From: David Cassidy
To: users@httpd.apache.org
Date: Tue, 22 Sep 2009 12:43:37 +0100
Subject: Re: [users@httpd] Problem with Apache 2.2.13 and "SSLOptions +FakeBasicAuth"

Jim

Is there any reason that you're not using the WebLogic module? wl_proxy, I think?

I think that it might be more useful than just using Apache as a reverse proxy.
wl_proxy tells Apache which boxes in your cluster are alive and ready to do work, for example.

David

On 12/09/09 22:39, ohaya@cox.net wrote:
> Hi,
>
> We are using Apache as a reverse-proxy in front of a WebLogic server.
>
> In our older configuration, using Apache 2.0.5x, when we enable client-authenticated SSL, and uncomment the following line in ssl.conf:
>
> SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
>
> we get the "Authorization" HTTP header, containing the BASE64-encoded certificate subject string (actually, <cert subject string>:password, BASE64-encoded).
>
> We are now moving to Apache 2.2.x, and I'm testing a configuration on Windows, and it looks like, when we uncomment the SSLOptions line in extra/httpd-ssl.conf, the "Authorization" HTTP header is no longer being sent by Apache to WebLogic.
>
> I also tried changing the SSLOptions directive to just:
>
> SSLOptions +FakeBasicAuth
>
> and I still don't see the "Authorization" header.
>
> According to the docs:
>
> "FakeBasicAuth
> When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user. Every entry in the user file needs this password: ``xxj31ZMTZzkVA'', which is the DES-encrypted version of the word `password''. Those who live under MD5-based encryption (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5 hash of the same word: ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''."
>
> Does anyone know why I might not be getting the "Authorization" HTTP header, or, more importantly, how I can get that working again?
>
> Thanks,
> Jim



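The header format described in the quoted message, as an added example that is not part of the original thread or of Apache's code: a Python helper that a test handler behind the proxy could use to tell whether a FakeBasicAuth-style `Authorization` header arrived, was malformed, or was missing. The function names and the sample DN are assumptions made for illustration; the fixed word `password` and the hash `xxj31ZMTZzkVA` are the ones in the quoted documentation.

```python
import base64
import binascii

FAKE_PASSWORD = "password"        # fixed word named in the quoted mod_ssl docs
DES_CRYPT_HASH = "xxj31ZMTZzkVA"  # its DES crypt hash, as quoted from the docs


def build_fake_basic_header(subject_dn):
    """Header value in the format the post describes: base64(<subject>:password)."""
    raw = f"{subject_dn}:{FAKE_PASSWORD}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_fake_basic_header(value):
    """Return the certificate subject, or None if the value is not in that format."""
    scheme, _, token = (value or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The fixed word is always the last field, so split on the LAST colon;
    # the subject string itself may contain ':' characters.
    subject, sep, password = decoded.rpartition(":")
    if not sep or not subject or password != FAKE_PASSWORD:
        return None
    return subject


def user_file_entry(subject_dn):
    """Line for the Apache user file that matches this subject."""
    return f"{subject_dn}:{DES_CRYPT_HASH}"


def check_request_headers(headers):
    """Classify a request's headers as ('ok', subject), ('malformed', None) or ('missing', None)."""
    for name, value in headers.items():
        if name.lower() == "authorization":  # header names are case-insensitive
            subject = parse_fake_basic_header(value)
            return ("ok", subject) if subject else ("malformed", None)
    return ("missing", None)


if __name__ == "__main__":
    dn = "/C=GB/O=Example Org/CN=Constructed User"  # constructed sample DN
    print(check_request_headers({"Authorization": build_fake_basic_header(dn)}))
    print(check_request_headers({"Host": "backend.example"}))
    print(user_file_entry(dn))
```

Because the password half of the header is a fixed, documented word, a backend that keys on this header should accept it only on connections coming from the proxy.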