How to auth with client certificates and not depending on URI


#1

Hi all,

I have a web (https://www.domain.com) that need to be accessed with and without TLS Client Certificate auth, depending on the URI.

For everyone accessing to www.domain.com I need TLS auth, but I need those accessing to www.domain.com/nocert not to present a certificate.

I have though to establish 2 ACLs but the client certificate request is set at the frontend config and don’t know how to do it, can you help me, please?


#2

@lukastribus showed an excellent example of how to do this here with seperate domains/subdomains:

Hopefully, you can use a subdomain in a similar way because with a URI I can’t think of anything clever we can do as you will always need the client SSL settings in the frontend so users will always be prompted for a client cert…


#3

:frowning:

I was trying to avoid the client certificate request for those who don’t need it, but I see it’s not possible. I cannot use the SNI solution, I have no control over the app that generates the URL not to be protected by TLS.

I think the solution is creating ACLs while permitting anyone to be asked for a certificate…


#4

Yes, I’m afraid I agree, interestingly I find if a user has no client certificate installed in their browser at all most web browsers are clever enough to ignore a request to provide an optional client certificate.

I mention this in my Blog here:


#5

Thanks Aaron, I’ll try with ACLs…