
Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf

Added by plmanikandan over 6 years ago

Hi All,
Is there any way to access SSL_CLIENT_VERIFY (only the failed case) in lighttpd.conf and redirect to a specific URI from the conf file if the SSL certificate is invalid or expired?
In the case of nginx it can be achieved like below:

    if ($ssl_client_verify = FAILED) {
        return 302 /cert-error;   # redirect target is a placeholder
    }

I'm expecting a similar variable in lighttpd.conf.

Thanks,
Mani


Replies (4)

RE: Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf - Added by gstrauss over 6 years ago

Sorry, not as straightforward in lighttpd, but possible.

If you require client certs, and require mod_auth to check that mod_openssl has authenticated the remote user, then you can configure the 401 Unauthorized error page to redirect.

    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    auth.require = ( "/" => ( "method" => "extern", "realm" => "any", "require" => "valid-user" ) )
    auth.extern-authn = "enable"

Then use server.errorfile-prefix and write a simple 401.html error page which internally redirects to your desired location.
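A fuller lighttpd.conf fragment built around this approach, as an added example and not gstrauss's posted config: it assumes ssl.verifyclient.enforce is left disabled so that the TLS handshake completes and mod_auth (rather than the TLS layer) produces the 401, and it uses placeholder file paths, a hypothetical protected prefix /app/ and a hypothetical redirect target /cert-error.

```conf
# Added example (not from the thread). Paths, /app/ and /cert-error are placeholders.
server.modules += ( "mod_openssl", "mod_auth" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"      # placeholder path
    ssl.ca-file = "/etc/lighttpd/client-ca.pem"   # CA issuing client certs; required by verifyclient

    # Request a client cert but let the handshake complete even when the cert is
    # missing, expired or otherwise invalid. mod_openssl then sets SSL_CLIENT_VERIFY
    # to "FAILED:<reason>" (visible only to CGI/FastCGI, not in lighttpd.conf) and
    # does NOT export REMOTE_USER. With enforce = "enable" the handshake itself is
    # aborted, so no HTTP response, and hence no redirect, can reach the client.
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "disable"
    ssl.verifyclient.depth    = 1
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"   # exported as REMOTE_USER on a valid cert

    # mod_auth "extern" trusts REMOTE_USER set by mod_openssl. A request under /app/
    # whose cert failed verification has no REMOTE_USER and gets 401.
    auth.extern-authn = "enable"
    auth.require = ( "/app/" => ( "method" => "extern", "realm" => "any", "require" => "valid-user" ) )

    # Error bodies are read from <prefix><status>.html, so the 401 body comes from
    # /var/www/errors/401.html (placeholder path). That file carries the client-side
    # redirect, e.g.  <meta http-equiv="refresh" content="0; url=/cert-error">
    # /cert-error sits outside /app/, so the redirect target does not itself 401.
    server.errorfile-prefix = "/var/www/errors/"
}
```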

RE: Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf - Added by plmanikandan over 6 years ago

Thanks for your reply.
If a user presents an expired certificate with the ssl.verifyclient.enforce = "enable" setting, will it redirect to 401?
My use case is to redirect to 401.html when an expired or invalid certificate is provided in the request. Is it possible to achieve this through configuration changes?

Thanks,
Mani

RE: Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf - Added by gstrauss over 6 years ago

Hi Mani. Please test it yourself and tell us all what you find.

RE: Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf - Added by SelviRaju over 5 years ago

Hi,

    # "^..." is a regex anchor, so a regex match (=~) is needed; "==" compares the literal string
    $HTTP["url"] =~ "^/index/welcome" {
        ssl.verifyclient.activate = "disable"
        ssl.verifyclient.exportcert = "disable"
    } else $HTTP["url"] =~ "^/index/welcome/*" {
        ssl.verifyclient.activate = "enable"
        ssl.verifyclient.enforce = "disable"
        ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
        ssl.verifyclient.exportcert = "enable"
        ssl.verifyclient.depth = 1
    }

For an invalid or expired certificate I am getting the expected response for /index/welcome.

For a valid certificate on /index/welcome/* I am getting 401 Unauthorized.

Please share your input.

Thanks,
Selvi
