Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2010/11/19 13:59:35 UTC
mod_ssl: inserting cert parameters into headers
Hi all,
For a while we've been relying on our load balancers to terminate SSL
for us, and place details of client certs into HTTP headers before
passing a connection backwards (through a further SSL protected
connection).
We're in a situation where we want to use httpd instead of a load
balancer for this, and I've noticed that we can't place cert
parameters into headers like the load balancer can, but are rather
limited to placing the information into the CGI environment only.
Being extensible, ideally we should have a hook which is called that
takes the SSL parameters, and then offer default implementations that
insert the information into the CGI environment, and insert the
information into the request headers, or any other possible
implementation as the admin requires it in some external module.
Most specifically, if SSLOptions +StdEnvVars is specified, the hook
gets called with the data, and an implementation writes them to the
subprocess environment, or headers_in, as appropriate (and as
configured).
Regards,
Graham
--
Re: mod_ssl: inserting cert parameters into headers
Posted by Graham Leggett <mi...@sharp.fm>.
On 19 Nov 2010, at 6:24 PM, Nick Kew wrote:
>> Most specifically, if SSLOptions +StdEnvVars is specified, the hook
>> gets called with the data, and an implementation writes them to the
>> subprocess environment, or headers_in, as appropriate (and as
>> configured).
>
> A hook? That suggests you expect further generality!
Indeed I do, yes.
> Why not just an alternative SSLOption to set headers_in in
> place of subprocess_env?
Because as soon as you have two different ways of doing something, you
then need to ask yourself "but what if I want to do it a third way, or
a fourth way, or maybe some custom way unique to my application", and
you then come to the conclusion "why not provide a hook, so the admin
can configure it any way he wants, and it stops being httpd's problem
at all".
To explain more of where I am coming from.
We have ZXTM load balancers, which front various httpds that do
various things. We have client certificate protected connections to
the load balancers, which terminate the SSL, then establish a new
connection pool to the backend httpds (also SSL, but with different
certs).
In order to expose details of the original client certificate, ZXTM
injects many headers into the request, just as we inject CGI variables
into the subprocess environment. Applications behind them in turn pick up
DNs and other details from these headers. The headers are ZXTM specific.
For various reasons we don't want to use ZXTMs for everything, and so
some httpds terminate the SSL themselves, however we face a problem:
no clean ZXTM compatible capability exists to expose the headers to
the backend.
Our first prize would be to develop for ourselves a
mod_ssl_zxtm_compat module, that when turned on would just send ZXTM
compatible headers, but we lack the hook to hook into.
Sure, we can try and kludge it, by trying to pick up and rewrite the
CGI variables, and then worrying that our module runs after the
mod_ssl module, or we can simply add twenty RequestHeader statements
next to each ProxyPass, but both of these scream "kludge", and
"kludge" is what we're trying to move away from.
Regards,
Graham
--
Re: mod_ssl: inserting cert parameters into headers
Posted by Nick Kew <ni...@webthing.com>.
On Fri, 19 Nov 2010 14:59:35 +0200
Graham Leggett <mi...@sharp.fm> wrote:
> Most specifically, if SSLOptions +StdEnvVars is specified, the hook
> gets called with the data, and an implementation writes them to the
> subprocess environment, or headers_in, as appropriate (and as
> configured).
A hook? That suggests you expect further generality!
Why not just an alternative SSLOption to set headers_in in
place of subprocess_env?
--
Nick Kew
Re: mod_ssl: inserting cert parameters into headers
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Nov 19, 2010 at 05:17:06PM +0200, Graham Leggett wrote:
> On 19 Nov 2010, at 3:19 PM, Plüm, Rüdiger, VF-Group wrote:
>
> >Does
> >
> >RequestHeader add some_header %{SSL_ENVIRONMENT_VARIABLE}s
> >
> >not work for you?
>
> It could, but it isn't very clean at all. You are adding a KV pair
> to one table, then manually copying it into another table.
>
> If a hook existed to do this, a module might do anything anyone
> wanted to.
Is the concern about copying the bytes? Not sure I follow this either.
A fixup hook ordered to run later than ssl_hook_Fixup will always have
access to the SSL_* vars if +StdEnvVars is configured; such a hook can
avoid copying bytes from r->subprocess_env if it wants, I suppose.
Or are you worried that's not really a concrete API on which you can
depend?
Generally it is better to *avoid* using +StdEnvVars because it forces
generation of all the variables (slow and expensive), and use
ssl_var_lookup to generate only those variables you really need.
Regards, Joe
Re: mod_ssl: inserting cert parameters into headers
Posted by Graham Leggett <mi...@sharp.fm>.
On 19 Nov 2010, at 3:19 PM, Plüm, Rüdiger, VF-Group wrote:
> Does
>
> RequestHeader add some_header %{SSL_ENVIRONMENT_VARIABLE}s
>
> not work for you?
It could, but it isn't very clean at all. You are adding a KV pair to
one table, then manually copying it into another table.
If a hook existed to do this, a module might do anything anyone wanted
to.
Regards,
Graham
--
RE: mod_ssl: inserting cert parameters into headers
Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
> -----Original Message-----
> From: Graham Leggett
> Sent: Freitag, 19. November 2010 14:00
> To: dev@httpd.apache.org
> Subject: mod_ssl: inserting cert parameters into headers
>
> Hi all,
>
> For a while we've been relying on our load balancers to
> terminate SSL
> for us, and place details of client certs into HTTP headers before
> passing a connection backwards (through a further SSL protected
> connection).
>
> We're in a situation where we want to use httpd instead of a load
> balancer for this, and I've noticed that we can't place cert
> parameters into headers like the load balancer can, but are rather
> limited to placing the information into the CGI environment only.
>
> Being extensible, ideally we should have a hook which is called that
> takes the SSL parameters, and then offer default
> implementations that
> insert the information into the CGI environment, and insert the
> information into the request headers, or any other possible
> implementation as the admin requires it in some external module.
>
> Most specifically, if SSLOptions +StdEnvVars is specified, the hook
> gets called with the data, and an implementation writes them to the
> subprocess environment, or headers_in, as appropriate (and as
> configured).
Does
RequestHeader add some_header %{SSL_ENVIRONMENT_VARIABLE}s
not work for you?
Regards
Rüdiger
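The RequestHeader approach suggested in this thread, written out as a complete configuration with the checks a practitioner would want. This is an added example, not configuration from the thread or from the httpd project; the header names (X-SSL-Client-*), hostnames, certificate paths and the frontend address 192.0.2.10 are assumptions for illustration. The %{VAR}s format in mod_headers is resolved through mod_ssl's ssl_var_lookup when the header is set, so it does not depend on SSLOptions +StdEnvVars (the cost Joe warns about). The essential security point is the unset lines: without them a caller could send its own X-SSL-Client-S-DN and have the backend trust it.

```apache
# Frontend: terminates client-certificate TLS and forwards the certificate
# details to a backend over a second TLS connection (added example, assumed
# names and paths).
<VirtualHost *:443>
    ServerName frontend.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/frontend.crt
    SSLCertificateKeyFile /etc/ssl/frontend.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt
    # Require a client certificate at the connection level. If you use
    # "optional" instead, the backend must check X-SSL-Client-Verify
    # equals SUCCESS before trusting any of the other headers.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Strip any copies of these headers supplied by the client, so a caller
    # cannot smuggle a forged DN through to the backend. "set" below would
    # overwrite them anyway, but an explicit unset documents the intent and
    # also covers headers you later stop setting.
    RequestHeader unset X-SSL-Client-Verify
    RequestHeader unset X-SSL-Client-S-DN
    RequestHeader unset X-SSL-Client-I-DN
    RequestHeader unset X-SSL-Client-Serial

    # %{VAR}s is looked up via mod_ssl's ssl_var_lookup, so +StdEnvVars is
    # not needed. Keep the default (late, fixup-phase) processing: the
    # "early" flag runs before mod_ssl has performed any per-directory
    # renegotiation and would miss the certificate in that case.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"
    # SSL_CLIENT_CERT is deliberately not forwarded: it is multi-line PEM,
    # which cannot be placed in a header as-is.

    # Re-encrypt to the backend, authenticating with the frontend's own
    # client certificate (different from the end-user certificate).
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/ssl/frontend-proxy-client.pem
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/internal-ca.crt
    ProxyPass        / https://backend.internal:8443/
    ProxyPassReverse / https://backend.internal:8443/
</VirtualHost>

# Backend (if it is also httpd): only honour X-SSL-Client-* headers when the
# request arrived from the frontend; drop them from any other source.
<VirtualHost *:8443>
    ServerName backend.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/backend.crt
    SSLCertificateKeyFile /etc/ssl/backend.key
    SSLCACertificateFile  /etc/ssl/internal-ca.crt
    SSLVerifyClient require

    # 192.0.2.10 is the assumed frontend address.
    SetEnvIf Remote_Addr "^192\.0\.2\.10$" from_frontend
    RequestHeader unset X-SSL-Client-Verify env=!from_frontend
    RequestHeader unset X-SSL-Client-S-DN   env=!from_frontend
    RequestHeader unset X-SSL-Client-I-DN   env=!from_frontend
    RequestHeader unset X-SSL-Client-Serial env=!from_frontend
</VirtualHost>
```

Two caveats when adapting this. First, SetEnvIf on Remote_Addr runs early enough for the env= condition but cannot see mod_ssl variables, so the backend check is by source address (plus the mutual TLS it requires), not by the frontend's certificate DN. Second, the DN strings contain commas, slashes and possibly non-ASCII characters; applications parsing X-SSL-Client-S-DN should treat it as an opaque identifier to compare against, not split it on separators.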