| | 1 | = Using SSL Client Certificates to log into Trac = |
| | 2 | |
| | 3 | == Set up your SSL PKI == |
| | 4 | I will not explain in detail how to set up SSL for Apache. There are a lot of good step-by-step guides out there that can help you in this: |
| | 5 | * In my opinion the best guide is this one: http://www.securityfocus.com/infocus/1818 |
| | 6 | * The official apache mod_ssl documentation can be found here: http://httpd.apache.org/docs/2.2/ssl/ |
| | 7 | |
| | 8 | I'll assume that you have the following by now: |
| | 9 | * a certificate for your Trac web server |
| | 10 | * client certificates for your users (already installed in their browsers) |
| | 11 | |
| | 12 | == How to configure mod_ssl == |
| | 13 | Here are the most important apache directives. |
| | 14 | |
| | 15 | Server configuration (httpd.conf): |
| | 16 | <IfModule mod_ssl.c> |
| | 17 | ... |
| | 18 | SSLVerifyClient require |
| | 19 | SSLVerifyDepth 1 |
| | 20 | SSLCACertificateFile /your/root/certificate.pem |
| | 21 | ... |
| | 22 | </IfModule> |
| | 23 | |
| | 24 | Virtual host configuration: |
| | 25 | ... |
| | 26 | SSLEngine on |
| | 27 | |
| | 28 | <Location /trac> |
| | 29 | ... |
| | 30 | SSLRequireSSL |
| | 31 | ... |
| | 32 | </Location> |
| | 33 | |
| | 34 | <Location "/login"> |
| | 35 | # Rather than setting REMOTE_USER through basic authentication |
| | 36 | # we'll set it directly as the client's certificate's common name. |
| | 37 | SSLUserName SSL_CLIENT_S_DN_CN |
| | 38 | </Location> |
