httpd-users mailing list archives

From Tom Browder <tom.brow...@gmail.com>
Subject Re: [users@httpd] SSL Client Certificates and CGI
Date Mon, 01 Oct 2012 13:17:21 GMT
On Mon, Oct 1, 2012 at 7:54 AM, Mark Montague <mark@catseye.org> wrote:
>> On Sun, Sep 30, 2012 at 7:44 PM, Mark Montague <mark@catseye.org> wrote:
>>> On September 30, 2012 19:45 , Tom Browder <tom.browder@gmail.com> wrote:
>>>>
>>>> Does anyone have a pointer to help on restricting a directory to
>>>> access only with valid SSL Client Certificates and how to work CGI
>>>> scripts to respect that restriction?
...
> My assumption was that you wanted to allow the CGI to be invoked for
> requests from web browsers that did not present client certificates, but
> then wanted to restrict what the CGI could do.
> But if you have SSL related environment variables set, then this means that
> a client certificate was presented.  Instead of changing the CGI to check
> for this, why not change the web server configuration to require the
> certificate in all cases? ("SSLVerifyClient require").  Then the SSL
> environment variables will always be set, and the CGI will never have to
> check them.

Mark, what I have is an SSL only site but with most of it publicly accessible.

I do want to check SSL envvars regardless so I've found I have to use
this directive in the general server context OUTSIDE the restricted
directory:

  SSLVerifyClient optional

Inside the restricted area I have:

  SSLVerifyClient require

The reason I do that is to log access by my clients even though they
don't attempt to enter the restricted area.

I have found that the configuration doesn't restrict CGI programs at
all as I have them placed, but I suspect (but haven't tested) that
they wouldn't work if placed inside the restricted area without the
user having a valid SSL client certificate.

Thanks for your attention to this area which is critical to me for my
site concept.

Best,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
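
Added example, not part of the original message or of the httpd project: a CGI script that enforces the client-certificate requirement itself when it sits in an area covered only by "SSLVerifyClient optional", by checking the variables mod_ssl exports. It assumes "SSLOptions +StdEnvVars" is enabled for the script's directory; the function names and sample environments are constructed for illustration.

```python
#!/usr/bin/env python3
"""CGI gate on mod_ssl client-certificate variables (added example)."""
import os
import sys

# Assumption: the enclosing <Directory>/<Location> sets "SSLOptions +StdEnvVars";
# without it mod_ssl does not export the SSL_* variables to CGI scripts.

# Constructed sample environments (not taken from a real server).
SAMPLE_ANON = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "NONE"}
SAMPLE_CERT = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example,C=US",
}


def client_cert_identity(environ):
    """Return the verified subject DN, or None if no verified client cert."""
    if environ.get("HTTPS", "").lower() != "on":
        return None
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    # Only SUCCESS means the certificate chain validated against the trusted CAs.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = environ.get("SSL_CLIENT_S_DN", "").strip()
    return dn or None


def respond(environ):
    """Return (status, body): fail closed unless a verified identity exists."""
    dn = client_cert_identity(environ)
    if dn is None:
        return ("403 Forbidden", "A valid client certificate is required.\n")
    return ("200 OK", "Hello, %s\n" % dn)


def main():
    status, body = respond(os.environ)
    sys.stdout.write(
        "Status: %s\r\nContent-Type: text/plain\r\n\r\n%s" % (status, body)
    )


if __name__ == "__main__":
    main()
```

The check fails closed: a missing variable (for example because StdEnvVars is not enabled) is treated the same as no certificate.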