Setting up the apache fastcgi server to work with SSL

Added by Georgiy Gluhoedov over 9 years ago

Hi guys. Please tell me how to configure the server in order for it to work on the https protocol.

I ran the example auth-ssl and received a message:

Not an SSL session, or no client certificate available. Please read the readme file in examples/feature/client-ssl-auth for more info.

my fastcgi.conf

<IfModule mod_fastcgi.c>
  AddHandler fastcgi-script .fcgi .wt
  FastCgiIpcDir /var/lib/apache2/fastcgi
  FastCgiConfig -idle-timeout 100 -maxClassProcesses 1 -initial-env WT_APP_ROOT=/tmp
</IfModule>

my site.conf

<VirtualHost *:443>
    ServerName domen.ru
    ServerAlias www.domen.ru
    ServerAdmin feedback@domen.ru
    DocumentRoot /var/www/domen
    AddDefaultCharset utf-8
    DirectoryIndex index.wt index.html

    <Directory /var/www/gboost>
        AllowOverride All
        Allow from all
        Options ExecCGI
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLProtocol all -SSLv2

    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    <FilesMatch "\.(cgi|shtml|phtml|php|wt)$">
            SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
    </FilesMatch>

    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

Replies (3)

RE: Setting up the apache fastcgi server to work with SSL - Added by Wim Dumon over 9 years ago

Hello,

That's an example of SSL/TLS client authentication. I'm not an apache expert, but from a quick look I don't seem to be seeing anything client certification related there. What exactly do you want to accomplish? TLS/SSL encryption or user authentication?

Best regards,

Wim.

RE: Setting up the apache fastcgi server to work with SSL - Added by Georgiy Gluhoedov over 9 years ago

Thank you for your answer.

I need TLS/SSL encryption and user authentication.

RE: Setting up the apache fastcgi server to work with SSL - Added by Wim Dumon over 9 years ago

I really think that your apache configuration is lacking several options related to client certificates. Looking at http://www.garex.net/apache/#CFapache it seems to me that you'll then need to include settings such as:

SSLVerifyClient require
SSLVerifyDepth  2

and then some more options on the paths that you want to protect.

Note that in this use case, apache does the full TLS/SSL level authentication and access control. If this authentication is successful, apache will allow the connection and send the certificate of the authenticated user to Wt, so that you can further use information from the certificate to identify the user (and/or further restrict access based on field values in the certificate).

Without proper apache configuration this cannot work; please refer to apache's documentation to properly configure your web server. If your connection is properly authenticated, Wt should pick up the certificate.

BR,

Wim.
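
The client-certificate directives discussed in this thread, collected as an added example that is not part of the original posts or of the Wt project's own files. The CA file path is a hypothetical placeholder, and the `FilesMatch` pattern assumes the `.fcgi` and `.wt` handlers from the fastcgi.conf above.

```apache
# Added example: place these inside the existing <VirtualHost *:443> block,
# next to SSLCertificateFile / SSLCertificateKeyFile.

# CA certificate(s) that issued the client certificates.
# Hypothetical path: point it at the CA bundle you actually trust.
SSLCACertificateFile /etc/ssl/certs/client-ca.crt

# Demand a client certificate during the TLS handshake. With "require",
# a client that presents no certificate, or one that does not chain to
# the CA above, is rejected before the request reaches the application.
SSLVerifyClient require

# Accept chains of up to two CA certificates between the client
# certificate and the trusted CA.
SSLVerifyDepth  2

# Export the TLS state to the FastCGI application:
#   +StdEnvVars     sets SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and related variables
#   +ExportCertData sets SSL_CLIENT_CERT to the PEM-encoded client certificate
<FilesMatch "\.(fcgi|wt)$">
    SSLOptions +StdEnvVars +ExportCertData
</FilesMatch>

# Caveat: with "SSLVerifyClient optional" the request is served even when
# no certificate was presented. SSL_CLIENT_VERIFY is then "NONE", so the
# application must treat any value other than "SUCCESS" as unauthenticated.
```

After reloading apache, a request made without a client certificate should fail during the handshake, and a request made with a valid one should reach the application with `SSL_CLIENT_VERIFY` set to `SUCCESS`.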
