Posted to users@httpd.apache.org by Martin Drescher <dr...@snafu.de> on 2012/11/05 12:32:23 UTC

[users@httpd] Setting REMOTE_USER to %{SSL:HTTP_SSL_CLIENT_S_DN_CN}

Hi Folks.

I would like to set the REMOTE_USER environment to the value of
%{HTTP_SSL_CLIENT_S_DN_CN}.
After reading the fine manual a few times I think it should work with that:

  RewriteEngine On
  RewriteCond %{SSL:HTTP_SSL_CLIENT_S_DN_CN} (.+)
  RewriteRule ^.*$ - [E=REMOTE_USER:$1]

Tried some variations, but it does not :-(
Could someone help me out with this?

Thanks, Martin

-- 
 Martin Drescher
 GnuPG Key Fingerprint, KeyID '4FBE451A':
 '2237 1E95 8E50 E825 9FE8  AEE1 6FF4 1E34 4FBE 451A'

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Solved: [users@httpd] Setting REMOTE_USER to %{SSL:HTTP_SSL_CLIENT_S_DN_CN}

Posted by Martin Drescher <dr...@snafu.de>.
Hi Folks.

For all running x509-based AUTHENTICATION on a reverse proxy (using
ProxyPass, even with jk_module) and AUTHORIZATION in a backend server
(e.g. a Nagios...) this may help:

1. Copy interesting x509 attributes (HTTP_SSL_SERVER_S_DN or
HTTP_SSL_CLIENT_S_DN_CN) to a RequestHeader in the reverse proxy. To
avoid naming conflicts I took X-Forwarded-SSL_CLIENT_S_DN_CN:
[...]
  RequestHeader set X-Forwarded-SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
[...]

2. On the backend server copy that HTTP header to httpd's REMOTE_USER
environment using mod_rewrite:
[...]
  RewriteEngine On
  RewriteCond %{HTTP:X-Forwarded-SSL_CLIENT_S_DN_CN} (.*)
  RewriteRule ^.*$ - [E=REMOTE_USER:%1]
[...]

Caution: The backend server trusts the reverse proxy requests fully!
Sanitize your headers carefully there.

Martin


-- 
 Martin Drescher
 GnuPG Key Fingerprint, KeyID '4FBE451A':
 '2237 1E95 8E50 E825 9FE8  AEE1 6FF4 1E34 4FBE 451A'
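A fuller version of the two-host setup described in the post above, written as an added example; it is not Martin's configuration and not part of the original thread. It uses httpd 2.4 syntax. The hostnames, certificate paths and the proxy's IP address are assumptions, as is the choice of Nagios under /nagios/. The points it adds beyond the post are the ones that make the "the backend trusts the proxy fully" caution hold in practice: the proxy requires a verified client certificate before it forwards anything, it drops any X-Forwarded-SSL_CLIENT_S_DN_CN header that arrives from the client side before setting its own, the header is only set when mod_ssl actually exported a CN, and the backend refuses requests that do not come from the proxy. The backend RewriteCond uses (.+) rather than (.*) so that a missing header leaves REMOTE_USER unset instead of setting it to an empty string.

```apache
# ---- Reverse proxy: terminates TLS, authenticates the client certificate ----
<VirtualHost *:443>
    ServerName proxy.example.com                        # assumed name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/proxy.key    # assumed path

    # Only clients whose certificate chains to this CA get past the handshake.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem  # assumed path
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Export SSL_CLIENT_* into the environment so %{...}e below has a value.
    SSLOptions +StdEnvVars

    # Optional: make the CN show up as REMOTE_USER (%u in the access log)
    # on the proxy itself, as suggested earlier in the thread.
    SSLUserName SSL_CLIENT_S_DN_CN

    # Never trust an identity header supplied by the client: drop it first,
    # then set it from the verified certificate. The env= condition means the
    # header is only added when mod_ssl really exported a CN.
    RequestHeader unset X-Forwarded-SSL_CLIENT_S_DN_CN
    RequestHeader set   X-Forwarded-SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}e" env=SSL_CLIENT_S_DN_CN

    ProxyPreserveHost On
    ProxyPass        /nagios/ http://backend.internal/nagios/   # assumed backend
    ProxyPassReverse /nagios/ http://backend.internal/nagios/
</VirtualHost>

# ---- Backend (plain HTTP, must only be reachable from the proxy) ----
<VirtualHost *:80>
    ServerName backend.internal                         # assumed name

    <Location /nagios/>
        # Anyone who can reach this vhost directly could forge the header,
        # so accept requests from the proxy's address only.
        Require ip 10.0.0.5                             # assumed proxy address

        # Copy the forwarded CN into REMOTE_USER for the Nagios CGIs.
        # %1 is the capture from RewriteCond ($1 would refer to RewriteRule).
        RewriteEngine On
        RewriteCond %{HTTP:X-Forwarded-SSL_CLIENT_S_DN_CN} ^(.+)$
        RewriteRule ^ - [E=REMOTE_USER:%1]
    </Location>
</VirtualHost>
```

Two things to check when adapting this. First, the `Require ip` line is the real control on the backend: the RewriteRule will happily turn any X-Forwarded-SSL_CLIENT_S_DN_CN value into REMOTE_USER, so a firewall rule or bind address that keeps the backend off the general network is worth having as well. Second, the header name contains underscores; Apache passes it through (the CGIs see it as HTTP_X_FORWARDED_SSL_CLIENT_S_DN_CN), but nginx drops request headers with underscores by default, so if an nginx ever sits in the path, use a name such as X-Forwarded-Client-CN instead.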



Re: [users@httpd] Setting REMOTE_USER to %{SSL:HTTP_SSL_CLIENT_S_DN_CN}

Posted by Mark Montague <ma...@catseye.org>.
On November 5, 2012 10:24 , Martin Drescher <dr...@snafu.de> wrote:
> On 05/11/12 14:35, Mark Montague wrote:
>> On November 5, 2012 6:32 , Martin Drescher <dr...@snafu.de>
>> wrote:
>>> > I would like to set the REMOTE_USER environment to the value of
>>> > %{HTTP_SSL_CLIENT_S_DN_CN}.
>>>
>>> SSLUserName SSL_CLIENT_S_DN_CN
> Close, but no cigar:
> In fact, I do not use SSL at this distinct host

Then you might want to include that in your original question in order 
to get a better answer.  Your original RewriteCond statement was 
checking the value of an SSL environment variable.  But if you are not 
using SSL on the virtual host in question, then this environment 
variable will not be set and the RewriteCond will always evaluate to 
"false".


> But I run a reverse
> proxy using ProxyPass which terminates the SSL at its world device
> and then forwards to a Nagios host in that case. Nagios is happy with the
> REMOTE_USER environment set for access control. I checked this setting
> REMOTE_USER using the SetEnv syntax. Unfortunately this does not take
> a variable as argument.
>
> So I set an HTTP request header (SSL_CLIENT_S_DN_CN) in the reverse
> proxy and try to copy that to REMOTE_USER. To avoid any conflicts with
> the mod_ssl I also tried to set a X-Forwarded-SSL_CLIENT_S_DN_CN and
> used that with SSLUserName: REMOTE_USER is not set.

Having the front-end server set an HTTP request header for the back-end 
server is the correct solution.  You would then normally configure your 
web application to retrieve the user's identity from this new header 
rather than from the REMOTE_USER environment variable.  I don't know, 
but I suspect that you may run into difficulties trying to set 
REMOTE_USER yourself via Apache HTTP Server directives since the 
REMOTE_USER environment variable gets set automatically based on the 
r->user field of the request structure (maybe someone else who knows 
more can confirm or refute whether this overwriting happens).

If you cannot configure your web application to retrieve the user's 
identity from the value of the header you set, and if this is important 
enough to deal with a third party module and you're willing to do 
special work to get this operating right and support it in the long term 
on your servers (troubleshoot issues, port the module code to Apache 
HTTP Server 2.4 when needed, and so on), then take a look at 
https://github.com/aimxhaisse/mod-proxy-add-user

--
   Mark Montague
   mark@catseye.org




Re: [users@httpd] Setting REMOTE_USER to %{SSL:HTTP_SSL_CLIENT_S_DN_CN}

Posted by Martin Drescher <dr...@snafu.de>.
On 05/11/12 14:35, Mark Montague wrote:
> On November 5, 2012 6:32 , Martin Drescher <dr...@snafu.de>
> wrote:
>> I would like to set the REMOTE_USER environment to the value of
>> %{HTTP_SSL_CLIENT_S_DN_CN}. After reading the fine manual a few
>> times I think it should work with that:
>> 
>>   RewriteEngine On
>>   RewriteCond %{SSL:HTTP_SSL_CLIENT_S_DN_CN} (.+)
>>   RewriteRule ^.*$ - [E=REMOTE_USER:$1]
>> 
>> Tried some variations, but it does not :-( Could someone help me
>> out with this?
> 
> Remove those mod_rewrite directives.  Instead, use
> 
> SSLUserName SSL_CLIENT_S_DN_CN
> 
> 
> See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslusername

Close, but no cigar:
In fact, I do not use SSL at this distinct host. But I run a reverse
proxy using ProxyPass which terminates the SSL at its world device
and then forwards to a Nagios host in that case. Nagios is happy with the
REMOTE_USER environment set for access control. I checked this setting
REMOTE_USER using the SetEnv syntax. Unfortunately this does not take
a variable as argument.

So I set an HTTP request header (SSL_CLIENT_S_DN_CN) in the reverse
proxy and try to copy that to REMOTE_USER. To avoid any conflicts with
the mod_ssl I also tried to set a X-Forwarded-SSL_CLIENT_S_DN_CN and
used that with SSLUserName: REMOTE_USER is not set.

Also tried FakeBasicAuth.

Martin

> 
> 
> -- Mark Montague mark@catseye.org

-- 
 Martin Drescher
 GnuPG Key Fingerprint, KeyID '4FBE451A':
 '2237 1E95 8E50 E825 9FE8  AEE1 6FF4 1E34 4FBE 451A'



Re: [users@httpd] Setting REMOTE_USER to %{SSL:HTTP_SSL_CLIENT_S_DN_CN}

Posted by Mark Montague <ma...@catseye.org>.
On November 5, 2012 6:32 , Martin Drescher <dr...@snafu.de> wrote:
> I would like to set the REMOTE_USER environment to the value of
> %{HTTP_SSL_CLIENT_S_DN_CN}.
> After reading the fine manual e few time I think it should work with that:
>
>    RewriteEngine On
>    RewriteCond %{SSL:HTTP_SSL_CLIENT_S_DN_CN} (.+)
>    RewriteRule ^.*$ - [E=REMOTE_USER:$1]
>
> Tried some variations, but it does not :-(
> Could someone help me out with this?

Remove those mod_rewrite directives.  Instead, use

SSLUserName SSL_CLIENT_S_DN_CN


See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslusername


--
   Mark Montague
   mark@catseye.org

