req -new -x509 -days 3650 -sha256 -key ./private_ca.key -out ./private_ca.crt -config openssl-privateCA.cnf"
    Enter pass phrase for ./private_ca.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:JP
    State or Province Name (full name) [Some-State]:Kanagawa
    Locality Name (eg, city) []:Yokohama
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
    Organizational Unit Name (eg, section) []:Admin
    Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com
    Email Address []:admin@hmuna.com

クライアント証明書の作成†

• 設定ファイルの編集

  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../openssl.cnf openssl-client.cnf
  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo vi openssl-client.cnf 
  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo diff ../openssl.cnf ./openssl-client.cnf
  73c73
  < default_days	= 365			# how long to certify for
  ---
  > default_days	= 3650			# how long to certify for
  185c185
  < # nsCertType = client, email, objsign
  ---
  > nsCertType = client, email, objsign

• demoCA の下にサブディレクトリを作成
  • openssl-client.cnf の中で指定されているサブディレクトリを作成（しないとエラーになるので）
  • 定義されているサブディレクトリー

    munakata@mvc:/etc/ssl/unofficial_for_CL$ grep \$dir openssl-client.cnf
    certs		= $dir/certs		# Where the issued certs are kept
    crl_dir		= $dir/crl		# Where the issued crl are kept
    database	= $dir/index.txt	# database index file.
    new_certs_dir	= $dir/newcerts		# default place for new certs.
    certificate	= $dir/cacert.pem 	# The CA certificate
    serial		= $dir/serial 		# The current serial number
    crlnumber	= $dir/crlnumber	# the current crl number
    crl		= $dir/crl.pem 		# The current CRL
    private_key	= $dir/private/cakey.pem# The private key
    RANDFILE	= $dir/private/.rand	# private random number file
    serial		= $dir/tsaserial	# The current serial number (mandatory)
    signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
    certs		= $dir/cacert.pem	# Certificate chain to include in reply
    signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)

• サブディレクトリーの作成

  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/certs
  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/crl
  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/newcerts
  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/private
  
  munakata@mvc:/etc/ssl/unofficial_for_CL$ ls -la demoCA/
  合計 24
  drwxr-xr-x 6 root root 4096 10月  8 13:26 .
  drwxr-xr-x 3 root root 4096 10月  8 13:08 ..
  drwxr-xr-x 2 root root 4096 10月  8 13:25 certs
  drwxr-xr-x 2 root root 4096 10月  8 13:25 crl
  drwxr-xr-x 2 root root 4096 10月  8 13:26 newcerts
  drwxr-xr-x 2 root root 4096 10月  8 13:26 private

• その他ファイルが無いとエラーになるファイルを配置する

  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo touch ./demoCA/index.txt
  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "echo '1000' > ./demoCA/serial"
  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../officialCL/index.txt.attr  <------- これはずるい。前回出来たファイルを活用
  
  munakata@mvc:/etc/ssl/unofficial_for_CL$ cat ../officialCL/index.txt.attr 
  unique_subject = yes

• クラアイント証明書の csr (署名リクエスト) 作成
  • パスフレーズは magu77mocha に変更（短縮）した

    munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl req -new -config ./openssl-client.cnf -sha256 -keyout client.key -out client.csr
    Generating a RSA private key
    ..........................+++++
    ....................................+++++
    writing new private key to 'client.key'
    Enter PEM pass phrase:  <----------- magu77mocha
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:JP
    State or Province Name (full name) [Some-State]:Kanagawa
    Locality Name (eg, city) []:Yokohama
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT
    Organizational Unit Name (eg, section) []:Admin
    Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com
    Email Address []:admin@hmuna.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

• 認証局に署名をもらいクライアント証明書を作成

  munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "openssl ca -config ./openssl-client.cnf -md sha256 -cert ./private_ca.crt -keyfile ./private_ca.key -out client.crt -infiles client.csr"
  Using configuration from ./openssl-client.cnf
  Enter pass phrase for ./private_ca.key:  <---------- magumaguking
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number: 4096 (0x1000)
          Validity
              Not Before: Oct  8 04:31:24 2020 GMT
              Not After : Oct  6 04:31:24 2030 GMT
          Subject:
              countryName               = JP
              stateOrProvinceName       = Kanagawa
              organizationName          = IT
              organizationalUnitName    = Admin
              commonName                = kgb.hmuna.com
              emailAddress              = admin@hmuna.com
          X509v3 extensions:
              X509v3 Basic Constraints: 
                  CA:FALSE
              Netscape Cert Type: 
                  SSL Client, S/MIME, Object Signing
              Netscape Comment: 
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier: 
                  70:10:87:5E:93:8B:42:77:BD:FE:B2:CB:B1:2E:A4:54:78:BC:ED:0A
              X509v3 Authority Key Identifier: 
                  keyid:DC:46:2F:B4:1C:52:B9:F8:C2:E9:4A:F6:A6:8B:F0:53:B8:E8:C3:C2 
  
