Hallo!
I am trying to implement the following setup
browser -> 443:pound -> 80:squid -> 80:apache
where it is possible to scale and switch/failover every element and
Pound seems to suit very well for https:// termination and load
balancing (probably being balanced itself).
Authentication to the website is done using client certificates
(actually these certificates reside on so-called smartcards) so that
1. the user authenticates herself once on the URI /login/ and system and user
agree on a session cookie
2. the user's identity is based on the session cookie (it makes navigation
much quicker, at least in our case with certificates being on smartcards)
(3. there could possibly be some other sensitive URIs where the user needs
to specifically authenticate)
Following the manual, I managed to set up v 2.3.2 so that after providing a
client certificate Pound sends headers like
X-SSL-certificate: -----BEGIN CERTIFICATE-----
MIIENzCCAx+gAwIBAgIEQudJRTANBgkqhkiG9w0BAQUFADB8MRgwFgYJKoZIhvcN
AQkBFglwa2lAc2suZWUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKExlBUyBTZXJ0aWZp
....
And my question is: is it possible to make Pound require a client
certificate for certain URIs only and not for the whole website? I.e. I would
like to get an effect similar to Apache's (or what kind of workaround do you
suggest?)
<Location /login>
SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional
SSLVerifyDepth 2
</Location>
Best Regards
Imre Oolberg
Re: [Pound Mailing List] how to make pound to require client certificate for certain URI only
Robert Segall <roseg(at)apsis.ch>
On Mon, 2007-06-04 at 09:39 +0300, Imre Oolberg wrote:
[...]
No, you can't. Pound either requests a certificate or it doesn't.
What you do with the certificate contents is another matter: they are
passed to the back-end, so your application can verify them - or not.
[...]
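One way the back-end can do the verification Robert mentions, as an added example that is not part of the thread, of Pound or of Apache: it takes the PEM from the X-SSL-certificate header, checks it against the CA that issued the smartcard certificates, and demands it only under /login/, exactly the split Imre describes. It uses the Python cryptography library; the CA, user name and certificates are constructed on the spot, and the whitespace normalisation assumes the proxy may have folded the PEM lines into the header. The back-end must be reachable only through Pound, since otherwise any client could supply this header itself.

```python
"""X-SSL-certificate check for an application behind Pound: require the client
certificate under /login/ only, and let the session cookie identify the user elsewhere."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

PROTECTED_PREFIX = "/login/"   # the one URI where the certificate is demanded
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def issue(subject_cn, issuer_cn, signing_key, public_key):  # constructed one-day test cert
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.utcnow()
    return (x509.CertificateBuilder().subject_name(name(subject_cn))
            .issuer_name(name(issuer_cn)).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(signing_key, hashes.SHA256()))

def verify_header(value, ca_cert):
    """Subject CN if the header carries a valid certificate issued by ca_cert, else None."""
    b64 = "".join(value.replace(BEGIN, "").replace(END, "").split())  # undo header folding
    pem = "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])
    try:
        cert = x509.load_pem_x509_certificate(pem.encode())
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except (ValueError, InvalidSignature):
        return None          # missing/malformed PEM, or not signed by our CA
    now = datetime.datetime.utcnow()
    if cert.issuer != ca_cert.subject or not cert.not_valid_before <= now <= cert.not_valid_after:
        return None          # wrong issuer, expired, or not yet valid
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def authorize(path, headers, ca_cert):
    if not path.startswith(PROTECTED_PREFIX):
        return "session"     # outside /login/ the session cookie identifies the user
    return verify_header(headers.get("X-SSL-certificate", ""), ca_cert)  # None = deny

def demo():
    """Constructed scenario: a genuine smartcard cert, one signed by a rogue key, and none."""
    ca_key, rogue_key, user_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca = issue("Test CA", "Test CA", ca_key, ca_key.public_key())
    good, rogue = (issue("Imre", "Test CA", k, user_key.public_key()) for k in (ca_key, rogue_key))
    hdr = lambda c: {"X-SSL-certificate": c.public_bytes(serialization.Encoding.PEM).decode()}
    return {"good": authorize("/login/", hdr(good), ca), "rogue": authorize("/login/", hdr(rogue), ca),
            "none": authorize("/login/", {}, ca), "public": authorize("/news/", {}, ca)}
```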