Posted to users@httpd.apache.org by Tom Evans <te...@googlemail.com> on 2012/01/04 15:49:05 UTC

Re: [users@httpd] selectively disclaim on SSL client-auth for some directories

On Thu, Dec 29, 2011 at 2:23 PM, Christoph Anton Mitterer
<ca...@scientia.net> wrote:
> Hi.
>
> I wondered whether the following is somehow possible (I guess it's not).
>
> I have an SSL vhost,... and I'd like to require SSL client cert
> authentication _per default_ ... but selectively being able to not
> demand it for some directories/files/locations.
>

It is possible, for a given definition of possible. The way to go
about it is to make client certificates optional, and then in areas
that are not for people without certificates make them only available
if the client certificates validated.

E.g., on my SSL vhosts protected by client certs, I want the page that
tells people to get lost if they don't have one to be viewable by
them:

    SSLVerifyClient optional

    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/errors

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </LocationMatch>

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
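
The same default-deny layout with one exempt path, written for Apache httpd 2.4, where SSLRequire is deprecated. This is an added example, not part of the original post; it assumes httpd 2.4 with mod_ssl and its `ssl-verify-client` authorization provider, and reuses the paths from the post.

```apache
# Added example (not from the original post). Assumes Apache httpd 2.4 with
# mod_ssl; goes inside the SSL <VirtualHost>, next to the existing
# SSLEngine / SSLCertificateFile / SSLCACertificateFile directives.

# Request a client certificate in the handshake, but let the handshake
# complete when the client sends none. Enforcement happens per location.
SSLVerifyClient optional

# Page shown to clients that are refused (paths as in the post).
ErrorDocument 403 /errors/certneeded.html
Alias /errors /usr/local/etc/apache22/errors

# Default for the whole vhost: only requests that presented a client
# certificate which validated against the configured CA are authorized.
<Location "/">
    Require ssl-verify-client
</Location>

# Exception: the error pages must be readable without a certificate,
# otherwise the 403 page itself would be refused. This section comes
# later and is more specific, so its Require replaces the one above
# (AuthMerging defaults to Off).
<Location "/errors/">
    Require all granted
</Location>
```

Each further exempt path needs its own `<Location>` block placed after the `<Location "/">` default; anything not listed stays behind the certificate check.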