httpd-users mailing list archives

From Andrei Ivanov
Subject [users@httpd] filtering by IP SAN entries in the client certificate
Date Wed, 15 Feb 2017 10:31:53 GMT
I have a requirement to check incoming requests, something that would
be succinctly expressed this way:

<Location />
    Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
</Location>

This would check that the request IP address is among the IP addresses in
the client certificate.

Unfortunately, this doesn't work:
1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
mod_nss, which exports it
2. The expression evaluation engine doesn't know how to evaluate this kind
of expression
3. I've tried using mod_lua for the expression, but it can't access these
kinds of environment variables (and the SSL-specific ones only if exposed by
mod_ssl, not other modules, like mod_nss)

I have run out of ideas on what to try.

Please help.

Thank you.

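Added example, not part of the original message and not httpd, mod_ssl or mod_nss code: the check the message describes (the request's source address must be one of the IP SAN entries in the client certificate), written in Python for an application that terminates TLS itself. It assumes the certificate is available in the dict shape returned by `ssl.SSLSocket.getpeercert()`; the function names and the sample certificate are hypothetical. Addresses are compared as parsed values rather than strings, because IPv6 text forms and IPv4-mapped addresses would otherwise fail to match.

```python
import ipaddress


def _normalise(text):
    """Parse an address string and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def remote_addr_in_cert_sans(remote_addr, peercert):
    """Return True only if remote_addr equals an IP SAN entry of the certificate.

    peercert is assumed to have the shape of ssl.SSLSocket.getpeercert().
    Fails closed: no certificate, no IP SANs or unparsable input gives False.
    """
    if not peercert:
        return False
    try:
        remote = _normalise(remote_addr)
    except ValueError:
        return False
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue  # DNS, email and URI entries never count as addresses
        try:
            if _normalise(value) == remote:
                return True
        except ValueError:
            continue  # ignore a malformed entry instead of trusting it
    return False


# Constructed sample certificate (documentation address ranges only).
SAMPLE_CERT = {
    "subject": ((("commonName", "client.example"),),),
    "subjectAltName": (
        ("DNS", "client.example"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:1"),
    ),
}

if __name__ == "__main__":
    for peer in ("192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1", "192.0.2.11"):
        print(peer, remote_addr_in_cert_sans(peer, SAMPLE_CERT))
```

If a reverse proxy or load balancer sits in front of the server, the address seen is the proxy's, so the check only holds where the TLS peer address is the real client.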