Posted to users@httpd.apache.org by Margus Pärt <ma...@ria.ee> on 2010/07/22 17:22:48 UTC

[users@httpd] SetEnvIf, setting value from other env value

Hi,

-

I have Apache nodes behind an Apache LB and I am trying to get SSL_* values transparently to the application. Queries go:

Client -> Apache LB -> Apache

-

My currently tested and working solution is as follows:

LB:
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT

Apache:
RewriteEngine On
RewriteRule .* - [E=SSL_CLIENT_CERT:%{HTTP:SSL_CLIENT_CERT}]


-

But I would like to have the following solution (or something similar and working :)):

SetEnvIfNoCase SSL_CLIENT_CERT ^.. SSL_CLIENT_CERT=%{HTTP:SSL_CLIENT_CERT}


Please answer to:

1. The problem with the currently working solution is that every virtualhost has to have RewriteEngine On and RewriteOptions inherit. SetEnvIf would be much cleaner and, as I see it, faster, but it does not work - from looking at the documentation (http://httpd.apache.org/docs/2.1/mod/mod_setenvif.html) it seems that variables are not supported there - so my question is, can anyone suggest a better solution, and perhaps refer to any good documentation (Apache's own documentation is good, but sometimes it does not cover all the scenarios).

2. What is good practice for SSL offloading: should applications themselves be smart enough to read from headers? I noticed that, for example, for mod_weblogic, headers must not be separately sent using mod_headers - mod_weblogic takes SSL parameters from the local env, sends them in its own format to the backend, and SSL_CLIENT_CERT is available to the application as well - is there any other similar alternative for just plain HTTP proxying for Apache?




Best regards,
Margus Pärt

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] RE: SetEnvIf, setting value from other env value

Posted by Margus Pärt <ma...@ria.ee>.
As I was reading old documentation, I did not find what I was looking for the first time. Lauri from #linux.ee, thank you. :)


SetEnvIf SSL_CLIENT_CERT "(..*)" SSL_CLIENT_CERT=$1 


Br,
Margus Pärt
 

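
The two-tier setup from this thread as one configuration, with the LB clearing any client-supplied SSL_CLIENT_CERT header before it sets its own value. This is an added example, not part of the original posts; the Require ip block uses Apache 2.4 syntax and 192.0.2.10 is a placeholder LB address (assumption).

```apache
# --- Load balancer (terminates TLS; mod_ssl, mod_headers, mod_proxy) ---
# Always drop whatever value arrived from the client first. A conditional
# "set ... env=SSL_CLIENT_CERT" on its own leaves an incoming header
# untouched when no client certificate was presented, so the backend
# would receive a value the LB never verified.
RequestHeader unset SSL_CLIENT_CERT
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT

# --- Backend Apache (plain HTTP, reached only through the LB) ---
# Copy the forwarded header into the environment (directive from the reply).
SetEnvIf SSL_CLIENT_CERT "(..*)" SSL_CLIENT_CERT=$1

# The backend trusts the header as-is, so accept requests from the LB only.
# 192.0.2.10 is a placeholder address for the LB (assumption).
<Location />
    Require ip 192.0.2.10
</Location>
```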