Home / server / Questions / 289406
Accepted
zero_r
Asked: 2011-07-13 03:33:04 +0800 CST

apache client certificate if-else condition

  • 772

I have a <Location> within a virtualhost that looks like this:

  <Location /app1/>
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLRequireSSL
    SSLOptions +OptRenegotiate
    SSLCipherSuite HIGH
    SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Customer1" \
    or %{SSL_CLIENT_S_DN_OU} eq "Customer2" \
    or %{SSL_CLIENT_S_DN_OU} eq "Customer3"
 </Location>

This requires everyone who wants to access /app1/ to present a client certificate to the server. Backend server is tomcat.

Is it possible to "route" visitors who don't authenticate to a different location than visitors who have a certificate? E.g. the ones with no certificate get less functionality...

Thank you

linux apache-2.2 mod-ssl

1 Answers

  1. Best Answer

    You can use mod_rewrite to send people somewhere else.

    At first, you must configure your Apache so that it allows people without a certificate in (i.e. use SSLVerifyClient optional) Note that this may break with certain browsers. Check this before going live.

    Then, as a second step, you can use mod_rewrite like so:

    RewriteEngine On
# Only match requests which don't have a proper client certificate
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !SUCCESS

# Prefix the URL for those people with /guest
RewriteRule ^/(.*)$ /guest/$1
    • 3