
I have Apache/2.4.6 (Red Hat Enterprise Linux) serving some content to different customers based on their SSL certificate that we issue. If the SSL_CLIENT_S_DN_OU matches the OU in the client's cert, then they will be allowed access to /mydir/customerfolders/<OU> on the webserver.

Each customer's cert contains a unique OU that matches folders under /mydir/customerfolders/<OU> on the webserver.

Example scenario: cust1 has our certificate that contains OU=cust1, so they will be allowed access to https://mywebserver/customerfolders/cust1, which is basically a folder on our webserver: /mydir/customerfolders/cust1.

I have been successful in creating dynamic aliases using AliasMatch that will redirect the URL to the right folder; however, I'd like to take it one step further by redirecting the dynamic alias to a dynamic path, instead of having to define an individual <Directory> stanza for each customer's folder.

Something like:

AliasMatch "^/customerfolders/([a-zA-Z0-9]+)/(.+)" "/mydir/customerfolders/$1/$2"

<Directory "/mydir/customerfolders/$1">
   SSLRequire %{SSL_CLIENT_S_DN_O} eq "MyCompany" \
   and %{SSL_CLIENT_S_DN_OU} in {"$1"}
   Require all granted
   AllowOverride All
</Directory>

I have tried the above but got a Forbidden Request, and the SSL error log has the following:

[Tue Jun 09 08:53:24.624038 2020] [ssl:error] [pid 24991] [client IPADDRESSS:49880] AH02229: access to /mydir/customerfolders/cust1 failed, reason: SSL requirement expression not fulfilled

I'm not really sure if the above method is possible or if I'm using it the right way. I want to utilize Rewrite but am unsure how to tackle it with the SSLRequire directive.

Can someone help point me in the right direction?

UPDATE: I'm almost there... I just need the right regex for this:

    SSLRequire %{REQUEST_URI} =~ m#^/mydir/%{SSL_CLIENT_S_DN_OU}/(.*)#

Currently the above gave me an error:

Failed expression: %{REQUEST_URI} =~ m#^/mydir/%{SSL_CLIENT_S_DN_OU}/(.*)#

How can I change the regex so that it matches REQUEST_URI (which should be /mydir/%{SSL_CLIENT_S_DN_OU}/test.html)? Thanks, J

UPDATED!! Thank you, Mr. White! I have tried your code as below:

RewriteCond %{REQUEST_URI} "!^(/myserver/%{SSL:SSL_CLIENT_S_DN_OU}/.*)" [NC]
RewriteRule "^/mydir/(.*)$" "/myserver/mydir/$1"

<Directory "/myserver/mydir">
    AllowOverride None
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "MyCompany" \
          and %{REQUEST_URI}@@%{SSL_CLIENT_S_DN_OU} =~ m#^/soc/([^/]+)/(.*)@@\1# \
          and %{SSL_CLIENT_I_DN_CN} eq "MyCA"
    Require all granted
</Directory>

However, it is failing with the error:

SSLRequire: syntax error, unexpected T_ERROR: Parse error near '@'

What have I done wrong here? :( All I'm trying to do is allow access to the right directories under /myserver/mydir (e.g. /myserver/mydir/cust1) based on the OU...

I really appreciate your input.

Thanks, J

JaneD

1 Answer

SSLRequire %{REQUEST_URI} =~ m#^/mydir/%{SSL_CLIENT_S_DN_OU}/(.*)#

I don't believe you can use a server variable (using %{var} syntax) directly in a regex like that (it's not valid regex syntax).

Maybe try something like the following instead:

SSLRequire %{REQUEST_URI}@@%{SSL_CLIENT_S_DN_OU} =~ m#^/mydir/([^/]+)/(.*)@@\1#

Where \1 is an internal backreference to the first captured group (i.e. ([^/]+)) which matches against %{SSL_CLIENT_S_DN_OU}. @@ is just some arbitrary string that does not occur in the pattern.

This assumes SSL_CLIENT_S_DN_OU contains a string of the form cust1, which does not contain slashes.

However, this is based on your code attempt, which appears to contradict what you stated in the first part of the question: /mydir/customerfolders/<OU>?

Although, shouldn't you be using the new syntax... Require expr?

SSLRequire is deprecated and should in general be replaced by Require expr.

Reference: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslrequire

MrWhite
  • Thank you so much for taking the time to help! Still errors though... updated my question above. – JaneD Jun 18 '20 at 12:57
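As an added illustration (not code from the question or from Mr White's answer), the following Python reproduces the concatenate-and-backreference comparison the answer proposes using Python's re module, so the decision logic can be exercised outside Apache. It also shows why a trailing $ anchor matters: without it, an OU such as cust10 is accepted for /mydir/cust1/ because \1 only has to match a prefix of the OU. The separator, the paths and the OU values cust1, cust2 and cust10 are constructed for the example.

```python
import re

# Constructed illustration of the SSLRequire test suggested in the answer:
#   %{REQUEST_URI}@@%{SSL_CLIENT_S_DN_OU} =~ m#^/mydir/([^/]+)/(.*)@@\1#
# There is no operator to compare two variables directly, so both values are
# joined with a separator ("@@", chosen because it occurs in neither value) and
# one regex checks, via the backreference \1, that the first path segment
# under /mydir/ equals the OU taken from the client certificate.
SEP = "@@"

# The answer's pattern as written: no trailing anchor after the backreference.
ANSWER_PATTERN = re.compile(r"^/mydir/([^/]+)/(.*)@@\1")

# Same pattern with a closing $ so the OU has to equal the whole segment,
# not just begin with it (cust10 must not be granted /mydir/cust1/).
ANCHORED_PATTERN = re.compile(r"^/mydir/([^/]+)/(.*)@@\1$")


def ou_allowed(request_uri, client_ou, pattern=ANCHORED_PATTERN):
    """Emulate the access decision: True when the OU from the client cert
    matches the customer segment of the requested path."""
    # If the separator appears in either value the join is ambiguous; refuse
    # rather than guess (this guard is part of the example, not of the page).
    if SEP in request_uri or SEP in client_ou:
        return False
    joined = f"{request_uri}{SEP}{client_ou}"
    return pattern.match(joined) is not None


def compare_patterns(cases):
    """Evaluate constructed (request_uri, client_ou) pairs against both
    patterns; returns {(uri, ou): (unanchored_result, anchored_result)}."""
    return {
        (uri, ou): (ou_allowed(uri, ou, ANSWER_PATTERN), ou_allowed(uri, ou))
        for uri, ou in cases
    }


if __name__ == "__main__":
    # Constructed sample requests; cust1, cust2 and cust10 are hypothetical OUs.
    sample_cases = [
        ("/mydir/cust1/test.html", "cust1"),   # own folder: allowed
        ("/mydir/cust2/test.html", "cust1"),   # another customer's folder: denied
        ("/mydir/cust1/test.html", "cust10"),  # prefix OU: only the unanchored form allows it
    ]
    for (uri, ou), (loose, strict) in compare_patterns(sample_cases).items():
        print(f"{uri:26} OU={ou:7} unanchored={loose!s:5} anchored={strict}")
```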