Feature #2415

[patch] Allow $HTTP["remoteuser"] to be used for certificate authorization

Added by zi over 4 years ago. Updated 3 months ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: mod_auth
Target version: -
Start date: 2012-04-22
Due date: -
% Done: 0%
Estimated time: 0.00 h
Missing in 1.5.x: No

Description

At the moment, it is possible to require client certificates from a trusted CA. However, there appears to be no way to require a specific certificate for authorization control.

With the attached patch, it is possible to use $HTTP["remoteuser"] in logic decisions by setting:
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
    ssl.verifyclient.exportcert = "enable"

Example syntax could be:
    $HTTP["url"] =~ "^/cert_required" {
        $HTTP["remoteuser"] !~ "my cert CN" {
            url.access-deny = ( "" )
        }
    }

Attachment: lighttpd-1.4.30-remoteuser.diff (2.92 KB), zi, 2012-04-22 19:39

History

#1 Updated by gstrauss 7 months ago

  • Category set to mod_auth

#2 Updated by gstrauss 3 months ago

  • Status changed from New to Invalid

I believe what you are trying to do is already possible with mod_auth:

auth.require = ( "" =>
                 (
                    # "extern": authorize against a REMOTE_USER that another
                    # module (here mod_openssl via ssl.verifyclient.username)
                    # has already set; no auth.backend is consulted
                    "method"  => "extern",
                    "realm"   => "",
                    "require" => "user=my cert CN"
                 )
               )

TLS SNI (if sent by client) occurs early in the connection, prior to when mod_auth runs for the request.
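A complete configuration for the approach gstrauss describes, as an added example that is not part of this ticket or of lighttpd's own documentation. It assumes lighttpd 1.4.46 or later (separate mod_openssl, and mod_auth with the "extern" method); the file paths, the CA file and the CN "deploy-bot" are placeholders:

```lighttpd
# Added example (not from the ticket): restrict /cert_required to one client
# certificate, identified by its subject CN, using mod_openssl + mod_auth.
server.modules += ( "mod_openssl", "mod_auth", "mod_access" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"      # placeholder path
    ssl.ca-file = "/etc/lighttpd/client-ca.pem"   # placeholder: the only CA
                                                  # allowed to issue client certs

    # Ask for a client certificate and abort the handshake unless it
    # chains to ssl.ca-file (depth 1: cert signed directly by that CA).
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"
    ssl.verifyclient.depth    = 1

    # Export the chosen subject attribute as REMOTE_USER so that mod_auth
    # (method "extern") and $HTTP["remoteuser"] can see it.
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

    # Only needed if a backend (CGI/FastCGI/proxy) must read SSL_CLIENT_CERT.
    ssl.verifyclient.exportcert = "disable"

    $HTTP["url"] =~ "^/cert_required" {
        auth.require = ( "" =>
            (
                "method"  => "extern",
                "realm"   => "client-cert",
                "require" => "user=deploy-bot"   # placeholder CN; exact match
            )
        )
    }
}
```

The `require` rule compares the exported REMOTE_USER string exactly, so it is only as selective as the CA behind `ssl.ca-file`: any certificate that CA issues with the same CN passes. If the CA is not under your exclusive control, export the full subject (`SSL_CLIENT_S_DN`) and require that instead, and keep `ssl.verifyclient.enforce` enabled so that an unverified certificate never reaches mod_auth at all.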
