On Fri, Jan 21, 2011 at 11:07 AM, Martin Kuba <makub@xxxxxxxxxxx> wrote:
> Hi Tom,
>
> the normal access log does not contain SSL information. If you want it,
> create a special log using the directive CustomLog, i.e.
>
>
> CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log"
> "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\"
> SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\"
> SSL_CLIENT_I_DN=\"%{SSL_CLIENT_I_DN}x\"
> SSL_CLIENT_VERIFY=\"%{SSL_CLIENT_VERIFY}x\""

Ah, see that's the thing - they can also authenticate in other ways, I
was slightly simplifying the situation. I was hoping that I could get
the same user information into the access logs regardless of how they
authenticate.

>
> See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats for
> details.
>
> By the way, I suggest you to replace the "SSLVerifyClient require" with
>
> SSLVerifyClient optional
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
> ErrorDocument 403 /certneedederror.html
>
> The big advantage is that when something goes wrong, the user will get
> a web page with a nice error message you have written, instead of some weird
> browser popup dialog window with an internal SSL error code.

Yes, that is much better! Thanks :)

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
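Added example, not part of the original thread: a Python parser for lines in the CustomLog format quoted above that reports one identity per request, taking the certificate subject DN only when SSL_CLIENT_VERIFY is SUCCESS and otherwise falling back to %u. The sample lines, host names and DNs are constructed, and the function and field names are this example's own.

```python
import re

QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field; Apache escapes embedded quotes as \"
LINE_RE = re.compile(
    r'^(\S+) (\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) ' + QUOTED +
    r' SSL_PROTOCOL=(\S+) SSL_CLIENT_S_DN=' + QUOTED +
    r' SSL_CLIENT_I_DN=' + QUOTED + r' SSL_CLIENT_VERIFY=' + QUOTED + r'$'
)
FIELDS = ("vhost", "host", "ident", "user", "time", "request", "status",
          "bytes", "agent", "proto", "s_dn", "i_dn", "verify")

# Constructed sample lines in the ssl_request.log format (not real traffic).
SAMPLE_LOG = [
    'www.example.org:443 192.0.2.10 - - [21/Jan/2011:11:07:00 +0100] "GET /app/ HTTP/1.1" '
    '200 512 "Mozilla/5.0" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="/C=CZ/O=Example/CN=Alice" '
    'SSL_CLIENT_I_DN="/C=CZ/O=Example CA/CN=Example CA" SSL_CLIENT_VERIFY="SUCCESS"',
    'www.example.org:443 192.0.2.11 - bob [21/Jan/2011:11:08:00 +0100] "GET /app/ HTTP/1.1" '
    '200 512 "Mozilla/5.0" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="-" '
    'SSL_CLIENT_I_DN="-" SSL_CLIENT_VERIFY="NONE"',
    'www.example.org:443 192.0.2.12 - - [21/Jan/2011:11:09:00 +0100] "GET /app/ HTTP/1.1" '
    '403 209 "Mozilla/5.0" SSL_PROTOCOL=TLSv1 SSL_CLIENT_S_DN="-" '
    'SSL_CLIENT_I_DN="-" SSL_CLIENT_VERIFY="NONE"',
]

def identity(line):
    """Return (method, principal, status) for one log line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    f = dict(zip(FIELDS, m.groups()))
    # Trust the subject DN only when mod_ssl reported a verified chain.
    if f["verify"] == "SUCCESS" and f["s_dn"] != "-":
        return ("client-cert", f["s_dn"], int(f["status"]))
    if f["user"] != "-":   # %u: set by Basic/Digest or another auth module
        return ("remote-user", f["user"], int(f["status"]))
    return ("none", None, int(f["status"]))

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(identity(entry))
```

Lines that do not match the format return None, so they can be counted and reviewed separately instead of being attributed to a user.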