Having trouble converting this Apache directive

Posted by dfelicia 
April 05, 2012 09:00PM
Apache:

Alias /w3pw "/var/www/default/foo"
<Directory "/var/www/default/foo/">
    SSLOptions +StrictRequire +OptRenegotiate
    SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        and %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
        and %{SSL_CLIENT_S_DN_Email} eq "my_email@my_domain" \
        and %{SSL_CIPHER_USEKEYSIZE} >= 128 )
    SSLRequireSSL
    Options -Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Basically all I want to do is forbid access to /foo/index.php if client cert doesn't have what I am looking for. I have tried:

location ~ ^/w3pw/ {
    if ($ssl_client_s_dn !~ "/CN=CAcert WoT User/emailAddress=my_email@my_domain") {
        return 403;
    }
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}

The problem is that on success the php request is not passed on to the upstream php-fpm server. Instead, index.php gets served as a download.
Re: Having trouble converting this Apache directive
April 06, 2012 09:10AM
Ended up just passing $ssl_client_raw_cert to fastcgi and writing some PHP to deal with authentication.
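
A sketch of the approach described in the reply above, as an added example that is not the poster's code. It assumes nginx forwards two FastCGI parameters whose names are chosen here (`SSL_CLIENT_VERIFY` from `$ssl_client_verify` and `SSL_CLIENT_RAW_CERT` from `$ssl_client_raw_cert`), and it compares the certificate's email field exactly, as the Apache `eq` test did, rather than pattern-matching the whole subject DN.

```php
<?php
// Added example, not code from the thread. Assumed nginx side (the
// parameter names are this example's choice):
//   fastcgi_param SSL_CLIENT_VERIFY   $ssl_client_verify;
//   fastcgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;

const ALLOWED_EMAIL = 'my_email@my_domain'; // value from the original post

/**
 * Return true only if nginx verified the certificate chain and the
 * subject's emailAddress equals $allowed exactly.
 */
function client_cert_allowed(array $server, string $allowed): bool
{
    // With "ssl_verify_client optional" or "optional_no_ca" a request can
    // arrive with no certificate or an unverified one, so the PEM text
    // alone proves nothing. Require nginx's own verdict first.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return false;
    }
    $pem = $server['SSL_CLIENT_RAW_CERT'] ?? '';
    if ($pem === '') {
        return false;
    }
    $cert = openssl_x509_parse($pem);
    if ($cert === false) {
        return false; // not a parseable X.509 certificate
    }
    $email = $cert['subject']['emailAddress'] ?? null;
    // A subject carrying several emailAddress attributes parses to an
    // array; reject it rather than guess which one counts.
    if (!is_string($email)) {
        return false;
    }
    // Whole-string comparison, not a regex or substring match on the DN.
    return $email === $allowed;
}

if (!client_cert_allowed($_SERVER, ALLOWED_EMAIL)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("Forbidden\n");
}
// Authorized: the protected page continues from here.
```

The cipher-strength conditions from the Apache `SSLRequire` block are not reproduced here; in nginx those belong in the server's `ssl_ciphers` setting rather than in application code.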