SSL : authenticate only clients for a particular URL
Added by ca6eca over 12 years ago
Hi...
I use the Apache web server for my application, and I would like to move from Apache to lighttpd.
In my Apache configuration I have the following:
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        SSLRequireSSL
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        SSLVerifyClient none
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        #RedirectMatch ^/$ /apache2-default/
    </Directory>
    <Directory /var/www/html/autenticacao>
        SSLRequireSSL
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        SSLVerifyClient require
        allow from all
    </Directory>
So, when I access the URL https://localhost, the SSL connection works fine without client authentication, and when I access the URL https://localhost/autenticacao from my application running at https://localhost, the client needs to authenticate with a certificate. For my application, this is fine.
But when I try the same with lighttpd, I can't make this work. When I access https://localhost/autenticacao, the client certificate isn't requested.
Below is my lighttpd config:
    $SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine = "enable"
        ssl.pemfile = "/certificate/site/crt/lighttpd.pem"
        ssl.ca-file = "/certificate/site/crt/ca_list_icpbrasil.crt"
        server.document-root = "/var/www/html"
        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
        $HTTP["url"] =~ "^/autenticacao/" {
            ssl.verifyclient.activate = "enable"
            # ssl.verifyclient.enforce = "enable"
            ssl.verifyclient.exportcert = "enable"
            ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
            ssl.verifyclient.depth = "3"
        }
    }
I found a reference to this issue in bug 1288: http://redmine.lighttpd.net/issues/1288#note-11, but with no answer.
Thanks for any help.