  Certificate is to be certified until Oct  6 04:31:24 2030 GMT (3650 days)
  Sign the certificate? [y/n]:y
   
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated

• 端末にインストールするための pkcs12 形式のクライアント証明書を作成
  • インストールパスワードは nanamochahiko

    munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl pkcs12 -export -in client.crt -inkey client.key -out hmuna_kgb.p12
    Enter pass phrase for client.key:  <-------- magu77mocha
    Enter Export Password:  <----------- nanamochahiko
    Verifying - Enter Export Password:                                    

作業完了時点のファイルの配置†

• CL.tgz

  munakata@mvc:/etc/ssl/unofficial_for_CL$ tree
  .
  ├── client.crt  <-------- クライアント証明書の証明書
  ├── client.csr  <-------- クラアイント証明書の署名リクエスト
  ├── client.key  <-------- クラアイント証明書の秘密鍵
  ├── demoCA
  │   ├── certs
  │   ├── crl
  │   ├── index.txt
  │   ├── index.txt.attr
  │   ├── index.txt.attr.old
  │   ├── index.txt.old
  │   ├── newcerts
  │   │   └── 1000.pem
  │   ├── private
  │   ├── serial
  │   └── serial.old
  ├── hmuna_kgb.p12　<--------- クライアント証明書配布ファイル
  ├── openssl-client.cnf　<----- openssl 設定ファイル（自己認証局）
  ├── openssl-privateCA.cnf <--- openssl 設定ファイル（クライアント証明書）
  ├── private_ca.crt  <-------- 自己認証局の証明書
  └── private_ca.key  <-------- 自己認証局の秘密鍵
  
  5 directories, 15 files

配布用クライアント証明書†

• &ref(): File not found: "hmuna_kgb.p12" at page "HomeServer25B";
  • パスワード = nanamochahiko

それでもクライアント証明書によるログインが出来ない。　が、状況は変化しているかも†

• 証明書自体は正しく評価され leaving socache_shmcb_store successfully となっている
• しかし require valid-user 条件が満たせずログインパスワードを要求してきているようだ
• クライアント証明書で認証する条件をどう書く？
  • &ref(): File not found: "debug_20201008_001.txt" at page "HomeServer25B";

    1: [pid 29512]           [client 118.238.235.109:59972] AH01964: Connection to child 3 established (server kgb.hmuna.com:443)
    2: [pid 29514]           [client 118.238.235.109:59970] AH01964: Connection to child 2 established (server kgb.hmuna.com:443)
    3: [ssl:debug]           [pid 29514] ssl_engine_kernel.c(2317): [client 118.238.235.109:59970] AH02043: SSL virtual host for servername kgb.hmuna.com found
    4: [ssl:debug]           [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found
    5: [ssl:debug]           [pid 29514] ssl_engine_kernel.c(2317): [client 118.238.235.109:59970] AH02043: SSL virtual host for servername kgb.hmuna.com found
    6: [ssl:debug]           [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found
    7: [core:debug]          [pid 29514] protocol.c(2257):          [client 118.238.235.109:59970] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com
    8: [core:debug]          [pid 29512] protocol.c(2257):          [client 118.238.235.109:59972] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com
    9: [ssl:debug]           [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    10:[ssl:debug]           [pid 29512] ssl_engine_kernel.c(383):  [client 118.238.235.109:59972] AH02034: Initial (No.1) HTTPS request received for child 3 (server kgb.hmuna.com:443)
    11:[ssl:debug]           [pid 29514] ssl_engine_kernel.c(2233): [client 118.238.235.109:59970] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    12:[ssl:debug]           [pid 29512] ssl_engine_kernel.c(746):  [client 118.238.235.109:59972] AH02255: Changed client verification type will force renegotiation
    13:[ssl:info]            [pid 29512]                            [client 118.238.235.109:59972] AH02221: Requesting connection re-negotiation
    14:[ssl:debug]           [pid 29512] ssl_engine_kernel.c(977):  [client 118.238.235.109:59972] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
    15:[ssl:debug]           [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    16:[ssl:info]            [pid 29512]                            [client 118.238.235.109:59972] AH02226: Awaiting re-negotiation handshake
    17:[ssl:debug]           [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found
    18:[ssl:debug]           [pid 29512] ssl_engine_kernel.c(1751): [client 118.238.235.109:59972] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 5D71917FDAEE249332210B35B4C0343E520A2DFD / notbefore: Oct  8 03:27:31 2020 GMT / notafter: Oct  6 03:27:31 2030 GMT]
    19:[ssl:debug]           [pid 29512] ssl_engine_kernel.c(1751): [client 118.238.235.109:59972] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct  8 04:31:24 2020 GMT / notafter: Oct  6 04:31:24 2030 GMT]
    20:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x7b -> subcache 27)
    21:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
    22:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1221
    23:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(516): AH00834: &color(red){leaving socache_shmcb_store successfully};
    24:[ssl:debug]           [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    25:[authz_core:debug]    [pid 29512] mod_authz_core.c(809):     [client 118.238.235.109:59972] AH01626: authorization result of Require ip 172.0.0.1: denied
    26:[authz_core:debug]    [pid 29512] mod_authz_core.c(809):     [client 118.238.235.109:59972] AH01626: authorization result of Require ip 192.168.1: denied
    27:[authz_core:debug]    [pid 29512] mod_authz_core.c(809):     [client 118.238.235.109:59972] AH01626: authorization result of Require not env force_drop: neutral
    28:[authz_core:debug]    [pid 29512] mod_authz_core.c(809):     [client 118.238.235.109:59972] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    29:[authz_core:debug]    [pid 29512] mod_authz_core.c(809):     [client 118.238.235.109:59972] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)

