httpd-users mailing list archives

From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] selectively disclaim on SSL client-auth for some directories
Date Wed, 04 Jan 2012 14:49:05 GMT
On Thu, Dec 29, 2011 at 2:23 PM, Christoph Anton Mitterer
<calestyo@scientia.net> wrote:
> Hi.
>
> I wondered whether the following is somehow possible (I guess it's not).
>
> I have an SSL vhost,... and I'd like to require SSL client cert
> authentication _per default_ ... but selectively being able to not
> demand it for some directories/files/locations.
>

It is possible, for a given definition of possible. The way to go
about it is to make client certificates optional, and then in areas
that are not for people without certificates make them only available
if the client certificates validated.

E.g. on my SSL vhosts protected by client certs, I want the page that
tells people to get lost if they don't have one to be viewable by
them:

    SSLVerifyClient optional

    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/errors

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </LocationMatch>

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
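
An added example, not part of the message above and not Apache project code: with `SSLVerifyClient optional`, clients without a certificate complete the TLS handshake, so the `SSLRequire` check is the only gate, and this Python script audits access-log lines against the `LocationMatch` pattern from the message. The log format (using mod_ssl's `%{SSL_CLIENT_VERIFY}x`), the function names and the sample lines are constructed assumptions.

```python
import re

# Pattern from the message: every path NOT under /errors/ needs a verified cert.
PROTECTED = re.compile(r"^(?!/errors/)")

# Assumed log format: LogFormat "%h %{SSL_CLIENT_VERIFY}x \"%r\" %>s"
LINE = re.compile(r'^(\S+) (.+?) "(\S+) (\S+) [^"]*" (\d{3})$')

def cert_required(path):
    """True when the LocationMatch block (and its SSLRequire) applies to path."""
    # %r logs the raw request target, so drop the query string and treat
    # anything with dot segments or percent-escapes as protected (conservative).
    path = path.split("?", 1)[0]
    if ".." in path or "%" in path:
        return True
    return PROTECTED.search(path) is not None

def audit(lines):
    """Return log lines served (status < 400) on a protected path without SUCCESS."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        _host, verify, _method, target, status = m.groups()
        if cert_required(target) and verify != "SUCCESS" and int(status) < 400:
            findings.append(line)
    return findings

# Constructed sample lines, not taken from a real server. The last two show
# what a gap in enforcement would look like in the log.
SAMPLE = [
    '203.0.113.7 NONE "GET /errors/certneeded.html HTTP/1.1" 200',
    '203.0.113.7 NONE "GET /admin/ HTTP/1.1" 403',
    '198.51.100.4 SUCCESS "GET /admin/ HTTP/1.1" 200',
    '203.0.113.9 NONE "GET /errors HTTP/1.1" 403',
    '203.0.113.9 NONE "GET /errorsold/x.html HTTP/1.1" 200',
    '203.0.113.9 GENEROUS "GET /reports/q4.pdf HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print("served without verified client cert:", hit)
```

Only `/errors/` with the trailing slash is exempt: `/errors` and `/errorsold/` still fall under the `SSLRequire` block, and any `SSL_CLIENT_VERIFY` value other than `SUCCESS` (`NONE`, `GENEROUS`, `FAILED:reason`) counts as unverified.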

