On Tue, Sep 20, 2005 at 12:12:53PM +0100, Joe Orton wrote:
> >
> > I haven't traced it: why is match_headers too early?
>
> match_headers is a header_parser hook, and header_parser hooks run
> before auth hooks in request processing; per-dir SSL negotiation is an
> auth hook.
>
> [...]
> It has everything to do with mod_setenvif. If this were e.g. a
> mod_rewrite extension instead it would work correctly for per-dir rules
> since mod_rewrite per-dir rules are processed in a fixup hook - *after*
> the auth hooks.

Isn't that exactly what we wanted (and why it also works for me)?
"header_parser hooks run before auth hooks processing"
So match_headers() gets called and sets the environment variable:

    SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
        "(committers|administrators)" \
        ThisUserHasAValidCert=$1

Later on, you can control access (in dir context, if desired) by

    allow from env=ThisUserHasAValidCert

Or, if you want to do it without the (IMHO more general) environment
method, use mod_ssl configuration only:

    SSLRequire "administrators" in PeerExtList("1.3.6.1.4.1.18060.1") \
        || "committers" in PeerExtList("1.3.6.1.4.1.18060.1")

and that can also be put into directory context and has been tested
to work.

Martin
--
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-48332 | 81730 Munich, Germany
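
The hook ordering discussed in this thread, as a small added model (an illustration added here, not code from the thread, the patch, or httpd). It compares a client certificate received at the initial handshake with one obtained only by per-dir renegotiation; the names Request, process and run, the simplified phase list, and the sample extension value are assumptions, and the "fixups" run stands in for the mod_rewrite per-dir comparison.

```python
import re

OID = "1.3.6.1.4.1.18060.1"                  # extension OID used in the thread
PATTERN = re.compile(r"(committers|administrators)")
PHASES = ["header_parser", "access_checker", "fixups"]   # simplified order (assumption)
EXTS = {OID: ["committers"]}                 # constructed sample certificate extensions


class Request:
    def __init__(self, cert_exts, cert_at_handshake):
        self._cert_exts = cert_exts
        self.peer_cert_seen = cert_at_handshake   # True: cert came with the first handshake
        self.env = {}
        self.ssl_require_ok = False

    def peer_ext_list(self, oid):
        # Extension values are visible only once the client certificate was received.
        return self._cert_exts.get(oid, []) if self.peer_cert_seen else []


def setenvif_match(r):
    """Models match_headers: set the variable if an extension value matches."""
    for value in r.peer_ext_list(OID):
        m = PATTERN.search(value)
        if m:
            r.env["ThisUserHasAValidCert"] = m.group(1)
            return


def ssl_access(r):
    """Models per-dir SSL: renegotiate for the cert, then evaluate SSLRequire."""
    r.peer_cert_seen = True
    values = r.peer_ext_list(OID)
    r.ssl_require_ok = "administrators" in values or "committers" in values


def process(r, setenvif_phase="header_parser"):
    hooks = {setenvif_phase: [setenvif_match]}
    hooks.setdefault("access_checker", []).append(ssl_access)
    for phase in PHASES:                      # run hooks strictly in phase order
        for hook in hooks.get(phase, []):
            hook(r)
    return r.env.get("ThisUserHasAValidCert"), r.ssl_require_ok


def run(cert_at_handshake, setenvif_phase="header_parser"):
    """Returns (value of ThisUserHasAValidCert or None, SSLRequire result)."""
    return process(Request(EXTS, cert_at_handshake), setenvif_phase)
```

In this model the environment variable is set only when the certificate is already present at the header_parser phase, while the SSLRequire-style check passes in both cases because it is evaluated after the renegotiation.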