httpd-users mailing list archives

From David Cassidy <da...@twocats.co.uk>
Subject Re: [users@httpd] Problem with Apache 2.2.13 and "SSLOptions +FakeBasicAuth"
Date Tue, 22 Sep 2009 11:43:37 GMT
Jim

Is there any reason that you're not using the WebLogic module? wl_proxy, 
I think?

I think that it might be more useful than just using Apache as a reverse 
proxy.
wl_proxy tells Apache which boxes in your cluster are alive and ready to 
do work, for example.

David

On 12/09/09 22:39, ohaya@cox.net wrote:
> Hi,
>
> We are using Apache as a reverse-proxy in front of a WebLogic server.
>
> In our older configuration, using Apache 2.0.5x, when we enable client-authenticated SSL, and uncomment the following line in ssl.conf:
>
> SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
>
> we get the "Authorization" HTTP header, containing the BASE64-encoded certificate subject string (actually, <cert subject string>:password, BASE64-encoded).
>
> We are now moving to Apache 2.2.x, and I'm testing a configuration on Windows, and it looks like, when we uncomment the SSLOptions line in extra/httpd-ssl.conf, the "Authorization" HTTP header is no longer being sent by Apache to WebLogic.
>
> I also tried changing the SSLOptions directive to just:
>
> SSLOptions +FakeBasicAuth
>
> and I still don't see the "Authorization" header.
>
> According to the docs:
>
> "FakeBasicAuth
> When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user. Every entry in the user file needs this password: ``xxj31ZMTZzkVA'', which is the DES-encrypted version of the word `password''. Those who live under MD5-based encryption (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5 hash of the same word: ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''."
>
> Does anyone know why I might not be getting the "Authorization" HTTP header, or, more importantly, how I can get that working again?
>
> Thanks,
> Jim
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>     "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>    
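
To check on the back-end side whether the header described in the quoted message is arriving, the following decodes an "Authorization" value of the form <cert subject string>:password and validates it. This is an added example, not part of the original thread and not Apache or WebLogic code; the function names, the constructed sample DN, and the assumption that the subject arrives in OpenSSL's one-line /C=.../CN=... form are mine.

```python
import base64
import binascii

FAKE_PASSWORD = "password"  # fixed word named in the docs quoted in the thread

# Constructed sample: what the header would look like for a made-up subject DN.
SAMPLE_DN = "/C=US/O=Example Org/CN=jim.test"
SAMPLE_HEADER = "Basic " + base64.b64encode(
    (SAMPLE_DN + ":" + FAKE_PASSWORD).encode()).decode()


def parse_fake_basic_auth(header_value):
    """Return the certificate subject DN from an Authorization header value,
    or raise ValueError if it is not of the <subject>:password form."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("token is not valid BASE64 text") from exc
    # Basic auth splits user from password at the first ':'; a subject that
    # itself contains ':' would be ambiguous, so this check rejects it.
    if decoded.count(":") != 1:
        raise ValueError("expected exactly one ':' separator")
    subject, password = decoded.split(":")
    if password != FAKE_PASSWORD:
        raise ValueError("password part is not the fixed FakeBasicAuth word")
    if not subject.startswith("/"):  # assumption: OpenSSL one-line DN format
        raise ValueError("user name is not a one-line subject DN")
    return subject


def split_subject(subject):
    """Split '/C=US/O=Example/CN=jim' into [('C', 'US'), ...]."""
    pairs = []
    for part in subject.split("/")[1:]:
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((key, value))
    return pairs


if __name__ == "__main__":
    dn = parse_fake_basic_auth(SAMPLE_HEADER)
    print(dn, split_subject(dn))
```

A back end that accepts this header should only do so on connections coming from the reverse proxy, since the password part is a published constant.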
