httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <>
Subject Re: [users@httpd] selectively disclaim on SSL client-auth for some directories
Date Wed, 04 Jan 2012 14:49:05 GMT
On Thu, Dec 29, 2011 at 2:23 PM, Christoph Anton Mitterer
<> wrote:
> Hi.
> I wondered whether the following is somehow possible (I guess it's not).
> I have a SSL vhost,... and I'd like to require SSL client cert
> authentication _per default_ ... but selectively being able to not
> demand it for some directories/files/locations.

It is possible, for a given definition of possible. The way to go
about it is to make client certificates optional, and then in areas
that are not for people without certificates make them only available
if the client certificates validated.

Eg on my SSL vhosts protected by client certs, I want the page that
tells people to get lost if they don't have one to be viewable by

    SSLVerifyClient optional

    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/errors

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"



The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message