Feature #2436

[mod_auth] Implement the ssl backend/method

Added by KiBi over 3 years ago. Updated about 2 years ago.

Status:FixedStart date:2012-08-14
Priority:NormalDue date:
Assignee:-% Done:


Target version:1.4.33
Missing in 1.5.x:No



please let me quote the commit message, which should say it all:

[mod_auth] Implement the ssl backend/method.

When SSL client certificate verification if activated (even if not
enforced), one can specify a given field of the certificate to be used
as the username, making it possible to set access restrictions based
on that username. Connecting without a certificate means a denied
access to restricted paths (no username).

Configuration example:

    ssl.verifyclient.activate       = "enable" 
    ssl.verifyclient.enforce        = "disable" 
    # more ssl-related settings

    auth.backend = "ssl" 
    auth.backend.ssl.field = "SSL_CLIENT_S_DN_CN" 
    auth.require = (
        "/any-ssl-user" => (
            "require" => "valid-user",
            "method"  => "ssl" 
        "/only-specific-ssl-users" => (
             "require" => "user=james|user=alec",
             "method"  => "ssl" 

Signed-off-by: Cyril Brulebois <kibi@debian.org>

I've tested this successfully on 1.4.28; I've also tried to make sure misconfigurations are detected properly.

The patch applied cleanly on 1.4.32, except for the documentation file that moved under doc/outdated/.


0001-mod_auth-Implement-the-ssl-backend-method.patch Magnifier (10.9 KB) KiBi, 2012-08-14 22:04

Associated revisions

Revision 2894
Added by stbuehler about 2 years ago

[auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436)

can be combined with ssl:
ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"
auth.require = ("/" => ( "require" => "valid-user", "method" => "extern") )

From: Stefan B├╝hler <>


#1 Updated by stbuehler over 2 years ago

  • Target version changed from 1.4.x to 1.4.33

#2 Updated by stbuehler about 2 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2894.

Also available in: Atom