Feature #2245

SSL : authenticate only clients for a particular URL

Added by ohe almost 8 years ago. Updated about 1 year ago.



This kind of configuration does not work.

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/tmp/pub.pem"
    ssl.ca-file = "/tmp/ca.pem"
    ssl.verifyclient.activate = "disable"
    $HTTP["url"] =~ "^/ssl-authentication-required/" {
        ssl.verifyclient.activate = "enable"
        ssl.verifyclient.depth = 2
    }
}

There's no way, today, to authenticate, in HTTPS, users only for a list of URLs.

Apache, with mod_ssl, has this option (see :

Is there a way to have this feature in lighttpd?

Associated revisions

Revision 20946a8b (diff)
Added by gstrauss over 1 year ago

[mod_openssl] allow ssl.verifyclient on url paths (fixes #2245)

re-patch mod_openssl config within the request so that per-request
settings can be applied, such as activating client cert verification
for specific URL paths.

(This can be used in conjunction with auth.backend = "extern"
to require auth to occur)

"SSL : authenticate only clients for a particular URL"



Updated by ohe almost 8 years ago

See also comments on issue 1288 :


Updated by gstrauss about 2 years ago

  • Category changed from core to TLS

Updated by gstrauss over 1 year ago

  • Category changed from TLS to mod_auth

It is not possible to do this in lighttpd at the moment since TLS/SSL negotiation and client cert verification currently occur prior to reading the request (over the encrypted channel just negotiated). It should be possible to write a mod_authn_<backend>.c to plug into mod_auth to be able to provide this functionality.

For browsers using TLS SNI, it might already be possible to do this using $HTTP["host"] if you set up a vhost for which is separate from the rest of the site. could issue a secure, encrypted cookie after login which permits access to other sites without requiring client cert verification, though TLS connections to those other sites are still recommended.


Updated by gstrauss over 1 year ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.45

Updated by gstrauss over 1 year ago

  • Target version changed from 1.4.45 to 1.4.46

Updated by gstrauss about 1 year ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
