I have a node.js based web app that requires secure (https) connections from client. What I want is that on some paths client certificate authentication is required and on other paths not.
So for example. If user goes to https://www.example.com/main the server doesn't require client certificate authentication (and thus the browser won't ask anything). But if the user navigates to https://www.example.com/secure, then the client certificate authentication would be required (and thus the browser will pop up a dialog for selecting which certificate to use).
How can I make this happen. I am able to force client certificate authentication if I pass requestCert:true and rejectUnauthorized:true to https.createServer options. The problem with this approach is that client certificate is required for every path.
I am not sure if i exactly understand what you want.. but based on my understanding if you are using express you can manage this thing by a simple middle-ware.. In that middle-ware you can track either request is coming from http or https through this
An HTTPS connection has req.connection.encrypted (an object with information about the SSL connection). An HTTP connection doesn't have req.connection.encrypted.
Also (from the docs):
With HTTPS support, use request.connection.verifyPeer() and request.connection.getPeerCertificate() to obtain the client's authentication details.
I hope this helps..