tags:

views:

1655

answers:

3

Our site is running on apache and is secured using client certificates. So far there was only one certificate that would provide access to the whole site. Now, we have a requirement to expose jira to a new group of users who should not be able to access anything else but jira. I created a separate certificate for that group and planning to distinguish them by using SSLRequire and Location/LocationMatch combination.

So the criteria are:

  1. Users with old certificate can access complete site
  2. Users with new certificate can only access /jira URL pattern

I tried a few combinations but was not able to get the negation for LocationMatch to work. Any help would be appreciated.

The httpd.conf file looks like this:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/myca.crt

<Location /jira> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} in {"AllUsers", "JiraUsers"}
</Location> 

<LocationMatch /!(jira)> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} eq "AllUsers"
</LocationMatch>

Thanks!

A: 

It was a matter of getting the regex right. The LocationMatch directive with the following regex worked fine.

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/myca.crt

<Location /jira> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} in {"AllUsers", "JiraUsers"}
</Location> 

<LocationMatch ^/[a-ik-zA-IK-Z]> 
   SSLRequire   %{SSL_CLIENT_S_DN_CN} eq "AllUsers"
</LocationMatch>

A: 

Apache2 uses PCRE, which supports Perl 5 RE syntax, so this is possible using negative look-ahead, as described at http://perldoc.perl.org/perlre.html#Extended-Patterns.

Milos Jakubicek

A: 

Negative regexes are not supported in Apache 2.2.

See https://issues.apache.org/bugzilla/show_bug.cgi?id=10932

I don't know if it has been fixed in the latest Apache version.

As a workaround, use:

# one negated character class per letter of "static"
<LocationMatch "/[^s][^t][^a][^t][^i][^c]">
</LocationMatch>

or

# negative look-ahead: any path that does not start with /static
<LocationMatch "^/(?!static)">
</LocationMatch>

Marc MAURICE
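An added check, not part of any answer in this thread: the script below models the two SSLRequire sections with Python's re module (used here as a stand-in for PCRE, which accepts these same patterns) and lists, for each candidate LocationMatch regex, the sample paths where a JiraUsers or unknown-CN certificate would get through although the question's policy denies it. It compares the accepted answer's character class, the negative look-ahead from Marc MAURICE's answer adapted to /jira, and a segment-anchored look-ahead that is not on the page; the <Location /jira> prefix semantics, the "Other" CN and the sample paths are assumptions.

```python
import re

# Constructed model of the thread's two SSLRequire sections: <Location /jira>
# admits AllUsers and JiraUsers, the <LocationMatch> block admits AllUsers only.
# Candidate LocationMatch regexes: the accepted answer's character class, the
# third answer's negative look-ahead adapted to /jira, and a segment-anchored one.
CANDIDATES = {
    "char-class": re.compile(r"^/[a-ik-zA-IK-Z]"),
    "neg-lookahead": re.compile(r"^/(?!jira)"),
    "neg-lookahead-segment": re.compile(r"^/(?!jira(/|$))"),
}

def in_location_jira(path):
    # Assumed model of the non-regex <Location /jira>: a prefix match on whole
    # path segments, so /jira and /jira/x match but /jirafake does not.
    return path == "/jira" or path.startswith("/jira/")

def access_allowed(cn, path, regex):
    """True if a client presenting a valid cert with subject CN `cn` may fetch
    `path`: every section that applies adds its own SSLRequire condition."""
    allowed = True
    if in_location_jira(path):
        allowed = allowed and cn in ("AllUsers", "JiraUsers")
    if regex.search(path):
        allowed = allowed and cn == "AllUsers"
    return allowed

def intended(cn, path):
    """The policy from the question: AllUsers everywhere, JiraUsers only /jira."""
    if cn == "AllUsers":
        return True
    if cn == "JiraUsers":
        return in_location_jira(path)
    return False  # any other CN issued by the same CA gets nothing

# Constructed sample paths, chosen to probe the edges of each regex.
SAMPLE_PATHS = ["/", "/jira", "/jira/browse/ABC-1", "/jirafake", "/jetty",
                "/admin", "/2024/report", "/confluence"]

def policy_gaps(name):
    """Paths where a non-AllUsers cert is let through although the intended
    policy denies it: the failure mode to catch before the config goes live."""
    regex = CANDIDATES[name]
    return sorted({p for p in SAMPLE_PATHS for cn in ("JiraUsers", "Other")
                   if access_allowed(cn, p, regex) and not intended(cn, p)})

if __name__ == "__main__":
    for name in CANDIDATES:
        print(f"{name:22s} unconstrained: {policy_gaps(name)}")
```

Any path not matched by either section is subject only to SSLVerifyClient, so every certificate from the CA can reach it; that is what the gap list surfaces.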
