| Description: | Allow access only when an arbitrarily complex
boolean expression is true |
|---|
| Syntax: | SSLRequire expression |
|---|
| Context: | directory, .htaccess |
|---|
| Override: | AuthConfig |
|---|
| Status: | Extension |
|---|
| Module: | mod_ssl |
|---|
SSLRequire is deprecated
SSLRequire is deprecated and should in general be replaced
by Require expr. The so called
ap_expr syntax of Require expr is
a superset of the syntax of SSLRequire , with the following
exception:
In SSLRequire , the comparison operators < ,
<= , ... are completely equivalent to the operators
lt , le , ... and work in a somewhat peculiar way that
first compares the length of two strings and then the lexical order.
On the other hand, ap_expr has two sets of
comparison operators: The operators < ,
<= , ... do lexical string comparison, while the operators
-lt , -le , ... do integer comparison.
For the latter, there are also aliases without the leading dashes:
lt , le , ...
This directive specifies a general access requirement which has to be
fulfilled in order to allow access. It is a very powerful directive because the
requirement specification is an arbitrarily complex boolean expression
containing any number of access checks.
The expression must match the following syntax (given as a BNF
grammar notation):
expr ::= "true" | "false"
| "!" expr
| expr "&&" expr
| expr "||" expr
| "(" expr ")"
| comp
comp ::= word "==" word | word "eq" word
| word "!=" word | word "ne" word
| word "<" word | word "lt" word
| word "<=" word | word "le" word
| word ">" word | word "gt" word
| word ">=" word | word "ge" word
| word "in" "{" wordlist "}"
| word "in" "PeerExtList(" word ")"
| word "=~" regex
| word "!~" regex
wordlist ::= word
| wordlist "," word
word ::= digit
| cstring
| variable
| function
digit ::= [0-9]+
cstring ::= "..."
variable ::= "%{" varname "}"
function ::= funcname "(" funcargs ")"
For varname any of the variables described in Environment Variables can be used. For
funcname the available functions are listed in
the ap_expr documentation.
The expression is parsed into an internal machine
representation when the configuration is loaded, and then evaluated
during request processing. In .htaccess context, the expression is
both parsed and executed each time the .htaccess file is encountered during
request processing.
Example
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} -ge 1 and %{TIME_WDAY} -le 5 \
and %{TIME_HOUR} -ge 8 and %{TIME_HOUR} -le 20 ) \
or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
The PeerExtList(object-ID) function expects
to find zero or more instances of the X.509 certificate extension
identified by the given object ID (OID) in the client certificate.
The expression evaluates to true if the left-hand side string matches
exactly against the value of an extension identified with this OID.
(If multiple extensions with the same OID are present, at least one
extension must match).
Example
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
Notes on the PeerExtList function
The object ID can be specified either as a descriptive
name recognized by the SSL library, such as "nsComment" ,
or as a numeric OID, such as "1.2.3.4.5.6" .
Expressions with types known to the SSL library are rendered to
a string before comparison. For an extension with a type not
recognized by the SSL library, mod_ssl will parse the value if it is
one of the primitive ASN.1 types UTF8String, IA5String, VisibleString,
or BMPString. For an extension of one of these types, the string
value will be converted to UTF-8 if necessary, then compared against
the left-hand-side expression.
See also
- Environment Variables in Apache HTTP Server,
for additional examples.
- Require expr
- Generic expression syntax in Apache HTTP Server
