
lighttpd configuration - does lighttpd authenticate with an address, e.g. subjectAltNames=IP:192.168.1.20?


The following is a test setting to check if lighttpd will authenticate based on an IP address when it is included in certificate subjectAltNames, e.g.

subjectAltNames=IP:192.168.1.20

Config:

$HTTP["host"] == "192.168.1.20" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/Pihole-Home-Lan/private/Pihole-Home-Lan.key-crt.pem"
#    ssl.ca-file =  "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Pihole-Home-Lan-fullchain.pem"
    ssl.ca-file =  "/etc/lighttpd/ssl/Pihole-Home-Lan/public/Home-Lan.crt.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    # client side authentication
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    ssl.verifyclient.depth = "10"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
##    ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Line from /var/log/lighttpd/access.log when accessing by raw address 192.168.1.20:

1551209819|192.168.1.20|GET / HTTP/1.1|401|351

The browser shows 401 Not authorized. Is it failing SSL or is there another problem?


Solution

  • $SERVER["socket"] == ":443" { ... } (or $SERVER["socket"] == "192.168.1.20:443" { ... }) belongs at the top level in the config. It is a mistake to put $SERVER["socket"] inside other lighttpd config conditions, i.e. it is a mistake to put it inside $HTTP["host"] == "192.168.1.20" { ... }

    TLS is negotiated at the beginning of the socket connection, before the HTTP request is received over an encrypted TLS channel. Since the HTTP request Host header has not been received when TLS is negotiated, it is invalid to put $SERVER["socket"] inside any other condition, such as $HTTP["host"].