Feature #2245

SSL : authenticate only clients for a particular URL

Added by ohe over 7 years ago. Updated 9 months ago.


This kind of configuration does not work.

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/tmp/pub.pem"
    ssl.ca-file = "/tmp/ca.pem"
    ssl.verifyclient.activate = "disable"
    $HTTP["url"] =~ "^/ssl-authentication-required/" {
        ssl.verifyclient.activate = "enable"
        ssl.verifyclient.depth = 2
    }
}

There's no way today to authenticate users over HTTPS for only a list of URLs.

Apache, with mod_ssl, has this option (see :

Is there a way to have this feature in lighttpd?

Associated revisions

Revision 20946a8b (diff)
Added by gstrauss 10 months ago

[mod_openssl] allow ssl.verifyclient on url paths (fixes #2245)

re-patch mod_openssl config within the request so that per-request
settings can be applied, such as activating client cert verification
for specific URL paths.

(This can be used in conjunction with auth.backend = "extern"
to require auth to occur)

"SSL : authenticate only clients for a particular URL"



Updated by ohe over 7 years ago

See also comments on issue 1288 :


Updated by gstrauss over 1 year ago

  • Category changed from core to TLS

Updated by gstrauss about 1 year ago

  • Category changed from TLS to mod_auth

It is not possible to do this in lighttpd at the moment since TLS/SSL negotiation and client cert verification currently occur prior to reading the request (over the encrypted channel just negotiated). It should be possible to write a mod_authn_<backend>.c to plug into mod_auth to be able to provide this functionality.

For browsers using TLS SNI, it might already be possible to do this using $HTTP["host"] if you set up a vhost for which is separate from the rest of the site. could issue a secure, encrypted cookie after login which permits access to other sites without requiring client cert verification, though TLS connections to those other sites are still recommended.


Updated by gstrauss 11 months ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.45

Updated by gstrauss 10 months ago

  • Target version changed from 1.4.45 to 1.4.46

Updated by gstrauss 9 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
