To use certificate-based authentication for your client, first set up a generic Apache depot server configuration as described in Apache Configuration for the depot server. Then add the following to the end of your httpd.conf file:
# Let Apache listen on the standard HTTPS port
Listen 443

# VirtualHost configuration for requests on port 443
<VirtualHost 0.0.0.0:443>
    # DNS domain name of the server, needs to match your server certificate
    ServerName pkg-sec.example.com

    # enable SSL
    SSLEngine On

    # Location of the server certificate and key.
    # You either have to get one from a certificate signing authority like
    # VeriSign or create your own CA for testing purposes (see "Creating a
    # Self-Signed CA for Testing Purposes")
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Intermediate CA certificate file. Required if your server certificate
    # is not signed by a top-level CA directly but by an intermediate authority.
    # Comment out this section if you are using a test certificate or your
    # server certificate doesn't require it.
    # For more info:
    # http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
    SSLCertificateChainFile /path/to/ca_intermediate.pem

    # CA certs for client verification.
    # This is where the CA certificate created in step 3 needs to go.
    # If you have multiple CAs for multiple repos, just concatenate the
    # CA certificate files.
    SSLCACertificateFile /path/to/ca_cert.pem

    # If the client presents a certificate, verify it here. If it doesn't,
    # ignore.
    # This is required to be able to use client-certificate based and
    # anonymous SSL traffic on the same VirtualHost.
    # This statement could also go into the <Location> tags but putting it
    # here avoids re-negotiation, which can cause security issues with older
    # servers/clients:
    # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
    SSLVerifyClient optional

    <Location /repo>
        SSLVerifyDepth 1

        # This is the SSL requirement for this location.
        # Requirements can be made based on various information encoded
        # in the certificate. Two variants are the most useful for use
        # with IPS repositories:
        # a) SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/reponame/ )
        #    only allow access if the issuer CN of the client certificate
        #    matches "reponame", useful for different certificates for
        #    different repos
        #
        # b) SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
        #    grant access if the client's certificate is signed by one of the
        #    CAs specified in SSLCACertificateFile
        SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )

        # proxy requests to the depot running at internal.example.com:12345
        ProxyPass http://internal.example.com:12345 nocanon max=500
    </Location>
</VirtualHost>
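The two SSLRequire variants from the comments above can be checked offline before touching the live server. The script below is an added example, not part of the IPS documentation or of Apache: it builds a throwaway CA and client certificate with openssl in a temporary directory and reproduces what mod_ssl exposes as SSL_CLIENT_VERIFY (variant b) and SSL_CLIENT_I_DN_CN (variant a). All file names and CN values are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the IPS documentation or Apache): emulate the two
# SSLRequire variants with openssl against a throwaway CA and client
# certificate. Every file name and CN below is constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a test CA (issuer CN "reponame", as in variant a), a client
# certificate signed by it, and an unrelated self-signed certificate that
# the server's SSLCACertificateFile would not trust.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=reponame" \
    -keyout "$WORK/ca.key" -out "$WORK/ca_cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca_cert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/client.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Variant b): what mod_ssl puts in SSL_CLIENT_VERIFY. The chain of $1 must
# end at a CA listed in the CA bundle $2; prints SUCCESS or FAILED.
client_verify() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo SUCCESS
  else
    echo FAILED
  fi
}

# Variant a): the issuer CN (SSL_CLIENT_I_DN_CN) of certificate $1.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Variant a) as a predicate: does the issuer CN match the repo name regex $2?
issuer_matches() {
  issuer_cn "$1" | grep -q -- "$2"
}

make_test_pki
echo "client.crt SSL_CLIENT_VERIFY=$(client_verify "$WORK/client.crt" "$WORK/ca_cert.pem") issuer_cn=$(issuer_cn "$WORK/client.crt")"
echo "rogue.crt  SSL_CLIENT_VERIFY=$(client_verify "$WORK/rogue.crt" "$WORK/ca_cert.pem") issuer_cn=$(issuer_cn "$WORK/rogue.crt")"
```

The rogue certificate fails variant b) even though it is a syntactically valid client certificate, which is exactly why the page's default picks SSL_CLIENT_VERIFY over a CN match alone.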