Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf
Added by plmanikandan over 6 years ago
Hi All,
Is there any way to access SSL_CLIENT_VERIFY (only the failed case) in lighttpd.conf and redirect to a specific URI from the conf file if the SSL certificate is invalid or expired?
In the case of nginx, it can be achieved like below:
if ($ssl_client_verify = FAILED) {
I'm expecting a similar variable in lighttpd.conf.
Thanks,
Mani
Replies (4)
RE: Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf - Added by gstrauss over 6 years ago
Sorry, not as straightforward in lighttpd, but possible.
If you require client certs, and require mod_auth to check that mod_openssl has authenticated the remote user, then you can configure the 401 Unauthorized error page to redirect.
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
auth.require = ( "/" => ( "method" => "extern", "realm" => "any", "require" => "valid-user" ) )
auth.extern-authn = "enable"
Then use server.errorfile-prefix and write a simple 401.html error page which internally redirects to your desired location.
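The setup described in the reply above, written out as an added example (not code from the thread or from the lighttpd project): a shell function that writes the lighttpd fragment and the 401.html page. The function name, file names, certificate paths, port and redirect target are assumptions; ssl.verifyclient.username is the directive used in a later post of this thread.

```shell
#!/bin/sh
# Added example: writes the two files the reply describes into a directory.
# Assumed/placeholder values: certificate paths, port 443, redirect target.
# Usage: write_mtls_401_example /absolute/output/dir
write_mtls_401_example() {
    dir=$1
    mkdir -p "$dir/errors" || return 1

    # lighttpd fragment; include it from lighttpd.conf.
    cat > "$dir/mtls-401.conf" <<EOF
server.modules += ( "mod_openssl", "mod_auth" )

\$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"      # placeholder path
    ssl.ca-file = "/etc/lighttpd/client-ca.pem"   # placeholder: CA issuing client certs

    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"
    # Assumption: the "extern" method keys on REMOTE_USER, which mod_openssl
    # fills from this certificate field once the client cert verifies.
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}

auth.require = ( "/" => ( "method" => "extern", "realm" => "any", "require" => "valid-user" ) )
auth.extern-authn = "enable"

# lighttpd serves <prefix><status>.html, here $dir/errors/401.html
server.errorfile-prefix = "$dir/errors/"
EOF

    # Static 401 body. auth.require covers "/", so the redirect target must
    # live outside this protected site or the browser lands on 401 again.
    cat > "$dir/errors/401.html" <<'EOF'
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="refresh" content="0; url=https://help.example.invalid/client-cert">
  <title>401 Unauthorized</title>
</head>
<body>
  <p>A valid client certificate is required.
     <a href="https://help.example.invalid/client-cert">Continue</a></p>
</body>
</html>
EOF
}
```

Request the site with a valid, an expired and no client certificate against your lighttpd version to see which cases reach the 401 page.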
RE: Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf - Added by plmanikandan over 6 years ago
Thanks for your reply.
If a user uses an expired certificate with the ssl.verifyclient.enforce = "enable" setting, will it redirect to 401?
My use case is to redirect to 401.html when an expired or invalid certificate is provided in the request. Is it possible to achieve this through configuration changes?
Thanks,
Mani
RE: Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf - Added by gstrauss over 6 years ago
Hi Mani. Please test it yourself and tell us all what you find.
RE: Accessing SSL_CLIENT_VERIFY status and redirecting to uri in lighttpd.conf - Added by SelviRaju over 5 years ago
Hi,
$HTTP["url"] == "^/index/welcome" {
    ssl.verifyclient.activate = "disable"
    ssl.verifyclient.exportcert = "disable"
} else $HTTP["url"] =~ "^/index/welcome/*" {
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "disable"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
    ssl.verifyclient.exportcert = "enable"
    ssl.verifyclient.depth = 1
}
For invalid and expired certificates, I am getting the expected response for /index/welcome.
For a valid certificate, /index/welcome/* is getting 401 Unauthorized.
Please share your input.
Thanks,
Selvi