On a kind of "intranet" website, which is secured with username/password combinations and HTTPS I've implemented the next feature:
- Authorized users can read everything on the website
- Files with in their filename "classified" requires a valid SSL-Client certificate...
Here is the output of my apache config:
<Directory /usr/sites/ssl-site/intranet/htdocs>Options Indexes MultiViews
AllowOverride Authconfig
Order allow,deny
Allow from all
AuthName "intranet"
AuthType "Basic"
AuthUserFile /usr/sites/ssl-site/intranet/etc/users.pwl
require valid-user
</Directory>
<LocationMatch .*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+>
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +OptRenegotiate
</LocationMatch>
I still have to sort out some issues, like directories having a directory with the name "classified" in them.
