httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] How to send WHOLE SSL_CLIENT_CERT in reverse proxy?
Date Wed, 22 Nov 2006 19:37:04 GMT
What is the backend server? If it's Tomcat or JBoss I'd suggest using
the AJP connector, which allows passing client certificates to the backend.

On 11/22/06, Lucuk, Pete <pete.lucuk@ngc.com> wrote:
> Hello,
>
> I currently have a HTTPS reverse proxy setup and it works like a champ!
>
> I am trying to pass the client cert from the reverse proxy to the
> backend server in the headers like so...
>
> RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
> RewriteRule .* - [E=SSLCC:%1]
> RequestHeader add X-SSL-Client-Cert %{SSLCC}e
> RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443/$1 [P,L]
>
> Problem is, on the backend server that receives the request with client
> cert. in the headers it looks like this...
>
> XXX "-----BEGIN CERTIFICATE-----" XXX 10.0.0.114 - -
> [21/Nov/2006:16:15:02 -0500] "GET / HTTP/1.1" 200 4855 "-" "Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>
> I only get the FIRST line of the client certificate...
>
> -----BEGIN CERTIFICATE-----
>
> And NOT the whole thing like...
>
> -----BEGIN CERTIFICATE-----
> MIIDhjCCAm6gAwIBAgIQZ/IVv3ytMJxL1k62UAK1aDANBgkqhkiG9w0BAQUFADAY
> Stuff, stuff, stuff,
> CnsoGAWH1LHipceWTVaxAh+ZlmP9iwjD6+i7oGSFnuNT9iKBrRXHQuZt
> -----END CERTIFICATE-----
>
>
> I am assuming that the newlines in the client certificate on the reverse
> proxy are hosing up sending the WHOLE client certificate.
>
> How do I fix this problem?
>
> Do I try to take out the new lines in rewrite somehow? How do I do
> that? I have no clue.
>
> Do I try to do something else? What and how?
>
> I have searched and could not find anything.
>
> Thanks much for your help, I appreciate it.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
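
Added example, not part of the thread and not Apache code: a backend-side check that rebuilds a certificate from a one-line header value and rejects the truncated form shown in the question. It assumes the proxy sends the PEM with its newlines replaced by spaces or percent-encoded; the function names and the sample blob are constructed for illustration.

```python
import base64
import textwrap
from urllib.parse import unquote

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_from_header(value: str) -> bytes:
    """Recover certificate DER from a one-line forwarded header value.

    Accepts PEM whose newlines were replaced by spaces or percent-encoded.
    Raises ValueError for the truncated form shown in the thread.
    """
    text = unquote(value).strip()
    if not text.startswith(BEGIN):
        raise ValueError("missing BEGIN marker")
    if not text.endswith(END):
        raise ValueError("truncated: missing END marker")
    b64 = "".join(text[len(BEGIN):-len(END)].split())
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("body is not valid base64") from exc
    # Outer DER SEQUENCE: tag 0x30, then a length that must cover the rest.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError("DER length mismatch (cut-off or trailing data)")
    return der


def pem_from_der(der: bytes) -> str:
    """Re-wrap DER as standard 64-column PEM."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


# Constructed sample: a DER-shaped blob, not a real certificate.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_PEM = pem_from_der(SAMPLE_DER)
```

This is a structural check only; it does not verify the certificate's signature or chain. The backend should accept the header only on connections from the proxy, and the proxy should discard any copy of the header supplied by the client.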
