Posted to users@httpd.apache.org by "Lucuk, Pete" <pe...@ngc.com> on 2006/11/22 19:21:13 UTC

[users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Hello,

I currently have a HTTPS reverse proxy setup and it works like a champ!

I am trying to pass the client cert from the reverse proxy to the
backend server in the headers like so...

RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
RewriteRule .* - [E=SSLCC:%1]
RequestHeader add X-SSL-Client-Cert %{SSLCC}e
RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443/$1 [P,L]

Problem is, on the backend server that receives the request with client
cert. in the headers it looks like this...

XXX "-----BEGIN CERTIFICATE-----" XXX 10.0.0.114 - -
[21/Nov/2006:16:15:02 -0500] "GET / HTTP/1.1" 200 4855 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

I only get the FIRST line of the client certificate...

-----BEGIN CERTIFICATE-----

And NOT the whole thing like...

-----BEGIN CERTIFICATE-----
MIIDhjCCAm6gAwIBAgIQZ/IVv3ytMJxL1k62UAK1aDANBgkqhkiG9w0BAQUFADAY
Stuff, stuff, stuff,
CnsoGAWH1LHipceWTVaxAh+ZlmP9iwjD6+i7oGSFnuNT9iKBrRXHQuZt
-----END CERTIFICATE-----


I am assuming that the newlines in the client certificate on the reverse
proxy are hosing up sending the WHOLE client certificate.

How do I fix this problem?

Do I try to take out the new lines in rewrite somehow? How do I do
that? I have no clue.

Do I try to do something else? What and how?

I have searched and could not find anything.

Thanks much for your help, I appreciate it.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by "Lucuk, Pete" <pe...@ngc.com>.
I am using httpd-2.2.3.

I read the first bug post and it seems that there was a fix but it never
made it into the core code base?

Could I simply take the fix, replace the current C file that is
causing me headaches with it, and recompile?

Thanks much for taking time and helping me, it is greatly appreciated! 



Re: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by toadie D <to...@gmail.com>.
>> If not, is there some simple way to yank out the new lines in
>> SSL_CLIENT_CERT on the reverse proxy?

Which Apache version are you using?

http://issues.apache.org/bugzilla/show_bug.cgi?id=23223
http://issues.apache.org/bugzilla/show_bug.cgi?id=19405
http://issues.apache.org/bugzilla/show_bug.cgi?id=34975

Some of the bugs above may be relevant to you because they deal with
multi-line headers and how mod_headers in Apache folds them.



Re: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by Serge Dubrouski <se...@gmail.com>.
I don't know too much about Jetty but I know for sure that you can use
AJP with JBoss. Configure the AJP connector in server.xml for the
catalina/tomcat part of JBoss, install mod_jk and
look for the mod_jk SSL options on how to pass the client certificate.

I really doubt that you can use regular mod_proxy for passing client
certificates. This question arose on the list several times but
nobody posted a working solution for it. I use Apache 2.2.3 + mod_jk +
AJP + Tomcat for that and it works perfectly. BTW, Apache 2.2.3 is a must.

On 11/22/06, Lucuk, Pete <pe...@ngc.com> wrote:
> The backend server is a 3.x version of Jboss that uses Jetty as the
> Servlet engine.
> Can you use AJP with Jetty?
>
> If not, is there some simple way to yank out the new lines in
> SSL_CLIENT_CERT on the reverse proxy?
>
> thanks


RE: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by "Lucuk, Pete" <pe...@ngc.com>.
Tried doing it via the query string, and not the headers like this...

RewriteMap escape int:escape
 
RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
RewriteRule .* - [E=SSLCC:%1]

RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443$1?CLIENT_CERT=${escape:%{ENV:SSLCC}} [QSA,P]

And got this...

10.0.0.114 - - [27/Nov/2006:11:52:07 -0500] "GET
/?CLIENT_CERT=-----BEGIN%20CERTIFICATE----- HTTP/1.1" 200 4855 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322)"


So, it does not appear that the whole client cert gets passed as a query
string either.

Do I even have the whole client certificate to begin with at the reverse
proxy server?

I am really trying NOT to use the AJP module for multiple reasons, BUT am I
getting to a point where it is my only option to successfully proxy the
whole client certificate to the JBoss server behind the proxy server?



RE: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by "Lucuk, Pete" <pe...@ngc.com>.
This...

     RewriteMap escape int:escape
 
     RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
     RewriteRule .* - [E=SSLCC:${escape:{%1}}]
     RequestHeader add X-SSL-Client-Cert %{SSLCC}e

     RewriteRule ^/https(.*)$ https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/RequestHeaderExample$1 [P,L]

Gets me this...

user-agent  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322)  
x-ssl-client-on  SUCCESS  
x-ssl-client-name  Doug S. Barnhart  
x-ssl-client-cert  %7b-----BEGIN%20CERTIFICATE-----%7d  
max-forwards  10  
x-forwarded-for  10.0.1.55   

And this...


     RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
     RewriteRule .* - [E=SSLCC:%1]
     RequestHeader add X-SSL-Client-Cert %{SSLCC}e

     RewriteRule ^/https(.*)$ https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/RequestHeaderExample$1 [P,L]

Gets me this...

user-agent  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322)  
x-ssl-client-on  SUCCESS  
x-ssl-client-name  Doug S. Barnhart  
x-ssl-client-cert  -----BEGIN CERTIFICATE-----  
max-forwards  10  
x-forwarded-for  10.0.1.55


It appears that I am still not getting the whole SSL client cert even
after the escape...


	RewriteRule .* - [E=SSLCC:${escape:{%1}}]
	
	x-ssl-client-cert  %7b-----BEGIN%20CERTIFICATE-----%7d


Am I doing something wrong on the escape?

Bottom line, I am trying to get that whole client pem certificate to be
pushed across in the header with no luck.


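Both attempts above left the backend with nothing but the first PEM line, so the receiving side was never exercised. As an added example (not code from the thread or from httpd), here is what a backend needs once a proxy does forward the whole value: it rebuilds canonical PEM from either a URL-escaped value (what a mod_rewrite int:escape map is meant to emit, newline as %0A) or a value whose newlines were folded to spaces, and rejects the truncated and brace-wrapped values the posts actually observed. The header name X-SSL-Client-Cert follows the thread; the two transport forms, the sample DER and all function names are assumptions.

```python
"""Receiving side of a client certificate forwarded in a request header.

Added example, not code from the thread or from httpd. Assumptions:
the proxy sends the PEM either URL-escaped (newline -> %0A, space -> %20)
or with its newlines folded to spaces; SAMPLE_DER is constructed and is
not a real certificate. On the proxy, `RequestHeader unset` of the same
header before adding it (a mod_headers action, not from the thread) keeps
a client-supplied copy from reaching the backend alongside the real one.
"""
import base64
import binascii
import re
from urllib.parse import quote, unquote

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class ClientCertHeaderError(ValueError):
    """The header value does not carry one complete PEM certificate."""


def pem_from_header(value: str) -> str:
    """Rebuild canonical PEM (64-column base64) from the forwarded value.

    Handles the URL-escaped and the space-folded transport forms and
    rejects a value holding only the first PEM line, which is all the
    backend in the thread ever received.
    """
    if "%" in value:                # base64 never contains '%', so this
        value = unquote(value)      # only triggers on the escaped form
    value = value.strip()
    if not (value.startswith(BEGIN) and value.endswith(END)):
        raise ClientCertHeaderError("BEGIN/END markers missing: truncated value")
    # Whatever whitespace the proxy used to fold the lines is outside the
    # base64 alphabet, so all of it can be dropped safely.
    b64 = re.sub(r"\s+", "", value[len(BEGIN):-len(END)])
    if not b64:
        raise ClientCertHeaderError("empty certificate body")
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ClientCertHeaderError(f"body is not base64: {exc}") from exc
    # Every X.509 certificate is a DER SEQUENCE (tag 0x30); check the tag
    # before handing the bytes to a real parser.
    if not der or der[0] != 0x30:
        raise ClientCertHeaderError("decoded bytes are not a DER SEQUENCE")
    return pem_from_der(der)


def header_carries_full_cert(value: str) -> bool:
    """True when the forwarded header can be rebuilt into a whole PEM."""
    try:
        pem_from_header(value)
    except ClientCertHeaderError:
        return False
    return True


def pem_from_der(der: bytes) -> str:
    """Canonical PEM: 64-character base64 lines and a trailing newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def header_value_escaped(pem: str) -> str:
    """Transport form 1: percent-encode everything outside the unreserved
    set, approximating what a URL-escaping RewriteMap would emit."""
    return quote(pem, safe="")


def header_value_folded(pem: str) -> str:
    """Transport form 2: PEM newlines folded into single spaces."""
    return " ".join(pem.split())


# Constructed sample: a DER SEQUENCE wrapping a 64-byte OCTET STRING, long
# enough to need two base64 lines. It is not a certificate.
SAMPLE_DER = b"\x30\x42\x04\x40" + b"\xab" * 64

if __name__ == "__main__":
    pem = pem_from_der(SAMPLE_DER)
    for form in (header_value_escaped(pem), header_value_folded(pem)):
        assert pem_from_header(form) == pem
    # The two values the thread saw at the backend: the first line only,
    # and the escape attempt that also wrapped the value in literal braces.
    for seen in (BEGIN, "%7b-----BEGIN%20CERTIFICATE-----%7d"):
        print(repr(seen), "complete:", header_carries_full_cert(seen))
```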


RE: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by "Lucuk, Pete" <pe...@ngc.com>.
Where would I put the Rewrite escape function in the stuff below? I
tried a couple of different things and could not get it to work. Thank you
for your help, I appreciate it.


RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
RewriteRule .* - [E=SSLCC:%1]
RequestHeader add X-SSL-Client-Cert %{SSLCC}e

RewriteRule ^/https(.*)$ https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/RequestHeaderExample$1 [P,L]




Re: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by Max Dittrich <ma...@t-online.de>.
Lucuk, Pete schrieb:
> The backend server is a 3.x version of Jboss that uses Jetty as the
> Servlet engine.
> Can you use AJP with Jetty?
> 
> If not, is there some simple way to yank out the new lines in
> SSL_CLIENT_CERT on the reverse proxy?

I just looked up the Apache Docs, because I remembered those internal 
RewriteMaps. Maybe there's a chance using the internal RewriteMap 
'escape' to encode special characters like "\n".

Limitations on the accepted length of headers (2048) may break this 
solution.

hf,
.max





RE: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by "Lucuk, Pete" <pe...@ngc.com>.
The backend server is a 3.x version of JBoss that uses Jetty as the
Servlet engine.
Can you use AJP with Jetty?

If not, is there some simple way to yank out the new lines in
SSL_CLIENT_CERT on the reverse proxy?

thanks
 



Re: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

Posted by Serge Dubrouski <se...@gmail.com>.
What is the backend server? If it's Tomcat or JBoss I'd suggest
using the AJP connector, which allows passing client certificates to the backend.
