How to auth with client certificates and not depending on URI

Hi all,

I have a web ( that need to be accessed with and without TLS Client Certificate auth, depending on the URI.

For everyone accessing to I need TLS auth, but I need those accessing to not to present a certificate.

I have though to establish 2 ACLs but the client certificate request is set at the frontend config and don’t know how to do it, can you help me, please?

@lukastribus showed an excellent example of how to do this here with seperate domains/subdomains:

Hopefully, you can use a subdomain in a similar way because with a URI I can’t think of anything clever we can do as you will always need the client SSL settings in the frontend so users will always be prompted for a client cert…


I was trying to avoid the client certificate request for those who don’t need it, but I see it’s not possible. I cannot use the SNI solution, I have no control over the app that generates the URL not to be protected by TLS.

I think the solution is creating ACLs while permitting anyone to be asked for a certificate…

Yes, I’m afraid I agree, interestingly I find if a user has no client certificate installed in their browser at all most web browsers are clever enough to ignore a request to provide an optional client certificate.

I mention this in my Blog here:

Thanks Aaron, I’ll try with ACLs…