Edgewall Software

Using SSL Client Certificates to log into Trac

Set up your SSL PKI

I will not explain in detail how to set up SSL for Apache. There are a lot of good step-by-step guides out there that can help you in this:

I'll assume that you have the following by now:

  • a certificate for your Trac web server
  • client certificates for your users (already installed in their browsers)

How to configure mod_ssl

Here are the most important apache directives.

Server configuration (httpd.conf):

<IfModule mod_ssl.c>
...
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /your/root/certificate.pem
...
</IfModule>

Virtual host configuration:

<VirtualHost xxx.xxx.xxx.xxx:443>
  ...
  SSLEngine on
  ...

  <Directory />
    # We have to require SSL for the whole vhost to enforce
    # client certificate authentication.
    SSLRequireSSL
    ...
  </Directory>

  <Location /trac>
    # Here comes your trac CGI/FCGI/mod_python configuration
    ...
  </Location>

  <Location /login>
    # We do NOT use basic authentication here. Rather than setting REMOTE_USER
    # through apache's HTTP authentication mechanisms we'll set it directly as
    # the client certificate's common name.
    SSLUserName SSL_CLIENT_S_DN_CN
  </Location>

  ...
</VirtualHost>
Last modified 9 years ago Last modified on Sep 7, 2008, 6:52:22 AM
Note: See TracWiki for help on using the wiki.