You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Luiz Gustavo Anflor Pereira <lu...@procergs.rs.gov.br> on 2005/07/18 15:51:12 UTC
[users@httpd] SSL headers through proxy
Hello all
I am trying to pass the cliente certificate through an apache configured with mod_ssl, mod-proxy and mod_headers.
The idea is the client being autenticated in the apache server, but the certificate being available to the backend server, something like this:
client <==> apache server (mod_proxy) <==> backend server
I need the client certificate in the backend server. All connectios are SSL/HTTPS.
I have tried all this configurations, but none worked.
#RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" env=SSL_CLIENT_S_DN
#RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}e" env=SSL_CLIENT_S_DN
#RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
#Header add SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" env=SSL_CLIENT_CERT
#Header add SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e" env=SSL_CLIENT_I_DN
ProxyPass /js https://.....
ProxyPassReverse /js https://....
If you could help me i would thank you so much... :-)
Regards, Luiz Gustavo
Re: [users@httpd] SSL headers through proxy
Posted by "Brian V. Hughes" <br...@alum.dartmouth.org>.
You don't say what version of Apache you are using. Hopefully, you are
using at least Apache 2.0.52, because what you want to accomplish can't
really be done with earlier versions. You do want to use mod_headers and
mod_proxy (sort of), but what you are missing is mod_rewrite. The
following is a snippet that you can place in a <VirtualHost> that should
get you what you need:
RewriteEngine on
# Get the SSL Client cert data, if present, and store in a temporary
# environment variabe, after we store it a RewriteCond backreference
# and then add it as a header for the proxy request
RewriteCond %{SSL:SSL_CLIENT_VERIFY} (.*)
RewriteRule .* - [E=SSLC_ON:%1]
RequestHeader add X-SSL-Client-On %{SSLC_ON}e
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} (.*)
RewriteRule .* - [E=SSLC_NAME:%1]
RequestHeader add X-SSL-Client-Name %{SSLC_NAME}e
# mod_rewite proxy request, uses a loopback to diff port on same server
RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]
-Brian
Luiz Gustavo Anflor Pereira wrote:
> I am trying to pass the cliente certificate through an apache configured
> with mod_ssl, mod-proxy and mod_headers.
>
> The idea is the client being autenticated in the apache server, but the
> certificate being available to the backend server, something like this:
>
> client <==> apache server (mod_proxy) <==> backend server
>
> I need the client certificate in the backend server. All connectios are
> SSL/HTTPS.
>
> I have tried all this configurations, but none worked.
>
> #RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" env=SSL_CLIENT_S_DN
> #RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}e"
> env=SSL_CLIENT_S_DN
> #RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
> #Header add SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" env=SSL_CLIENT_CERT
> #Header add SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e" env=SSL_CLIENT_I_DN
>
> ProxyPass /js https://.....
> ProxyPassReverse /js https://....
>
> If you could help me i would thank you so much... :-)
>
> Regards, Luiz Gustavo
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org