On Tue, Sep 20, 2005 at 05:32:32PM +0200, Martin Kraemer wrote:
> On Tue, Sep 20, 2005 at 12:12:53PM +0100, Joe Orton wrote:
> > >
> > > I haven't traced it: why is match_headers too early?
> >
> > match_headers is a header_parser hook, and header_parser hooks run
> > before auth hooks in request processing; per-dir SSL negotiation is an
> > auth hook.
> >
> > [...]
> > It has everything to do with mod_setenvif. If this were e.g. a
> > mod_rewrite extension instead it would work correctly for per-dir rules
> > since mod_rewrite per-dir rules are processed in a fixup hook - *after*
> > the auth hooks.
>
> Isn't that exactly what we wanted (and why it also works for me)?

No, you're missing the point. I'm talking about configurations where
"SSLVerifyClient require" is configured in per-location context rather
than at vhost context. In that case, the client cert has only been
negotiated when the auth hooks run, so trying to do anything with the
client cert *before* the auth hooks run is not going to work.

> "header_parser hooks run before auth hooks processing"
> So match_headers() gets called and sets the environment variable:
>
> SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
> "(committers|administrators)" \
> ThisUserHasAValidCert=$1
>
> Later on, you can control access (in dir context, if desired) by
>
> allow from env=ThisUserHasAValidCert

That's just SSLRequire reimplemented badly, as you say. What's the real
use-case for this feature, what problem are you trying to solve?
joe
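To make the hook-ordering point concrete, here is an added configuration sketch (not from the thread and not from httpd's own docs): Martin's SetEnvIf rule placed next to a per-location SSLRequire that mod_ssl evaluates in the auth phase. The SetEnvIf syntax and the OID are taken from the message above; the SSLRequire PeerExtList() function is the one documented for httpd 2.4, and the certificate paths are placeholders.

```apache
<VirtualHost *:443>
    SSLEngine on
    # placeholder paths, not from the thread
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCACertificateFile  /etc/ssl/certs/ca.pem

    # Does NOT work with per-location SSLVerifyClient: mod_setenvif runs
    # this rule in the header_parser hook, before the auth hooks where
    # mod_ssl renegotiates for /secure, so no client cert exists yet and
    # ThisUserHasAValidCert is never set for that request.
    SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
             "(committers|administrators)" \
             ThisUserHasAValidCert=$1

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
        Order deny,allow
        Deny from all
        Allow from env=ThisUserHasAValidCert
    </Location>

    # Works: SSLRequire is evaluated by mod_ssl itself in the auth phase,
    # after the per-location client cert negotiation has completed, so the
    # extension values are available when the check runs.
    <Location /secure-ok>
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLRequire "committers"     in PeerExtList("1.3.6.1.4.1.18060.1") \
                or "administrators" in PeerExtList("1.3.6.1.4.1.18060.1")
    </Location>
</VirtualHost>
```

Moving "SSLVerifyClient require" up to vhost context would also make the SetEnvIf rule see the cert, since the cert is then negotiated during the initial handshake rather than in the auth hook.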