From Martin Kraemer <mar...@apache.org>
Subject Re: [PATCH] ssl_ext_lookup #2
Date Tue, 20 Sep 2005 15:32:32 GMT
On Tue, Sep 20, 2005 at 12:12:53PM +0100, Joe Orton wrote:
> > 
> > I haven't traced it: why is match_headers too early? 
> 
> match_headers is a header_parser hook, and header_parser hooks run 
> before auth hooks in request processing; per-dir SSL negotiation is an 
> auth hook.
> 
> [...]
> It has everything to do with mod_setenvif.  If this were e.g. a 
> mod_rewrite extension instead it would work correctly for per-dir rules 
> since mod_rewrite per-dir rules are processed in a fixup hook - *after* 
> the auth hooks.

Isn't that exactly what we wanted (and why it also works for me)?
  "header_parser hooks run before auth hooks processing"
So match_headers() gets called and sets the environment variable:

  SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
          "(committers|administrators)" \
          ThisUserHasAValidCert=$1

Later on, you can control access (in dir context, if desired) by

  allow from env=ThisUserHasAValidCert

Or, if you want to do it without the (IMHO more general) environment
method, use mod_ssl configuration only:

  SSLRequire "administrators"  in PeerExtList("1.3.6.1.4.1.18060.1") \
          || "committers"      in PeerExtList("1.3.6.1.4.1.18060.1")

and that can also be put into directory context and has been tested
to work.

   Martin
-- 
<Martin.Kraemer@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-48332 | 81730  Munich,  Germany
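The two approaches from the message above, written out as one complete virtual host so that the hook-ordering point Joe raises is visible in the configuration. This is an added example, not configuration from the thread or from the patch under review. The SetEnvIf/SSLRequire syntax is the one used in the message (the syntax that finally shipped may differ); the certificate and directory paths, the SSLVerifyClient settings and the SSLVerifyDepth value are assumptions, the OID 1.3.6.1.4.1.18060.1 and the group names are the placeholders from the message, and the SetEnvIf regex is anchored here, which the message's version is not.

```apache
# Added example: both access-control approaches from the message, side by side.
# The client certificate is requested at virtual-host level on purpose:
# SetEnvIf runs in the header_parser phase, which precedes the auth hooks
# in which a per-directory SSLVerifyClient would renegotiate, so a
# certificate first requested inside <Directory> is not yet available
# when SetEnvIf evaluates SSL_PeerExtList().
<VirtualHost *:443>
    SSLEngine on
    # Paths below are assumptions for the example.
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # Request (but do not yet require) a client certificate for the
    # whole host, so the extension is visible to mod_setenvif.
    SSLVerifyClient optional
    SSLVerifyDepth 2

    # Approach 1 (environment variable, as in the message): copy the
    # matching group name from the private extension into
    # ThisUserHasAValidCert via the $1 backreference. The regex is
    # anchored so that a longer value merely containing one of the
    # group names does not match.
    SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
             "^(committers|administrators)$" \
             ThisUserHasAValidCert=$1

    # Assumed directory; access is granted only when the variable is set.
    <Directory /var/www/private-env>
        Order deny,allow
        Deny from all
        Allow from env=ThisUserHasAValidCert
    </Directory>

    # Approach 2 (mod_ssl only, as in the message): SSLRequire is
    # evaluated in the auth phase, so it also works when the certificate
    # is first required per directory and mod_ssl renegotiates.
    <Directory /var/www/private-ssl>
        SSLVerifyClient require
        SSLRequire "administrators" in PeerExtList("1.3.6.1.4.1.18060.1") \
                || "committers"     in PeerExtList("1.3.6.1.4.1.18060.1")
    </Directory>
</VirtualHost>
```

With the certificate negotiated at host level, both directories behave the same for a certificate whose extension carries one of the two group names; if the host-level SSLVerifyClient line is removed, only the second directory keeps working, which is the difference between the header_parser and auth hook phases that the quoted reply describes.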
