Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2016/05/11 12:28:05 UTC

[users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory

On Wed, May 11, 2016 at 7:19 AM, Tom Browder <to...@gmail.com> wrote:
> I am running Apache 2.4.18 and have one site (https://usafa-1965.org)
> that requires a client certificate to access a restricted directory
> ("Classmates
> Only").  How can I return a friendlier message than, e.g., Chrome
> emits when a user without a valid certificate attempts to access the
> restricted directory?
...
> I think I can do something like this:
>
>   <Directory ~ ".*/restricted">
>    SSLOptions +StrictRequire
>    SSLVerifyClient require
>    # do NOT allow dir listings
>    Options -Indexes
>    # error 403 is "Forbidden"
>    ErrorDocument 403 "Sorry, you must have a valid client certificate.\nContact your CS Rep to get one."
>  </Directory>

That doesn't work, so maybe I have the wrong error code.  How can I
see what error code is actually being returned?

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory

Posted by Tom Browder <to...@gmail.com>.
On Wed, May 11, 2016 at 8:50 AM, Marat Khalili <mk...@rqc.ru> wrote:
> On 11/05/16 16:35, Tom Browder wrote:
>>
>> Is there any way via CGI to check for a valid client cert?  If so, I
>> could interject another script to do that at the Enter button.
>
> Client verification state should be visible to a CGI script via SSL_*
> environment variables. SSL_CLIENT_VERIFY looks promising.

Ah!  Thanks, Marat--I'll try that and report back!

Best regards,

-Tom



Re: [users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory

Posted by Marat Khalili <mk...@rqc.ru>.
On 11/05/16 16:35, Tom Browder wrote:
> Is there any way via CGI to check for a valid client cert?  If so, I
> could interject another script to do that at the Enter button.
Client verification state should be visible to a CGI script via SSL_* 
environment variables. SSL_CLIENT_VERIFY looks promising.

--

With Best Regards,
Marat Khalili




[users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory

Posted by Tom Browder <to...@gmail.com>.
On Wednesday, May 11, 2016, Marat Khalili <mk...@rqc.ru> wrote:
> There's no code at all. The HTTP connection is not even established. I don't think it can be easily solved. You have to ALLOW connections from clients without a valid certificate in order to send them your custom message, and the resulting reduction in security is probably not worth it.

Actually I do allow them to the site:

  https://usafa-1965.org

and they can get to the restricted area entry page:

  https://usafa-1965.org/login/index.html

but they presently get an error when they click on the "Enter
Restricted Area" button which calls a CGI script in the restricted
area.

Is there any way via CGI to check for a valid client cert?  If so, I
could interject another script to do that at the Enter button.

-Tom

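Putting Marat's SSL_CLIENT_VERIFY suggestion together with Tom's "Enter Restricted Area" button, here is an added example of the kind of CGI gate script Tom describes. It is not code from this thread or from usafa-1965.org. It assumes the entry page's directory is configured with SSLVerifyClient optional (so mod_ssl asks for a certificate but still completes the handshake for clients that have none) and SSLOptions +StdEnvVars (so the SSL_* variables reach the script); the directory paths, the RESTRICTED_URL target and the wording of the friendly page are all assumptions. The values it switches on (NONE, SUCCESS, GENEROUS, FAILED:reason) are the ones mod_ssl documents for SSL_CLIENT_VERIFY.

```python
#!/usr/bin/env python3
"""CGI "gate" behind the Enter Restricted Area button.

Added example, not code from this thread or from usafa-1965.org.  Assumed
httpd configuration for the entry page's directory (paths hypothetical):

    <Directory "/var/www/usafa/login">
        SSLVerifyClient optional
        SSLOptions +StdEnvVars
        Options +ExecCGI
        AddHandler cgi-script .py
    </Directory>

The classmates-only directory itself keeps "SSLVerifyClient require"; this
script only decides whether to send the browser there or to a friendly page,
so it is a courtesy, not the enforcement point.
"""
import html
import os
import sys

RESTRICTED_URL = "/restricted/index.cgi"      # assumption: real entry point
CONTACT_HINT = "Contact your CS Rep to get one."


def classify(environ):
    """Map mod_ssl's SSL_CLIENT_VERIFY to (http_status, reason).

    Documented values: NONE (no cert sent), SUCCESS (cert chained to a
    trusted CA), GENEROUS (cert sent, accepted only because of
    optional_no_ca), FAILED:<reason> (cert sent but rejected).
    """
    verify = environ.get("SSL_CLIENT_VERIFY")
    if verify is None:
        # Variable not exported at all: plain HTTP, or +StdEnvVars missing.
        return 500, "SSL_CLIENT_VERIFY not set; check SSLOptions +StdEnvVars"
    if verify == "SUCCESS":
        return 302, "ok"
    if verify == "NONE":
        return 403, "no client certificate presented"
    if verify.startswith("FAILED"):
        return 403, "certificate rejected: " + verify.partition(":")[2].strip()
    # GENEROUS or anything unexpected: not verified against our CA, so deny.
    return 403, "certificate not verified by a trusted CA (%s)" % verify


def render(environ):
    """Build the CGI response as (status_line, extra_headers, html_body)."""
    status, reason = classify(environ)
    if status == 302:
        # Sending a "Status:" header makes Apache pass the redirect to the
        # browser instead of treating a slash-relative Location as an
        # internal redirect.
        return "302 Found", [("Location", RESTRICTED_URL)], ""
    if status == 500:
        return ("500 Internal Server Error", [],
                "<p>Configuration error; see the server error log.</p>\n")
    subject = environ.get("SSL_CLIENT_S_DN", "")
    seen = ("<p>Certificate presented: <code>%s</code></p>\n"
            % html.escape(subject)) if subject else ""
    body = (
        "<!DOCTYPE html><html><head><title>Classmates Only</title></head><body>\n"
        "<h1>Sorry, you must have a valid client certificate.</h1>\n"
        "<p>%s</p>\n%s"
        "<p>%s</p>\n</body></html>\n"
        % (html.escape(reason), seen, html.escape(CONTACT_HINT))
    )
    return "403 Forbidden", [], body


def main():
    status_line, headers, body = render(os.environ)
    # A CGI script's stderr ends up in Apache's error log, which is one way
    # to see which status the gate actually returned and why.
    sys.stderr.write("client-cert gate: %s (SSL_CLIENT_VERIFY=%r)\n"
                     % (status_line, os.environ.get("SSL_CLIENT_VERIFY")))
    out = sys.stdout
    out.write("Status: %s\r\n" % status_line)
    for name, value in headers:
        out.write("%s: %s\r\n" % (name, value))
    out.write("Content-Type: text/html; charset=utf-8\r\n\r\n")
    out.write(body)


if __name__ == "__main__":
    main()
```

The design point is that the friendly page is served from a location where the certificate is optional, while the content Tom wants to protect stays behind SSLVerifyClient require; a GENEROUS result (a certificate that did not chain to the configured CA) is deliberately treated as a denial rather than a success.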


Re: [users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory

Posted by Marat Khalili <mk...@rqc.ru>.
There's no code at all. The HTTP connection is not even established. I don't 
think it can be easily solved. You have to ALLOW connections from 
clients without a valid certificate in order to send them your custom 
message, and the resulting reduction in security is probably not worth it.

--

With Best Regards,
Marat Khalili

On 11/05/16 15:28, Tom Browder wrote:
> On Wed, May 11, 2016 at 7:19 AM, Tom Browder <to...@gmail.com> wrote:
>> I am running Apache 2.4.18 and have one site (https://usafa-1965.org)
>> that requires a client certificate to access a restricted directory
>> ("Classmates
>> Only").  How can I return a friendlier message than, e.g., Chrome
>> emits when a user without a valid certificate attempts to access the
>> restricted directory?
> ...
>> I think I can do something like this:
>>
>>    <Directory ~ ".*/restricted">
>>     SSLOptions +StrictRequire
>>     SSLVerifyClient require
>>     # do NOT allow dir listings
>>     Options -Indexes
>>     # error 403 is "Forbidden"
>>     ErrorDocument 403 "Sorry, you must have a valid client certificate.\nContact your CS Rep to get one."
>>   </Directory>
> That doesn't work, so maybe I have the wrong error code.  How can I
> see what error code is actually being returned?
>
> -Tom