I have thought to establish 2 ACLs but the client certificate request is set at the frontend config and I don’t know how to do it, can you help me, please?
@lukastribus showed an excellent example of how to do this here with separate domains/subdomains:
Hopefully, you can use a subdomain in a similar way because with a URI I can’t think of anything clever we can do as you will always need the client SSL settings in the frontend so users will always be prompted for a client cert…
I was trying to avoid the client certificate request for those who don’t need it, but I see it’s not possible. I cannot use the SNI solution, I have no control over the app that generates the URL not to be protected by TLS.
I think the solution is creating ACLs while permitting anyone to be asked for a certificate…
Yes, I’m afraid I agree. Interestingly, I find that if a user has no client certificate installed in their browser at all, most web browsers are clever enough to ignore a request to provide an optional client certificate.
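
The approach the thread settles on (request a certificate from everyone, enforce it by ACL only on the protected URI), sketched as an added example that is not part of the original posts. The file paths, the `/secure/` prefix and the frontend, backend and server names are assumptions to replace with your own.

```haproxy
frontend fe_https
    mode http
    # "verify optional": every client is asked for a certificate during the
    # TLS handshake, but a client that sends none is still accepted.
    # Certificate and CA paths are assumed placeholders.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # Assumed prefix of the URI that must be protected by a client certificate.
    acl protected_path  path_beg /secure/
    # True when this TLS session carries a client certificate.
    acl has_client_cert ssl_c_used
    # 0 means the certificate validated against ca-file. This only differs
    # from 0 if ca-ignore-err / crt-ignore-err are set on the bind line,
    # but checking it keeps the rule safe if they are added later.
    acl cert_verified   ssl_c_verify 0

    # Enforce the certificate on the protected URI only; all other
    # requests pass through whether or not a certificate was sent.
    http-request deny if protected_path !has_client_cert
    http-request deny if protected_path !cert_verified

    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080
```

Because the certificate request happens in the handshake, before HAProxy sees the URI, the ACLs decide only what happens after the request arrives; they cannot suppress the browser prompt for users who have a certificate installed.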