From: Tom Browder
Date: Mon, 1 Oct 2012 04:41:21 -0500
To: Mark Montague
Cc: users@httpd.apache.org
In-Reply-To: <5068E767.6030408@catseye.org>
Subject: Re: [users@httpd] SSL Client Certificates and CGI

On Sun, Sep 30, 2012 at 7:44 PM, Mark Montague wrote:
> On September 30, 2012 19:45 , Tom Browder wrote:
>>
>> Does anyone have a pointer to help on restricting a directory to
>> access only with valid SSL Client Certificates and how to work CGI
>> scripts to respect that restriction?
...
> So you are allowing requests for the CGI from any web browser, without a
> client certificate, but you then want to restrict what the CGI can do when
> it is running?
>
> A CGI won't "respect" web server configuration for what clients can access
> what content, because CGIs can't "see" web server configuration. The web
> server invokes the CGI, and the CGI can do whatever it wants to do from that
> point on. The only restrictions on a running CGI are those imposed by the
> operating system.

So, Mark, what about something like this:

+ if the cgi prog:
  - finds the appropriate SSL cert envvar to be defined
  - finds that envvar to satisfy appropriate criteria
+ then
  - run to normal completion
+ otherwise
  - return not authorized

Best,

-Tom
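
The check outlined in the message above, written out as a Python CGI script. This is an added example, not part of the original message: the allow-list and its CN values are constructed, and it assumes Apache mod_ssl exports its standard variables to the CGI (`SSLOptions +StdEnvVars`) with client verification enabled for the location.

```python
#!/usr/bin/env python3
"""CGI gate: run only when mod_ssl reports a verified client certificate."""
import os
import sys

# Hypothetical allow-list of certificate subject CNs (constructed sample values).
ALLOWED_CNS = {"alice.example.org", "bob.example.org"}


def authorize(environ, allowed_cns=ALLOWED_CNS):
    """Return (allowed, detail) based on the mod_ssl variables in environ."""
    # The SSL_* variables exist only on TLS requests with +StdEnvVars set.
    if environ.get("HTTPS", "").lower() != "on":
        return False, "not a TLS request"
    # SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:reason.
    # Only SUCCESS means the chain validated against the configured CA;
    # GENEROUS (SSLVerifyClient optional_no_ca) must not be accepted.
    verify = environ.get("SSL_CLIENT_VERIFY")
    if verify != "SUCCESS":
        return False, "client certificate not verified (%s)" % (verify or "unset")
    # "Appropriate criteria": here, the subject CN must be on the allow-list.
    cn = environ.get("SSL_CLIENT_S_DN_CN", "")
    if cn not in allowed_cns:
        return False, "subject CN not on allow-list"
    return True, cn


def respond(environ, out=sys.stdout):
    """Write the CGI response and return the HTTP status code used."""
    allowed, detail = authorize(environ)
    if not allowed:
        # Fail closed; the reason goes to the error log, not to the client.
        sys.stderr.write("cert gate denied request: %s\n" % detail)
        out.write("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n")
        out.write("Not authorized\n")
        return 403
    out.write("Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n")
    out.write("Hello, %s\n" % detail)
    return 200


if __name__ == "__main__":
    respond(os.environ)
```

A missing variable is treated the same as a failed verification, so a server misconfiguration that stops exporting the SSL variables denies access instead of granting it.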