Date: Sat, 30 Dec 2006 08:32:32 -0700
From: "Serge Dubrouski"
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache and client certs

On 12/30/06, toadie D wrote:
> It is possible to use reverse proxy to pass a PEM Encoded Certificate as a
> HTTP header to a backend server.
>
> Make sure you have this directive in your config file
>
> SSLOptions +ExportCertData
>
> Then use mod_headers to set the header
>
> RequestHeader set MY_CLIENT_CERT %{SSL_CLIENT_CERT}s
>
> You can find more info here
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html and
> here http://httpd.apache.org/docs/2.2/mod/mod_headers.html
>
> One caveat, depending on which version of apache you use (2.0.x or 2.2.x),
> the PEM encoded Certificate may come across a bit strange (i.e. not conforming to
> multiline HTTP header). And not recognizable by backend application.
> So you may see your header looking like this
>
> MY_CLIENT_CERT: ----- BEGIN CERTIFICATE -----[blanks no CRLF] [First line of
> base64 encoded data] [ blanks no CRLF ] [Second line of base64 encoded data]
> ..... ---- END CERTIFICATE -----
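
An added example, not part of the thread and not Apache's own code: one way a backend application could rebuild a parseable PEM block from the whitespace-flattened header value described in the quoted message, rejecting anything that is not a single well-formed certificate block. The function names and the length cap are assumptions, and the sample input is constructed bytes, not a real certificate.

```python
import base64
import binascii
import re

# Tolerates the extra spacing around the marker words shown in the quoted sample.
PEM_RE = re.compile(
    r"-+\s*BEGIN CERTIFICATE\s*-+(.*?)-+\s*END CERTIFICATE\s*-+", re.DOTALL
)
MAX_HEADER_LEN = 16384  # assumed cap; size it to the largest certificate you expect


def pem_from_header(value):
    """Rebuild canonical PEM from a flattened header value.

    Returns (pem_text, der_bytes); raises ValueError on malformed input.
    """
    if not value or len(value) > MAX_HEADER_LEN:
        raise ValueError("header missing or too long")
    match = PEM_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError("no single BEGIN/END CERTIFICATE block")
    # Blanks, tabs and stray CR/LF between base64 lines all collapse away.
    b64 = "".join(match.group(1).split())
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("body is not valid base64") from exc
    if not der:
        raise ValueError("empty certificate body")
    # Re-wrap at 64 columns so standard PEM parsers accept the result.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
           + "\n-----END CERTIFICATE-----\n")
    return pem, der


def constructed_sample():
    """Constructed input: 200 arbitrary bytes, NOT a real certificate."""
    der = bytes(range(200))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    flattened = ("-----BEGIN CERTIFICATE----- " + " ".join(lines)
                 + " -----END CERTIFICATE-----")
    return der, flattened


if __name__ == "__main__":
    original, header_value = constructed_sample()
    pem_text, der_bytes = pem_from_header(header_value)
    print(pem_text)
    print("round-trip ok:", der_bytes == original)
```

The backend should accept this header only on connections coming from the reverse proxy, since any client that can reach the backend directly can send the same header with a certificate of its choosing.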