Apache 2.4: Require client certificate only for non-GET methods

apache-2.4 client-certificate mod-ssl

You can use mod_ssl with basic auth to allow only who have presented a valid certificate. You need to modify the LimitExcept part like this:

<LimitExcept GET>
    AuthType Basic
    AuthName "no-GET thingy"
    Require ssl-verify-client
</LimitExcept>

You can use any number and combination of Require statements, so if you want to check the certificate properties as well, you can do something like this:

<LimitExcept GET>
    AuthType Basic
    AuthName "no-GET thingy"
    <RequireAll>
        Require ssl-verify-client
        Require expr "'${SSL_CLIENT_S_DN_O}' == 'org'"
        Require expr "'${SSL_CLIENT_S_DN_OUT}' == 'theOU'"
        Require expr "'${SSL_CLIENT_S_DN_CN}' != 'notThisUser'"
    </RequireAll>
</LimitExcept>

Related

Why is AWS shutting down automatically all the instances launched after the fifth?
Using Nginx real_ip when you don't know the intermediate proxy IP addresses
Why does the Cisco RV180 not let me use a 255.255.254.0 subnet mask with a 192.168.2.1 LAN IP address?
What was the PS1's Parallel I/O port used for?
What causes Nova's Triple Tap to go on a short cooldown?
How many name prefixes can be stacked onto one weapon?
Does the enemy see Hanzo's sonar?
Using Wii U on wireless network with username and password
Does Mercy's damage boost apply to turrets? [duplicate]
Getting rid of 1000 plus bounty [duplicate]
How to spot an imminent dragon attack?
I Can't Place Modded Blocks on my Minecraft Server