httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lucuk, Pete" <pete.lu...@ngc.com>
Subject RE: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?
Date Mon, 27 Nov 2006 17:00:14 GMT
Tried doing it via the query string, and not the headers like this...

RewriteMap escape int:escape
 
RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
RewriteRule .* - [E=SSLCC:%1]

RewriteRule ^/https(.*)$
https://kftcsu09.ftc.lab:6443$1?CLIENT_CERT=${escape:%{ENV:SSLCC}}
[QSA,P] 

And got this...

10.0.0.114 - - [27/Nov/2006:11:52:07 -0500] "GET
/?CLIENT_CERT=-----BEGIN%20CERTIFICATE----- HTTP/1.1" 200 4855 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322)"


So, it does not appear that the whole client cert gets passed as a query
string either.

Do I even have the whole client certificate te begin with at the reverse
proxy server?

I am really trying NOT to use AJP module for multiple reasons, BUT am I
getting to a point where it is my only option to sucessfully proxy the
whole client certificate to the jboss server behind the proxy server?




>-----Original Message-----
>From: Lucuk, Pete [mailto:pete.lucuk@ngc.com] 
>Sent: Monday, November 27, 2006 11:26 AM
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] How to send WHOLE SSL_CLIENT_CERT 
>in reverse proxy?
>
>
>This...
>
>     RewriteMap escape int:escape
> 
>     RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
>     RewriteRule .* - [E=SSLCC:${escape:{%1}}]
>     RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>
>     RewriteRule ^/https(.*)$
>https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/Reques
>tHeaderEx
>ample$1 [P,L] 
>
>Gets me this...
>
>user-agent  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
>SV1; .NET CLR 1.1.4322) x-ssl-client-on  SUCCESS 
>x-ssl-client-name  Doug S. Barnhart x-ssl-client-cert  
>%7b-----BEGIN%20CERTIFICATE-----%7d
>max-forwards  10  
>x-forwarded-for  10.0.1.55   
>
>And this...
>
>
>     RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
>     RewriteRule .* - [E=SSLCC:%1]
>     RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>
>     RewriteRule ^/https(.*)$
>https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/Reques
>tHeaderEx
>ample$1 [P,L] 
>
>Gets me this...
>
>user-agent  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
>SV1; .NET CLR 1.1.4322) x-ssl-client-on  SUCCESS 
>x-ssl-client-name  Doug S. Barnhart x-ssl-client-cert  
>-----BEGIN CERTIFICATE----- max-forwards  10 x-forwarded-for  10.0.1.55
>
>
>It appears that I am still not getting the whole ssl client 
>cert even after the escape...
>
>
>	RewriteRule .* - [E=SSLCC:${escape:{%1}}]
>	
>	x-ssl-client-cert  %7b-----BEGIN%20CERTIFICATE-----%7d
>
>
>Am I doing something wrong on the escape?
>
>Bottom line, I am trying to get that whole client pem 
>certificate to be pushed across in the header with no luck.
>
>
>>-----Original Message-----
>>From: Lucuk, Pete [mailto:pete.lucuk@ngc.com]
>>Sent: Monday, November 27, 2006 10:04 AM
>>To: users@httpd.apache.org
>>Subject: RE: [users@httpd] How to send WHOLE SSL_CLIENT_CERT 
>in reverse 
>>proxy?
>>
>>Where would I put the Rewrite escape function in the stuff below?  I 
>>tried a couple different things and could not get it to work.  Thank 
>>you for your help, I appreciate it
>>
>>
>>RewriteCond %{SSL:SSL_CLIENT_CERT} (.*) RewriteRule .* - [E=SSLCC:%1] 
>>RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>>
>>RewriteRule ^/https(.*)$
>>https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/Reques
>>tHeaderEx
>>ample$1 [P,L]
>>
>>
>>>-----Original Message-----
>>>From: Max Dittrich [mailto:max.dittrich@t-online.de]
>>>Sent: Thursday, November 23, 2006 8:37 PM
>>>To: users@httpd.apache.org
>>>Subject: Re: [users@httpd] How to send WHOLE SSL_CLIENT_CERT
>>in reverse
>>>proxy?
>>>
>>>Lucuk, Pete schrieb:
>>>> The backend server is a 3.x version of Jboss that uses 
>Jetty as the 
>>>> Servlet engine.
>>>> Can you use AJP with Jetty?
>>>> 
>>>> If not, is there some simple way to yank out the new lines in 
>>>> SSL_CLIENT_CERT on the reverse proxy?
>>>
>>>I just looked up the Apache Docs, because I remembered those 
>internal 
>>>RewriteMaps. Maybe there's a chance using the internal RewriteMap 
>>>'escape' to encode special characters like "\n".
>>>
>>>Limitations on the accepted length of headers (2048) may break this 
>>>solution.
>>>
>>>hf,
>>>.max
>>>
>>>
>>>
>>>---------------------------------------------------------------------
>>>The official User-To-User support forum of the Apache HTTP Server 
>>>Project.
>>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP Server 
>>Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message