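{
    # vim: ft=perl:

    # Template fragment that appends the Apache directives publishing the
    # PHPki web interface under /phpki to $OUT.
    #
    # Inputs, all supplied by the enclosing template context and not
    # defined in this fragment:
    #   modSSL record            - status decides whether HTTPS is available
    #   httpd-pki record         - status enables the fragment, TCPPort is the
    #                              loopback backend that serves /phpki
    #   $port                    - port of the host section being generated
    #   $localAccess,
    #   $externalSSLAccess       - address lists allowed to reach /phpki
    #
    # NOTE(review): the output looks like it lands in a VirtualHost section,
    # given the use of $port and the leading-slash rewrite patterns. Confirm
    # against the parent template.

    $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';

    $OUT = '';
    if ((${'httpd-pki'}{'status'} || 'disabled') eq 'enabled'){

        if (($port eq "80") && ($haveSSL eq 'yes')){
            # Plain HTTP host with SSL available: push every /phpki request
            # to the HTTPS host instead of proxying it in clear text.
            $OUT .= "    RewriteRule ^/phpki(/.*|\$)    https://%{HTTP_HOST}/phpki\$1 [L,R]\n";
        }
        else{
            # Reverse-proxy /phpki to the dedicated PKI httpd on loopback.
            $OUT .= "    ProxyPass /phpki http://127.0.0.1:${'httpd-pki'}{TCPPort}/phpki\n";
            $OUT .= "    ProxyPassReverse /phpki http://127.0.0.1:${'httpd-pki'}{TCPPort}/phpki\n";
            # mod_auth_tkt needs to know the protocol to write  307 redirection
            # NOTE(review): this header is emitted outside the /phpki Location,
            # so it is added to every request handled by this host section, and
            # it always says "https" even when this branch runs for a host
            # without SSL. Other proxied backends that trust X-Forwarded-Proto
            # would then treat clear-text requests as secure. Confirm whether
            # it should be scoped to /phpki.
            $OUT .= "    RequestHeader set X-Forwarded-Proto \"https\"\n";

        }

        # Access model of the block below: /phpki as a whole requires SSL and
        # a client address from $localAccess or $externalSSLAccess. The nested
        # Location sections then reopen individual endpoints to everyone:
        # revocation query, policy page, help, and the two CRL downloads.
        # Every path added to that list is reachable without any address
        # restriction, so keep it limited to read-only public material.
        #
        # The legacy redirects map the old stage=dl_crl and stage=dl_crl_pem
        # query strings onto the dedicated CRL scripts and drop the query
        # string (QSD). They are tied to URLs under /phpki and to a whole
        # query parameter: left unscoped, a request for any other path on
        # this host that merely carried such a query string would be
        # redirected to the CRL script as well.
        $OUT .=<<"HERE";
    <Location /phpki>
        SSLRequireSSL on
        Require ip $localAccess $externalSSLAccess
        Header edit Location ^http: https:
    </Location>
    # we want Public access to  ns_revoke_query.php
    <Location /phpki/ns_revoke_query.php>
        Require all granted
    </Location>
    # we want Public access to  policy
    <Location /phpki/policy.html>
        Require all granted
    </Location>
    # we want Public access to help 
    <Location /phpki/help>
        Require all granted
    </Location>
    <Location /phpki/help.php>
        Require all granted
    </Location>
    # we want Public access to crl list
    <Location /phpki/dl_crl.php>
        Require all granted
    </Location>
    <Location /phpki/dl_crl_pem.php>
        Require all granted
    </Location>
    # and we redirect old config to our new safer script
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (^|&)stage=dl_crl(&|\$)
    RewriteRule ^/phpki(/|\$) /phpki/dl_crl.php [QSD,R=302,L]
    RewriteCond %{QUERY_STRING} (^|&)stage=dl_crl_pem(&|\$)
    RewriteRule ^/phpki(/|\$) /phpki/dl_crl_pem.php [QSD,R=302,L]

HERE
   # Earlier approach, kept for reference: proxy the CRL request to the php
   # script, stripping the query string of GET requests while leaving POST
   # requests untouched.
   #RewriteEngine On
   #RewriteCond %{REQUEST_URI} ^/?phpki/dl_crl/?\$
   #RewriteRule ^ /phpki/index.php?stage=dl_crl [P,NC]

    }
}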
