
Feature #2245

SSL : authenticate only clients for a particular URL

Added by ohe over 7 years ago. Updated 9 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_auth
Target version:
Start date: 2010-08-11
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x: No

Description

This kind of configuration does not work.

$SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    ssl.pemfile = "/tmp/pub.pem" 
    ssl.ca-file = "/tmp/ca.pem" 
    ssl.verifyclient.activate = "disable" 
    $HTTP["url"] =~ "^/ssl-authentication-required/" {
        ssl.verifyclient.activate = "enable" 
        ssl.verifyclient.depth = 2
    }
}

There's no way today to authenticate, in HTTPS, users only for a list of URLs.

Apache, with mod_ssl, has this option (see: http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular).

Is there a way to have this feature in lighttpd?

Associated revisions

Revision 20946a8b (diff)
Added by gstrauss 10 months ago

[mod_openssl] allow ssl.verifyclient on url paths (fixes #2245)

re-patch mod_openssl config within the request so that per-request
settings can be applied, such as activating client cert verification
for specific URL paths.

(This can be used in conjunction with auth.backend = "extern"
to require auth to occur)

x-ref:
"SSL : authenticate only clients for a particular URL"
https://redmine.lighttpd.net/issues/2245
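The reporter's configuration rewritten to use the per-request re-patching described in the commit above, as an added example that is not from the issue or the lighttpd sources. It assumes lighttpd 1.4.46 or later; ssl.verifyclient.enforce, ssl.verifyclient.username and the auth.require block with method "extern" are mod_openssl/mod_auth directives not shown on this page, and the file paths are placeholders.

```conf
# Added example (not from the issue): request and enforce a client
# certificate only below /ssl-authentication-required/, everything else
# on the same socket stays plain HTTPS without client verification.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # placeholder path
    ssl.ca-file = "/etc/lighttpd/ca.pem"       # placeholder: CA that signs client certs

    # Default for the whole socket: no client certificate is requested.
    ssl.verifyclient.activate = "disable"

    $HTTP["url"] =~ "^/ssl-authentication-required/" {
        # Ask for a client certificate on this path prefix only ...
        ssl.verifyclient.activate = "enable"
        ssl.verifyclient.depth    = 2
        # ... and reject the request if verification fails, rather than
        # only exporting the verification result to the backend.
        ssl.verifyclient.enforce  = "enable"
        # Export the certificate CN as the authenticated user name.
        ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

        # Per the commit message: make mod_auth require that authentication
        # actually occurred, so a missing/unverified cert cannot slip through.
        auth.backend = "extern"
        auth.require = ( "/ssl-authentication-required/" =>
                           ( "method"  => "extern",
                             "realm"   => "client-cert",
                             "require" => "valid-user" ) )
    }
}
```

Without ssl.verifyclient.enforce = "enable" a client that presents no certificate is still served; the auth.require block is the second line of defence that turns "verification was attempted" into "a verified identity is present".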

History

#1

Updated by ohe over 7 years ago

See also comments on issue 1288: http://redmine.lighttpd.net/issues/1288#note-11

#2

Updated by gstrauss over 1 year ago

  • Category changed from core to TLS

#3

Updated by gstrauss about 1 year ago

  • Category changed from TLS to mod_auth

It is not possible to do this in lighttpd at the moment since TLS/SSL negotiation and client cert verification currently occurs prior to reading the request (over the encrypted channel just negotiated). It should be possible to write a mod_authn_<backend>.c to plug into mod_auth to be able to provide this functionality.

For browsers using TLS SNI, it might already be possible to do this using $HTTP["host"] if you set up a vhost for login.example.com which is separate from the rest of the site. login.example.com could issue a secure, encrypted cookie after login which permits access to other .example.com sites without requiring client cert verification, though TLS connections to those other sites are still recommended.

#4

Updated by gstrauss 11 months ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.45

#5

Updated by gstrauss 10 months ago

  • Target version changed from 1.4.45 to 1.4.46

#6

Updated by gstrauss 9 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
