httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Haroon Rafique <haroon.rafi...@utoronto.ca>
Subject [users@httpd] pass on X509 certificate to reverse-proxy backend
Date Thu, 26 Nov 2009 21:12:08 GMT
Hi there,

I am running apache 2.2.13 in a reverse-proxy configuration using 
mod_proxy. The backend is glassfish running on port 8080 on another host. 
Here's the relevant section of the config:

         ProxyRequests Off
         SetEnv force-proxy-request-1.0 1
         SetEnv proxy-nokeepalive 1
         <Proxy *>
             Order deny,allow
             Allow from all
         </Proxy>
         <Proxy balancer://glassfishcluster>
             BalancerMember http://haroonxp:8080 route=rxp1
         </Proxy>
         <Location /rxp>
             Order allow,deny
             Allow from all
         </Location>
         ProxyPass /rxp/ balancer://glassfishcluster/rxp/ stickysession=JSESSIONID
         ProxyPassReverse /rxp/ balancer://glassfishcluster/rxp/

To require the use of optional X509 client certificates, I added the 
following configuration:

         SSLVerifyClient optional
         SSLVerifyDepth 3
# initialize the special headers to a blank value to avoid http header forgeries
         RequestHeader set SSL_CLIENT_S_DN    ""
         RequestHeader set SSL_CLIENT_I_DN    ""
         RequestHeader set SSL_SERVER_S_DN_OU ""
         RequestHeader set SSL_CLIENT_VERIFY  ""
         <Location /rxp>
             Order allow,deny
             Allow from all
             SSLVerifyClient optional
             SSLVerifyDepth 3
             SSLOptions +StdEnvVars +ExportCertData
             # pass-on to proxied internal web application
             RequestHeader set SSL_CLIENT_S_DN       "%{SSL_CLIENT_S_DN}s"
             RequestHeader set SSL_CLIENT_I_DN       "%{SSL_CLIENT_I_DN}s"
             RequestHeader set SSL_SERVER_S_DN_OU    "%{SSL_SERVER_S_DN_OU}s"
             RequestHeader set SSL_CLIENT_VERIFY     "%{SSL_CLIENT_VERIFY}s"
         </Location>

Upon request /rxp, I get the prompt for "Choose a certificate to present 
as identification". (I have a eToken "smart card" with a cert inside it). 
Hitting OK or Cancel at this point takes me to the requested page (since 
client cert is optional).

For further processing, I need to give the backend glassfish server the 
ability to extract the X509 certificate from the request. Is that 
possible? Typically, on the backend you can use (e.g., java) to extract 
the certs:

X509Certificate[] certs = (X509Certificate[]) 
request.getAttribute("javax.servlet.request.X509Certificate");

The problem is that there is no cert in the request (certs is always 
null).

I know that the cert is fully functional, since when I use SSLVerifyClient 
require apache would only let me through if the correct cert was 
presented.

Thanks in advance for your response.

Some version numbers:

./httpd -v
Server version: Apache/2.2.13 (Unix)
Server built:   Sep 21 2009 14:18:04

./httpd -l
Compiled in modules:
   core.c
   prefork.c
   http_core.c
   mod_so.c

Regards,
--
Haroon Rafique
<haroon.rafique@utoronto.ca>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message