On Tue, Sep 20, 2005 at 12:16:40PM +0200, Martin Kraemer wrote: > To recap the problem, Joe said: > > there > > seems to be a rather annoying fundamental problem: the match_headers > > hooks runs too early to be useful for this when doing per-dir client > > cert negotiation. > > I haven't traced it: why is match_headers too early?
match_headers is a header_parser hook, and header_parser hooks run before auth hooks in request processing; per-dir SSL negotiation is an auth hook. > In theory, the SSL negotiation has been done with before the request > and headers can be read. Of course, it would be too late for switching > on SSLVerifyClient in a per-dir-context unless it has already been on > globally. But that has nothing to do with mod_setenvif, only with the > way SSL requests work. It has everything to do with mod_setenvif. If this were e.g. a mod_rewrite extension instead it would work correctly for per-dir rules since mod_rewrite per-dir rules are processed in a fixup hook - *after* the auth hooks. joe
