On Fri, Jan 21, 2011 at 11:07 AM, Martin Kuba <ma...@ics.muni.cz> wrote:
> Hi Tom,
>
> the normal access log does not contain SSL information. If you want it,
> create a special log using the directive CustomLog, i.e.
>
>
> CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y/%m/%d/ssl_request.log"
> "%v:%p %h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\"
> SSL_PROTOCOL=%{SSL_PROTOCOL}x SSL_CLIENT_S_DN=\"%{SSL_CLIENT_S_DN}x\"
> SSL_CLIENT_I_DN=\"%{SSL_CLIENT_I_DN}x\"
> SSL_CLIENT_VERIFY=\"%{SSL_CLIENT_VERIFY}x\""Ah, see that's the thing - they can also authenticate in other ways, I was slightly simplifying the situation. I was hoping that I could get the same user information into the access logs regardless of how they authenticate. > > See http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats for > details. > > By the way, I suggest you to replace the "SSLVerifyClient require" with > > SSLVerifyClient optional > SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" > ErrorDocument 403 /certneedederror.html > > The big advantage is that when something goes wrong, the user will get > a web page with a nice error message you have written, instead of some weird > browser popup dialog window with an internal SSL error code. Yes, that is much better! Thanks :) Cheers Tom --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
