
Apache 2.4 403 errors on SSL-Auth vhost


I've worked with Apache 2.2 for ages, and this is the first time I'm using 2.4, which is giving me a headache.

My boss asked me to set up an SSL Auth system using our internal CA. Now the problem here is, the vhosts and auth mechanism seem to work, but all URLs within the SSL Auth vhost return 403 errors. Now I've made sure to add a 'Require all granted' directive to the vhost, and the Apache logs aren't throwing any permission errors. So I'm out of my league here.

Maybe someone can see the part I'm missing :)? Configs below (running Apache 2.4 on CentOS 7, SELinux disabled for testing purposes):

conf.d/vhost.conf

<Directory "/var/www/auth.internal.corp">
        Order allow,deny
        Allow from all
        Require all granted
</Directory>


<VirtualHost *:443>
        DocumentRoot                    "/var/www/auth.internal.corp"
        ServerAdmin                     [email protected]
        SSLCACertificateFile            /etc/pki/CA/cacert.pem
        SSLCertificateFile              ssl/auth.internal.corp.crt.pem
        SSLCertificateKeyFile           ssl/auth.internal.corp.key.pem
        SSLCARevocationCheck            chain
        SSLCARevocationFile             /etc/pki/CA/crl/crl.pem
        SSLEngine                       on
        SSLStrictSNIVHostCheck          on
        SSLVerifyClient                 require
        SSLVerifyDepth                  5
        ServerName                      auth.internal.corp
        RewriteEngine                   on
        RewriteCond                     %{REMOTE_ADDR} !^127\.0\.0\.1$
        RewriteCond                     ${HTTPS} !=on
        RewriteRule                     . - [F]
        ErrorLog                        logs/auth.error.log
        CustomLog                       logs/auth.access.log common

        <Directory "/var/www/auth.internal.corp/protected">
                Require                 ssl
                Require                 ssl-verify-client
                SSLRequireSSL
                SSLOptions              +FakeBasicAuth +StrictRequire
                SSLRequire              %{SSL_CIPHER_USEKEYSIZE} >= 256
                SSLRequire              %{SSL_CLIENT_S_DN_O} eq "Internal Corp CA" \
                                    and %{SSL_CLIENT_S_DN_OU} eq "Corporate Certification Authority" \
                                    and %{SSL_CLIENT_S_DN_CN} in {"John Doe", "Jane Doe"}
                SSLRenegBufferSize      131072
        </Directory>
</VirtualHost>

/conf/httpd.conf

ServerRoot "/etc/httpd"
Listen 80
Listen 443 https
Include conf.modules.d/*.conf
User apache
Group apache
<Directory />
    AllowOverride none
    Require all denied
</Directory>

<Directory "/var/www">
    AllowOverride None
    Order allow,deny
    Allow from all
    # Allow open access:
    Require all granted
</Directory>

<Directory "/var/www/auth.internal.corp">
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>

<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
IncludeOptional conf.d/*.conf

Solution

  • Found the solution. It was a typo in the Rewrite rule.

        RewriteCond                     ${HTTPS} !=on

    should have been

        RewriteCond                     %{HTTPS} !=on
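Why that one character matters, and a check for it (this is an added example, not part of the question or the answer above): in mod_rewrite, `%{NAME}` expands a server variable, while `${...}` is the RewriteMap lookup syntax and expects `${mapname:key}`. `${HTTPS}` names no map and no key, so whatever it expands to it is never the string `on`, `!=on` is always true, and together with the first condition every non-loopback request hits `RewriteRule . - [F]` and is answered with 403 by mod_rewrite before any `Require` directive is consulted, which is consistent with the error log showing no permission denials. The script below lints a config for `${NAME}` references without a map name and key inside `RewriteCond`/`RewriteRule` lines and rewrites them to `%{NAME}`; it leaves real map lookups alone. The sample config is constructed from the question's rewrite lines plus one valid `RewriteMap` lookup, and the function names are mine.

```python
import re

# Constructed sample: the RewriteCond/RewriteRule lines from the question's vhost,
# plus one *valid* RewriteMap lookup (${map:key}) to show the linter leaves it alone.
SAMPLE_CONF = r"""
RewriteEngine   on
RewriteCond     %{REMOTE_ADDR} !^127\.0\.0\.1$
RewriteCond     ${HTTPS} !=on
RewriteRule     . - [F]
RewriteMap      lc int:tolower
RewriteCond     ${lc:%{REQUEST_URI}} ^/protected/
"""

# ${NAME} with no "map:key" colon is not a RewriteMap lookup; it is almost always a
# mistyped server-variable reference that should read %{NAME}.
BAD_MAP_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
DIRECTIVES = ("RewriteCond", "RewriteRule")


def _rewrite_directive(line):
    """Return the directive name if this is a RewriteCond/RewriteRule line, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    directive = stripped.split(None, 1)[0]
    return directive if directive in DIRECTIVES else None


def find_bad_map_refs(conf_text):
    """Return one finding per mistyped ${NAME} on a RewriteCond/RewriteRule line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        directive = _rewrite_directive(raw)
        if directive is None:
            continue
        for m in BAD_MAP_REF.finditer(raw):
            findings.append({
                "line": lineno,
                "directive": directive,
                "found": m.group(0),
                "suggest": "%{" + m.group(1) + "}",
            })
    return findings


def fix_map_refs(conf_text):
    """Rewrite every mistyped ${NAME} on a Rewrite* line to %{NAME}; other lines untouched."""
    fixed = []
    for raw in conf_text.splitlines():
        if _rewrite_directive(raw) is not None:
            raw = BAD_MAP_REF.sub(lambda m: "%{" + m.group(1) + "}", raw)
        fixed.append(raw)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for f in find_bad_map_refs(SAMPLE_CONF):
        print(f"line {f['line']}: {f['directive']} uses {f['found']}; did you mean {f['suggest']}?")
    print(fix_map_refs(SAMPLE_CONF))
```

Run it against the real vhost file by reading the file into `find_bad_map_refs`; after applying the fix, still run `apachectl configtest` and then request a URL from a non-loopback client over HTTPS with a client certificate, since this check only catches the `${...}` versus `%{...}` mistake, not other reasons a rewrite rule might return `[F]`.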