I'd like to serve the same website with a different TLS certificate for different ranges of source IP addresses. For instance, on one block, I expect users to connect with browsers where a company's local CA is installed in the client's root trust store. On another block, there will be another group of users who don't have that local CA, so I'd like to present a self-signed cert or one signed by their company's CA. On yet another block will be an M2M connection where a simple self-signed cert is all that's needed.

I've read about using ssl_multicert.config in Apache Traffic Server, or using Server Name Indication (SNI), but those all deal with the destination IP (server), not the source IP (client).

I know I could run Apache on a separate port for each certificate and then play with the REDIRECT jump target in iptables. I'm looking for a clean way to do this using just Apache (2.4) configuration options. Anyone know?

  • Related: serverfault.com/questions/296617/…
    – Bob
    Commented Mar 2, 2017 at 22:50
  • What you describe seems like it would be breaking the basic principles of HTTPS, where a certificate which is signed by a trusted root CA indicates that the connection being made is actually to who they have the certificate for. There is a reason even load balancers work the way they do
    – Ramhound
    Commented Mar 2, 2017 at 23:23
  • @bob, very appropriate related question. Search as I tried, I could not find that one. Since I would not be changing docroots or anything, only specifying a different certificate, I may just need to put the SSLCertificateFile and SSLCertificateKeyFile directives within If, ElseIf, and Else blocks. If someone beats me to testing this and posts the answer if it works, they get the green checkmark!
    – petiepooo
    Commented Mar 2, 2017 at 23:23
  • With SNI turned on you can serve multiple domains from the same IP and the same port with different SSL certificates
    – Alex
    Commented Mar 2, 2017 at 23:26
  • @Ramhound, I would agree with you if we were talking about true CAs and internet IPs/FQDNs. In my case, I'm talking about internal networks with invalid FQDNs on a host that has more than one interface with different RFC1918 IPs. My company's internal CA has no validity within the other network, and vice versa. And the M2M clients have neither of those local root CAs installed.
    – petiepooo
    Commented Mar 2, 2017 at 23:31

1 Answer

If you use an SNI-aware web server, then you can implement the following logic on the same web server, utilizing a single IP address for the HTTP server with different SSL certificates for each user group based on their IP address.

Users will be routed to a particular web server based on their IP address with the help of HAproxy

(diagram: HAproxy2apache)
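One way to wire up the routing the answer describes, as an added example rather than the answerer's own configuration: HAProxy passes TLS through untouched in TCP mode and chooses a backend by source address, and each backend is a localhost Apache virtual host carrying its own certificate. The address ranges, ports and certificate file names below are assumptions.

```haproxy
# /etc/haproxy/haproxy.cfg (constructed example; adjust ranges and ports)
global
    log /dev/log local0

defaults
    log     global
    mode    tcp                # pass TLS through untouched; Apache terminates it
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend https_in
    bind *:443
    # Hypothetical address blocks; replace with the real RFC1918 ranges.
    acl from_corp_a  src 10.10.0.0/16        # users trusting company A's internal CA
    acl from_corp_b  src 192.168.50.0/24     # users trusting company B's CA
    acl from_m2m     src 172.16.99.0/24      # machine clients, self-signed is fine
    use_backend apache_corp_a if from_corp_a
    use_backend apache_corp_b if from_corp_b
    use_backend apache_m2m    if from_m2m
    default_backend apache_m2m               # anything else gets the self-signed cert

# Each backend is a separate Apache <VirtualHost> bound to localhost with its own
# SSLCertificateFile / SSLCertificateKeyFile, e.g.
#   <VirtualHost 127.0.0.1:8443>  SSLEngine on  SSLCertificateFile corp-a.crt ...
#   <VirtualHost 127.0.0.1:8444>  SSLEngine on  SSLCertificateFile corp-b.crt ...
#   <VirtualHost 127.0.0.1:8445>  SSLEngine on  SSLCertificateFile selfsigned.crt ...
# send-proxy forwards the original client address via the PROXY protocol, so
# Apache logs and any Require ip rules see the real source IP instead of
# 127.0.0.1 (Apache side: mod_remoteip with "RemoteIPProxyProtocol On" on these
# listeners, available from 2.4.31).
backend apache_corp_a
    server a1 127.0.0.1:8443 send-proxy

backend apache_corp_b
    server b1 127.0.0.1:8444 send-proxy

backend apache_m2m
    server m1 127.0.0.1:8445 send-proxy
```

Because the ACLs key on the address HAProxy sees, clients arriving through NAT or another proxy are classified by that intermediate address, so the ranges must describe what actually reaches port 443.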
