On Mon, Oct 1, 2012 at 7:54 AM, Mark Montague <mark@xxxxxxxxxxx> wrote:
>> On Sun, Sep 30, 2012 at 7:44 PM, Mark Montague <mark@xxxxxxxxxxx> wrote:
>>> On September 30, 2012 19:45 , Tom Browder <tom.browder@xxxxxxxxx> wrote:
>>>>
>>>> Does anyone have a pointer to help on restricting a directory to
>>>> access only with valid SSL Client Certificates and how to work CGI
>>>> scripts to respect that restriction?
...
> My assumption was that you wanted to allow the CGI to be invoked for
> requests from web browsers that did not present client certificates, but
> then wanted to restrict what the CGI could do.
>
> But if you have SSL related environment variables set, then this means that
> a client certificate was presented. Instead of changing the CGI to check
> for this, why not change the web server configuration to require the
> certificate in all cases? ("SSLVerifyClient require"). Then the SSL
> environment variables will always be set, and the CGI will never have to
> check them.

Mark, what I have is an SSL only site but with most of it publicly
accessible. I do want to check SSL envvars regardless so I've found I
have to use this directive in the general server context OUTSIDE the
restricted directory:

  SSLVerifyClient optional

Inside the restricted area I have:

  SSLVerifyClient require

The reason I do that is to log access by my clients even though they
don't attempt to enter the restricted area.

I have found that the configuration doesn't restrict CGI programs at
all as I have them placed, but I suspect (but haven't tested) that
they wouldn't work if placed inside the restricted area without the
user having a valid SSL client certificate.

Thanks for your attention to this area which is critical to me for my
site concept.

Best,

-Tom
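An added example, not part of the original thread: a CGI script outside the "SSLVerifyClient require" directory that logs the client identity on every request and refuses a restricted action unless mod_ssl reports a verified certificate. It assumes "SSLOptions +StdEnvVars" is enabled so that mod_ssl exports SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN to CGI; the /restricted path prefix, the function names and the sample values are hypothetical.

```python
#!/usr/bin/env python3
"""CGI gate on mod_ssl client-certificate variables (added example)."""
import os
import sys

# Constructed sample of what mod_ssl exports for a verified client.
SAMPLE_VERIFIED = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=Example Client,O=Example Org",
    "PATH_INFO": "/restricted/report",   # hypothetical path prefix
}

def client_identity(environ):
    """Return the verified subject DN, or None.

    SSL_CLIENT_VERIFY is NONE (no certificate sent), SUCCESS, GENEROUS
    (optional_no_ca) or FAILED:<reason>. Only SUCCESS means the chain
    validated against the configured CA, so a DN alone is not trusted.
    """
    if environ.get("HTTPS", "").lower() != "on":
        return None
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return environ.get("SSL_CLIENT_S_DN") or None

def respond(environ):
    """Return (status, body); the restricted action needs a verified cert."""
    dn = client_identity(environ)
    restricted = environ.get("PATH_INFO", "").startswith("/restricted")
    if restricted and dn is None:
        return "403 Forbidden", "Client certificate required.\n"
    return "200 OK", f"Hello, {dn or 'anonymous'}\n"

def main():
    status, body = respond(os.environ)
    # Audit line: CGI stderr lands in the Apache error log. repr() keeps
    # control characters in a DN from forging extra log lines.
    print("cert-audit verify=%r dn=%r" % (
        os.environ.get("SSL_CLIENT_VERIFY", "unset"),
        os.environ.get("SSL_CLIENT_S_DN", "-")), file=sys.stderr)
    sys.stdout.write(
        f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}")

if __name__ == "__main__":
    main()
```
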