
I have a <Location> within a virtualhost that looks like this:

    <Location /app1/>
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLRequireSSL
        SSLOptions +OptRenegotiate
        SSLCipherSuite HIGH
        SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Customer1" \
        or %{SSL_CLIENT_S_DN_OU} eq "Customer2" \
        or %{SSL_CLIENT_S_DN_OU} eq "Customer3"
    </Location>

This requires everyone who wants to access /app1/ to present a client certificate to the server. The backend server is Tomcat.

Is it possible to "route" visitors who don't authenticate to a different location than visitors who have a certificate? E.g. the ones with no certificate get less functionality...

Thank you

zero_r

1 Answer


You can use mod_rewrite to send people somewhere else.

First, you must configure your Apache so that it allows people without a certificate in (i.e. use SSLVerifyClient optional). Note that this may break with certain browsers. Check this before going live.

Then, as a second step, you can use mod_rewrite like so:

    RewriteEngine On
    # Only match requests which don't have a proper client certificate
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !SUCCESS

    # Prefix the URL for those people with /guest
    RewriteRule ^/(.*)$ /guest/$1

Holger Just
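
The two steps from the answer combined with the OU restriction from the question, as an added example that is not part of the original answer. The host name, file paths, the `/guest/app1/` target, the `[PT]` flag and the placement of `SSLVerifyClient optional` at virtual-host level (so the certificate is requested in the initial handshake, before the rewrite rules run) are assumptions.

```apache
<VirtualHost *:443>
    # Constructed placeholder host name and file paths
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # CA that issues the customer certificates
    SSLCACertificateFile  /etc/apache2/ssl/customer-ca.crt

    # Ask for a certificate in the initial handshake, but let the
    # handshake complete when the client sends none.
    SSLVerifyClient optional
    SSLVerifyDepth 2

    RewriteEngine On
    # mod_ssl documents the values NONE, SUCCESS, GENEROUS and FAILED:reason
    # for SSL_CLIENT_VERIFY; only an exact SUCCESS keeps the request on /app1/.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    # Assumption: /guest/app1/ is mapped to the reduced Tomcat application
    # by ProxyPass or JkMount, so [PT] hands the new URL back to that mapping.
    RewriteRule ^/app1/(.*)$ /guest/app1/$1 [PT]

    # Full functionality: the OU check from the question stays in place.
    # A request without a certificate has an empty SSL_CLIENT_S_DN_OU, so
    # this block still denies it if the rewrite rule is ever removed.
    <Location /app1/>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Customer1" \
                or %{SSL_CLIENT_S_DN_OU} eq "Customer2" \
                or %{SSL_CLIENT_S_DN_OU} eq "Customer3"
    </Location>

    # Reduced functionality for visitors without a verified certificate
    <Location /guest/>
        SSLRequireSSL
    </Location>
</VirtualHost>
```

A client with a valid certificate but an OU outside the three listed values is not rewritten and is refused by the `/app1/` block rather than being sent to the guest area.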