Feature #2245
closedSSL : authenticate only clients for a particular URL
Description
This kind of configuration does not work.
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/tmp/pub.pem"
ssl.ca-file = "/tmp/ca.pem"
ssl.verifyclient.activate = "disable"
$HTTP["url"] =~ "^/ssl-authentication-required/" {
ssl.verifyclient.activate = "enable"
ssl.verifyclient.depth = 2
}
}
There's no way, today to authenticate, in HTTPS, users only for a list of urls.
Apache, with mod_ssl, has this option (see : http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular)
Is there a way to have this feature in lighttpd?
Updated by ohe over 13 years ago
See also comments on issue 1288 : http://redmine.lighttpd.net/issues/1288#note-11
Updated by gstrauss over 7 years ago
- Category changed from TLS to mod_auth
It is not possible to do this in lighttpd at the moment since TLS/SSL negotiation and client cert verification currently occurs prior to reading the request (over the encrypted channel just negotiated). It should be possible to write a mod_authn_<backend>.c to plug into mod_auth to be able to provide this functionality.
For browsers using TLS SNI, it might already be possible to do this using $HTTP["host"] if you set up a vhost for login.example.com which is separate from the rest of the site. login.example.com could issue a secure, encrypted cookie after login which permits access to other .example.com sites without requiring client cert verification, though TLS connections to those other sites are still recommended.
Updated by gstrauss over 7 years ago
- Status changed from New to Patch Pending
- Target version set to 1.4.45
Updated by gstrauss over 7 years ago
- Target version changed from 1.4.45 to 1.4.46
Updated by gstrauss about 7 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 20946a8b920edfd2455b667b266b1cfcef3336ac.
Also available in: Atom