Posted to users@httpd.apache.org by Milan Tomic <to...@yahoo.com> on 2006/08/30 15:14:45 UTC

[users@httpd] SSL: Forwarding user certificate from apache to another server

Users log into apache through SSL and I'm forwarding user cert from apache to (another) app
server. The problem is that user cert, which is sent as HTTP header param (base64 encoded), spans
several lines:

GET /LoginTest/servletheaderview HTTP/1.1
Host: duke:4444
Accept: */*
Accept-Language: sl
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR
1.1.4322)
SSL_CLIENT_CERT: -----BEGIN CERTIFICATE-----
MIIFpDCCBIygAwIBAgIEPAtSvjANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJz
aTEbMBkGA1UEChMSc3RhdGUtaW5zdGl0dXRpb25zMRIwEAYDVQQLEwlzaXRlc3Qt
*** not all lines were shown ***
KCY7/laFwZBHMdT/lpjMwt1szHXIFIS4/PcTTpjd4j6Nd2RcWX9uKwsRYUQ7kgfx
A+cpsvYdoDI=
-----END CERTIFICATE-----

Max-Forwards: 10
Via: 1.1 www.example.com
X-Forwarded-For: 10.9.72.251

Well, the actual problem is to parse SSL_CLIENT_CERT variable on iAS, Tomcat or some other server.
Is this standard HTTP 1.1 notation for headers params with multiple lines? Is Apache forwarding
right? Above shown HTTP request is sent from Apache to iAS server.

This is what I set in my ssl.conf to tell Apache to forward cert:

RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e 
ProxyPass / http://duke:4444/LoginTest/servletheaderview
ProxyPassReverse / http://duke:4444/LoginTest/servletheaderview




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
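
Added example, not part of the original post or of Apache httpd: one way a backend can accept the forwarded SSL_CLIENT_CERT value whether its line breaks arrive intact, folded onto indented lines, or collapsed to spaces, and recover the DER bytes. HTTP/1.1 only allows a header continuation line that starts with a space or tab, so the bare base64 lines in the request above are not valid folding. The function names and the 5-byte sample are constructed for illustration.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed sample: a 5-byte DER SEQUENCE standing in for a real certificate.
SAMPLE_MULTILINE = BEGIN + "\nMAMC\nAQU=\n" + END


def forwarded_cert_to_der(header_value):
    """Return DER bytes from a forwarded SSL_CLIENT_CERT header value.

    Raises ValueError for anything that is not a single PEM certificate,
    e.g. an empty or placeholder value when no client cert was presented.
    """
    value = header_value.strip()
    if not (value.startswith(BEGIN) and value.endswith(END)):
        raise ValueError("header does not contain a PEM certificate")
    body = value[len(BEGIN):-len(END)]
    # Proxies and containers may deliver the original newlines as CR/LF,
    # as folded lines with leading whitespace, or as single spaces.
    # Base64 never contains whitespace, so dropping all of it is lossless.
    b64 = "".join(body.split())
    if not _B64.fullmatch(b64):
        raise ValueError("unexpected characters in certificate body")
    der = base64.b64decode(b64, validate=True)
    # An X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def der_to_pem(der):
    """Re-wrap DER bytes as canonical PEM with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


if __name__ == "__main__":
    der = forwarded_cert_to_der(SAMPLE_MULTILINE)
    print(der.hex())
    print(der_to_pem(der), end="")
```

The DER bytes can then be passed to the platform's X.509 parser. The backend should accept this header only on connections that come from the proxy itself.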


[users@httpd] REPOST: SSL: Forwarding user certificate from apache to another server

Posted by Milan Tomic <to...@yahoo.com>.
--- Milan Tomic <to...@yahoo.com> wrote:

Users log into apache through SSL and I'm forwarding user cert from apache to (another) app
server. The problem is that user cert, which is sent as HTTP header param (base64 encoded),
spans several lines:

GET /LoginTest/servletheaderview HTTP/1.1
Host: duke:4444
Accept: */*
Accept-Language: sl
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET
CLR 1.1.4322)
SSL_CLIENT_CERT: -----BEGIN CERTIFICATE-----
MIIFpDCCBIygAwIBAgIEPAtSvjANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJz
aTEbMBkGA1UEChMSc3RhdGUtaW5zdGl0dXRpb25zMRIwEAYDVQQLEwlzaXRlc3Qt
*** not all lines were shown ***
KCY7/laFwZBHMdT/lpjMwt1szHXIFIS4/PcTTpjd4j6Nd2RcWX9uKwsRYUQ7kgfx
A+cpsvYdoDI=
-----END CERTIFICATE-----

Max-Forwards: 10
Via: 1.1 www.example.com
X-Forwarded-For: 10.9.72.251

Well, the actual problem is to parse SSL_CLIENT_CERT variable on iAS, Tomcat or some other
server. Is this standard HTTP 1.1 notation for headers params with multiple lines? Is Apache
forwarding right? Above shown HTTP request is sent from Apache to iAS server.
This is what I set in my ssl.conf to tell Apache to forward cert:

RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e 
ProxyPass / http://duke:4444/LoginTest/servletheaderview
ProxyPassReverse / http://duke:4444/LoginTest/servletheaderview



[users@httpd] REPOST [users@httpd] SSL: Forwarding user certificate from apache to another server

Posted by Milan Tomic <to...@yahoo.com>.

--- Milan Tomic <to...@yahoo.com> wrote:

> 
> Users log into apache through SSL and I'm forwarding user cert from apache to (another) app
> server. The problem is that user cert, which is sent as HTTP header param (base64 encoded),
> spans
> several lines:
> 
> GET /LoginTest/servletheaderview HTTP/1.1
> Host: duke:4444
> Accept: */*
> Accept-Language: sl
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR
> 1.1.4322)
> SSL_CLIENT_CERT: -----BEGIN CERTIFICATE-----
> MIIFpDCCBIygAwIBAgIEPAtSvjANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJz
> aTEbMBkGA1UEChMSc3RhdGUtaW5zdGl0dXRpb25zMRIwEAYDVQQLEwlzaXRlc3Qt
> *** not all lines were shown ***
> KCY7/laFwZBHMdT/lpjMwt1szHXIFIS4/PcTTpjd4j6Nd2RcWX9uKwsRYUQ7kgfx
> A+cpsvYdoDI=
> -----END CERTIFICATE-----
> 
> Max-Forwards: 10
> Via: 1.1 www.example.com
> X-Forwarded-For: 10.9.72.251
> 
> Well, the actual problem is to parse SSL_CLIENT_CERT variable on iAS, Tomcat or some other
> server.
> Is this standard HTTP 1.1 notation for headers params with multiple lines? Is Apache forwarding
> right? Above shown HTTP request is sent from Apache to iAS server.
> 
> This is what I set in my ssl.conf to tell Apache to forward cert:
> 
> RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e 
> ProxyPass / http://duke:4444/LoginTest/servletheaderview
> ProxyPassReverse / http://duke:4444/LoginTest/servletheaderview
> 

