httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marc Stern" <sternm...@hotmail.com>
Subject Re: SSL_CLIENT_S_DN and proxy
Date Tue, 18 May 2004 05:12:53 GMT
Thanks Madhu,
I will definitively try this.

I normally use 2.0.49.
As I need to have something to go in a production environment, I suppose
it's a bit early to try 2.1.

If I understood correctly, with that patch I will be able to use
   Header  SSL_REMOTE_CLIENT_S_DN  %{SSL_CLIENT_S_DN}e
The back-end server (as apache is used here as a proxy) will then receive
the header "SSL_REMOTE_CLIENT_S_DN".
This should work even if I use SSL between the proxy and the back-end
server - in this case, the back-end will receive the proxy DN in the header
"SSL_CLIENT_S_DN".

Marc

----- Original Message ----- 
From: "Mathihalli, Madhusudan" <madhum@hp.com>
To: <dev@httpd.apache.org>
Sent: Friday, May 14, 2004 6:20 PM
Subject: RE: SSL_CLIENT_S_DN and proxy


Hi Marc,
If you're using httpd-2.1, did you already try something like
below ?

-Madhu


Index: mod_headers.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/metadata/mod_headers.c,v
retrieving revision 1.59
diff -u -r1.59 mod_headers.c
--- mod_headers.c       18 Apr 2004 20:26:07 -0000      1.59
+++ mod_headers.c       14 May 2004 16:19:44 -0000
@@ -138,6 +138,7 @@

 /* Pointer to ssl_var_lookup, if available. */
 static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *header_ssl_lookup = NULL;
+static const char *header_request_ssl_var(request_rec *r, char *name);

 /*
  * Tag formatting functions
@@ -176,6 +177,10 @@
 static const char *header_request_env_var(request_rec *r, char *a)
 {
     const char *s = apr_table_get(r->subprocess_env,a);
+
+    if (s == NULL) {
+        s = header_request_ssl_var(r, a);
+    }

     if (s)
         return unwrap_header(r->pool, s);

>-----Original Message-----
>From: Marc Stern [mailto:sternmarc@hotmail.com]
>Sent: Wednesday, May 12, 2004 11:35 PM
>To: dev@httpd.apache.org
>Subject: Re: SSL_CLIENT_S_DN and proxy
>
>
>>From what I understand - and it seems confirmed by the test I
>made - the header is modified (created) before Apache
>populates the value. I tried with the header HTTP_HOST
>"RequestHeader set X-HOST %{HTTP_HOST}e)", and the header is
>created, but empty.
>
>Is the same feature available, but at the end of the treatment ?
>
>Marc
>
>----- Original Message ----- 
>From: "Joe Orton" <jorton@redhat.com>
>To: <dev@httpd.apache.org>
>Sent: Wednesday, May 12, 2004 3:27 PM
>Subject: Re: SSL_CLIENT_S_DN and proxy
>
>
>> On Wed, May 12, 2004 at 01:09:03PM +0200, Marc Stern wrote:
>> > When using Apache as a proxy:
>> >   ( brower  --https-->  Apache + mod_proxy  --https-->
>Web server )
>> > the Web server never receives the user's certificate info, because
>> > only
>the
>> > proxy is seen by the Web server. That means that all headers
>SSL_CLIENT_*
>> > contain the proxy certificate info, not the user certificate info.
>> >
>> > Is there a way to get the user's certificate info ?
>>
>> On the proxy use, e.g.:
>>
>> SSLOptions +StdEnvVars
>> RequestHeader set X-Foo %{SSL_CLIENT_S_DN}e
>>
>> and the client DN is passed through to the backend in the X-Foo
>> header.
>>
>> joe
>>
>

Mime
View raw message