Feature #2436

[mod_auth] Implement the ssl backend/method

Added by KiBi over 4 years ago. Updated over 3 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 2012-08-14
Due date:
% Done: 100%
Missing in 1.5.x: No

Description

Hello,

please let me quote the commit message, which should say it all:

[mod_auth] Implement the ssl backend/method.

When SSL client certificate verification is activated (even if not
enforced), one can specify a given field of the certificate to be used
as the username, making it possible to set access restrictions based
on that username. Connecting without a certificate means a denied
access to restricted paths (no username).

Configuration example:

    ssl.verifyclient.activate       = "enable" 
    ssl.verifyclient.enforce        = "disable" 
    # more ssl-related settings

    auth.backend = "ssl" 
    auth.backend.ssl.field = "SSL_CLIENT_S_DN_CN" 
    auth.require = (
        "/any-ssl-user" => (
            "require" => "valid-user",
            "method"  => "ssl" 
        ),
        "/only-specific-ssl-users" => (
             "require" => "user=james|user=alec",
             "method"  => "ssl" 
        )
    )

Signed-off-by: Cyril Brulebois <kibi@debian.org>

I've tested this successfully on 1.4.28; I've also tried to make sure misconfigurations are detected properly.

The patch applied cleanly on 1.4.32, except for the documentation file that moved under doc/outdated/.

Mraw,
KiBi.
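
A simplified model of the access decision the commit message above describes, added here as an illustration; it is not code from the patch or from lighttpd. The helper names, the prefix matching of `auth.require` paths and the sample certificate values are assumptions.

```python
# Simplified model of the access decision described in the commit message.
# Not lighttpd source code: rule parsing and prefix matching are assumptions.

# Constructed rules mirroring the auth.require example on this page.
AUTH_REQUIRE = {
    "/any-ssl-user": "valid-user",
    "/only-specific-ssl-users": "user=james|user=alec",
}


def username_from_cert(cert_env, field="SSL_CLIENT_S_DN_CN"):
    """Return the configured certificate field, or None when no verified
    client certificate was presented or the field is empty."""
    if not cert_env:
        return None
    return cert_env.get(field) or None


def allowed_users(require):
    """Parse 'user=a|user=b' into a set; None means any valid user."""
    if require == "valid-user":
        return None
    users = set()
    for part in require.split("|"):
        key, sep, value = part.partition("=")
        if key != "user" or not sep or not value:
            raise ValueError(f"unsupported require clause: {part!r}")
        users.add(value)
    return users


def is_allowed(path, cert_env, rules=AUTH_REQUIRE):
    """Decide access for one request path and one (possibly absent) cert."""
    for prefix, require in rules.items():
        if path.startswith(prefix):
            user = username_from_cert(cert_env)
            if user is None:      # enforce = "disable": the handshake succeeds,
                return False      # but there is no username to authorize
            users = allowed_users(require)
            return users is None or user in users
    return True                   # path not covered by auth.require


if __name__ == "__main__":
    james = {"SSL_CLIENT_S_DN_CN": "james"}   # constructed sample values
    bob = {"SSL_CLIENT_S_DN_CN": "bob"}
    for path in ("/public", "/any-ssl-user/x", "/only-specific-ssl-users/x"):
        print(path, [is_allowed(path, c) for c in (None, bob, james)])
```

An empty field value is treated the same as a missing certificate, so a certificate without the configured field never yields a username.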

Associated revisions

Revision f9d58670 (diff)
Added by stbuehler over 3 years ago

[auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436)

can be combined with ssl:
ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"
auth.require = ("/" => ( "require" => "valid-user", "method" => "extern") )

From: Stefan Bühler <>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2894 152afb58-edef-0310-8abb-c4023f1b3aa9

Revision 2894 (diff)
Added by stbuehler over 3 years ago

History

#1 Updated by stbuehler over 3 years ago

  • Target version changed from 1.4.x to 1.4.33

#2 Updated by stbuehler over 3 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2894.