http://www.apache-ssl.org/#FAQ /usr/sbin/ssl-certificate --force ===================== create a test certificate openssl req -new > new.cert.csr --------------------- remove the passphrase from the key (optional): openssl rsa -in privkey.pem -out new.cert.key --------------------- convert request into signed cert: openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365 --------------------- Access Control The SSLRequireSSL directive enables you to force clients to access the server using SSL. The SSLRequire directive enables you to specify a set of rules that have to be met before the client is allowed access. SSLRequire syntax can be very complex, but itallows an incredible amount of flexibility. Listing 17.1 shows a sample configuration from the mod_ssl documentation that restricts access based on the client certificate and the network the request came from. Access will be granted if one of the following is met: * The SSL connection does not use an export (weak) cipher or a NULL cipher, the certificate has been issued by a particular CA and for a particular group, and the access takes place during workdays (Monday to Friday) and working hours (8:00 a.m. to 8:00 p.m.). * The client comes from an internal, trusted network. You can check the documentation for SSLRequire for a complete syntax reference. Listing 17.1 SSLRequire Example SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ Reverse Proxy with SSL Although at the time this book was written the SSL reverse proxy functionality was not included in mod_ssl for Apache 2.0, it is likely to be included in the future. That functionality enables you to encrypt the reverse proxy connection to backend servers and to perform client and server certificate authentication on that connection. The related directives are SSLProxyMachineCertificatePath, SSLProxyMachineCertificateFile, SSLProxyVerify, SSLProxyVerifyDepth, SSLProxyCACertificatePath, SSLProxyEngine, and SSLProxyCACertificateFile. Their syntax is similar to their regular counterparts. You can find more information about the Apache reverse proxy in Hour 15.