Hello,

I have to deploy experimental web services and to limit their access to a
limited (but varying) list of people (well, computers). The web services are
developed in C++ using gsoap.

The solution used is to hide the services behind an Apache server using
mod_proxy to redirect queries to the services.

The authentication is handled through mod_ssl asking to present a certificate
and filtering users on their DN.

Everything works but I'm not administrator of the Apache server. Thus, I
cannot edit myself the virtual host SSLRequire definition. I have to ask to
the administrator through a somewhat long process.

We think that we could place the SSLRequire in a .htaccess of a folder I would
have the rights on, the mod_proxy handled folders being subfolders of this
one. The problem here is that the proxying is applied before the SSL
certificate verification.

Is there a way to allow me to modify the authorized certificates list without
having full administrative rights ?

Thanks in advance.

Regards,

Gaël

PS: below are some parts of my configuration files
mod_proxy.conf
ProxyPass /a/service http://localhost:10001/

/etc/httpd/conf/vhosts.d/01_default_ssl_vhost.conf
SSLVerifyClient require
SSLVerifyDepth 10

a/.htaccess
SSLRequireSSL
SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/MY CN/ )

--
Gael de Chalendar
CEA-LIST
Centre de Fontenay-aux-Roses
Laboratoire d'Ingénierie de la Connaissance Multimédia Multilingue (LIC2M)
(Multimedia and Multilingual Knowledge Engineering Laboratory)
Bat. 38-2 ; 18, rue du Panorama ; BP 6
92265 Fontenay aux Roses Cedex ; France
Tél.:01.46.54.80.18 ; Fax.:01.46.54.75.80
Email : Gael.D.O.T.de-Chalendar.A@T.cea.D.O.T.fr
__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org