[Solved] Is it possible to use the $HTTP["url"] conditional to enable the ssl.verifyclient.* options dynamically?

Added by Grundor about 7 years ago

I need to enable the ssl.verifyclient.* options for a single endpoint of the website, to proceed with certificate login or validation.

But it is not working.

The configuration:

    $HTTP["host"] =~ "^(.*\.|)example.com$" {

        $SERVER["socket"] == ":443" {
            protocol     = "https://"
            ssl.engine   = "enable"
            ssl.disable-client-renegotiation = "disable"

            #server.name = "example.com"
            ssl.pemfile               = "/etc/lighttpd/ssl/example.com.pem"
            ssl.ca-file               = "/etc/lighttpd/ssl/bundle-ca.pem"

            ssl.honor-cipher-order = "enable"
            #ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384"
            #ssl.use-compression = "disable"
            setenv.add-response-header = (
                "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
                "X-Frame-Options" => "DENY",
                "X-Content-Type-Options" => "nosniff"
            )
            # SSLv2/SSLv3 enabled as posted (both protocols are obsolete)
            ssl.use-sslv2 = "enable"
            ssl.use-sslv3 = "enable"
            ssl.read-ahead = "enable"
            #ssl.disable-client-renegotiation = "disable"

            # This works: host-based conditional (selected via SNI during the handshake)
            $HTTP["host"] == "ssl.example.com" {
                server.name = "ssl.example.com"
                # ask for client cert
                ssl.verifyclient.activate   = "enable"
                ssl.verifyclient.enforce    = "enable"

                ssl.verifyclient.exportcert = "enable"
                #ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"
                ssl.verifyclient.depth      = 3
            }

            # This does not work: URL-based conditional
            $HTTP["url"] =~ "/backend/server/auth/ssl" {
                # ask for client cert
                ssl.verifyclient.activate   = "enable"
                ssl.verifyclient.enforce    = "disable"

                ssl.verifyclient.exportcert = "enable"
                #ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"
                ssl.verifyclient.depth      = 10
            }
        }
    }

Is it a bug or a misconfiguration?

Replies (3)

RE: Is it possible to use the $HTTP["url"] conditional to enable the ssl.verifyclient.* options dynamically? - Added by gstrauss about 7 years ago

Please verify that your browser (or intercepting CDN) is sending SNI. If it is not sending SNI, then "Host" may be available too late in the processing, after client certificate verification needs to have been configured in order to take place.

Please be careful to configure client certificate verification everywhere it is required. If you only enable it for a specific host, then someone is still able to make a request to the host without sending SNI. Again, this is due to client certificate verification needing to occur prior to reading HTTP request headers.
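A configuration laid out the way the reply above recommends, added here as an example and not something posted in the thread: client certificate verification is configured at socket scope, so a connection that omits SNI is still asked for a certificate, and the HTTP-level decision for the single endpoint is left to the backend. It reuses the poster's file paths and endpoint, and assumes the backend reads the lighttpd CGI variable SSL_CLIENT_VERIFY.

```lighttpd
# Added example, not the poster's config nor lighttpd project code.
# Assumes the poster's paths under /etc/lighttpd/ssl/ and a backend that
# inspects SSL_CLIENT_VERIFY (assumed to be "SUCCESS" for a verified cert).
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/example.com.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/bundle-ca.pem"   # CAs trusted for client certs

    # Request a client certificate on every TLS handshake on this socket.
    # The handshake completes before any Host header or URL is read, so a
    # $HTTP["host"]-only setting would be skipped by a client sending no SNI.
    ssl.verifyclient.activate   = "enable"
    # Do not abort the handshake when no valid certificate is presented:
    # hosts and URLs that need no client certificate keep working, and the
    # backend decides per request.
    ssl.verifyclient.enforce    = "disable"
    ssl.verifyclient.depth      = 3
    # Hand the certificate (SSL_CLIENT_CERT) and the CN (as REMOTE_USER) to
    # the backend behind /backend/server/auth/ssl, which must refuse the
    # request unless SSL_CLIENT_VERIFY reports a successful verification.
    ssl.verifyclient.exportcert = "enable"
    ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"
}
```

Because enforcement is disabled at the socket, the check in the backend is the only thing protecting the endpoint; if the whole host is meant to require a certificate, set ssl.verifyclient.enforce = "enable" at socket scope instead.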

RE: Is it possible to use the $HTTP["url"] conditional to enable the ssl.verifyclient.* options dynamically? - Added by gstrauss about 7 years ago

I think what you are trying to do is available in lighttpd git master and will be part of the next lighttpd release: lighttpd 1.4.46:
https://redmine.lighttpd.net/issues/2245
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/20946a8b920edfd2455b667b266b1cfcef3336ac

Please try it out. Feedback appreciated.

RE: [Solved] Is it possible to use the $HTTP["url"] conditional to enable the ssl.verifyclient.* options dynamically? - Added by Grundor about 7 years ago

I think what you are trying to do is available in lighttpd git master and will be part of the next lighttpd release: lighttpd 1.4.46:
https://redmine.lighttpd.net/issues/2245
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/20946a8b920edfd2455b667b266b1cfcef3336ac

That's exactly what I need!