成功†

Apache2 デレクティブ Require ssl-verify-client†

• 上記ログでクライアント証明書はパスしているが valid-user 条件を満たさないという理由でログインが却下されていた
• Apache2 directive を再確認したところ Require ssl-verify-client を見つけた
• &ref(): File not found: "verifyCL.jpg" at page "HomeServer25B";

成功時のログ :†

• authorization result of Require ssl-verify-client : granted
• authorization result of <RequireAny>: granted
• &ref(): File not found: "cl_pass.txt" at page "HomeServer25B";

  1  [ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [client 118.238.235.109:40846] AH02043: SSL virtual host for servername kgb.hmuna.com found
  2  [ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [client 118.238.235.109:40846] AH02043: SSL virtual host for servername kgb.hmuna.com found
  3  [core:debug] [pid 19595] protocol.c(2257): [client 118.238.235.109:40846] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com
  4  [ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [client 118.238.235.109:40846] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 5D71917FDAEE249332210B35B4C0343E520A2DFD / notbefore: Oct  8 03:27:31 2020 GMT / notafter: Oct  6 03:27:31 2030 GMT]
  5  [ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [client 118.238.235.109:40846] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct  8 04:31:24 2020 GMT / notafter: Oct  6 04:31:24 2030 GMT]
  6  [ssl:debug] [pid 19595] ssl_engine_kernel.c(2233): [client 118.238.235.109:40846] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  7  [ssl:debug] [pid 19595] ssl_engine_kernel.c(383): [client 118.238.235.109:40846] AH02034: Initial (No.1) HTTPS request received for child 2 (server kgb.hmuna.com:443)
  8  [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied
  9  [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied
  10 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted
  11 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted
  12 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied
  13 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied
  14 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted
  15 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted
  16 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied
  17 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied
  18 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted
  19 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted
  20 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied
  21 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied
  22 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted
  23 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted
  24 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied
  25 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied
  26 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted
  27 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 

Apache2 設定ファイル†

• &ref(): File not found: "kgb.hmuna.com.conf" at page "HomeServer25B";
• クライアント認証関連部分抽出

  #-------------------------------------------------------------------------------
  #            kgb.hmuna.com (SSL)
  #-------------------------------------------------------------------------------
  <VirtualHost *:443>
  	ServerName kgb.hmuna.com
  	ServerAdmin server-admin@hmuna.com
  	DocumentRoot /mnt/raid_vol/html/pukiwiki
  
  	# クライアント証明書
  	SSLCACertificateFile   /etc/ssl/unofficial_for_CL/private_ca.crt
  	SSLVerifyDepth         1
  	SSLVerifyClient        optional
  
  	<Directory /mnt/raid_vol/html/pukiwiki>
  		<RequireAny>
  			# ローカルネットからはパスワードなしアクセスを許可
  			Require ip 172.0.0.1
  			Require ip 192.168.1
  
  			# クライアント証明書が確認できた場合にはアクセス許可
  			Require ssl-verify-client
  
  			# それ以外は Google Authentificator を利用
  			<RequireAll>
  				Require not env force_drop
  				AuthType Basic
  				AuthName "Enter OTP password"
  				AuthBasicProvider OTP
  				Require valid-user
  				OTPAuthUsersFile /mnt/raid_vol/html/otp/users
  				OTPAuthMaxLinger 3600
  				OTPAuthMaxOTPFailure 200
  				OTPAuthLogoutOnIPChange On
  				OTPAuthPINAuthProvider file
  			</RequireAll>
  		</RequireAny>
  	</Directory>

     

Site admin: munakata

PukiWiki 1.5.4 © 2001-2022 PukiWiki Development Team. Powered by PHP 8.3.6. HTML convert time: 0.005 sec.