Feature #2415
closed
[patch] Allow $HTTP["remoteuser"] to be used for certificate authorization
Description
At the moment, it is possible to require client certificates from a trusted CA. However, there appears to be no way to require a specific certificate for authorization control.
With the attached patch, it is possible to use $HTTP["remoteuser"] in logic decisions by setting:
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
ssl.verifyclient.exportcert = "enable"
Example syntax could be:
$HTTP["url"] =~ "^/cert_required" {
    $HTTP["remoteuser"] !~ "my cert CN" {
        url.access-deny = ( "" )
    }
}
Updated by gstrauss about 8 years ago
- Status changed from New to Invalid
I believe what you are trying to do is already possible with mod_auth:
auth.require = ( "" => ( "method" => "extern", "realm" => "", "require" => "user=my cert CN" ) )
TLS SNI (if sent by client) occurs early in the connection, prior to when mod_auth runs for the request.
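The two posts above combined into one configuration, as an added example that is not part of the original thread and is not the project's own sample. It assumes a lighttpd build where TLS is provided by mod_openssl and mod_auth supports the "extern" method; the file paths and the verification depth are placeholders, while the URL prefix and CN value are the ones used in the report.

```lighttpd
# Added example: restrict a URL prefix to one client-certificate CN.
# Paths and the depth value are placeholders (assumptions); the URL prefix
# and the CN come from the report above.
server.modules += ( "mod_openssl", "mod_auth" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/path/to/server.pem"          # placeholder
    ssl.ca-file = "/path/to/client-ca.pem"       # placeholder: CA that issues client certs

    ssl.verifyclient.activate   = "enable"       # ask the client for a certificate
    ssl.verifyclient.enforce    = "enable"       # reject handshakes without a valid one
    ssl.verifyclient.depth      = 2              # placeholder chain depth
    ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"   # REMOTE_USER is taken from the subject CN
    ssl.verifyclient.exportcert = "enable"       # as in the report: exports the client cert to the request environment
}

# mod_auth "extern" trusts a REMOTE_USER that another module has already set
# (here: the TLS layer) and only evaluates the "require" rule against it.
# A request with no REMOTE_USER, or with a different CN, is refused.
$HTTP["url"] =~ "^/cert_required" {
    auth.require = ( "" => (
        "method"  => "extern",
        "realm"   => "",
        "require" => "user=my cert CN"           # matched as a whole user name, not as a regex
    ) )
}
```

Because any certificate signed by the configured CA can carry any CN that CA agrees to issue, the CA file should contain only the CA that issues these client certificates.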
Updated by gstrauss about 8 years ago