httpd-users mailing list archives

From <oh...@cox.net>
Subject Re: [users@httpd] Possible to add edited version of SSL_CLIENT_CERT variable to request header?
Date Sat, 07 Apr 2012 16:33:32 GMT
Hi,

I noticed from the archives that there was a response/question from "Bobb, Kirth Andre" that
I missed:

"Igor,
Just out of curiosity. Are you using other .pem files in other <location> blocks?"

I'm assuming that that question was actually for me (the OP)...

In answer to that: No, I don't have any PEM files in any other <Location> blocks.

Also, I wanted to give some more background for why I'm trying to do this:

WebLogic comes with its own connector/Apache module for connecting from Apache-to-WebLogic
backend.  It's called the "WebLogic Plugin for Apache".  That plugin, when configured correctly,
sends an additional header to the WebLogic server, "WL-Proxy-Client-Cert", with JUST the PEM
as one big string, with no new lines and the "BEGIN" and "END" strings removed.

We normally use that plugin, but have encountered a problem where when we use that for proxying
certain URLs, we get really long response times (>10 seconds).  In some cases, not involving
proxying 2-way SSL, when I switched from using the WebLogic Plugin to mod_proxy, those long
response times go away, so I was hoping that if I could use mod_proxy in this (2-way) SSL
case, to WebLogic, we could eliminate those long response times.

However, in this case now, I am trying to proxy 2-way SSL (at the 'front' of the Apache), so
when I try to use mod_proxy instead of the WL Plugin, I have to try to "simulate" the headers
that the WL Plugin would normally send to the WebLogic server, and in particular, that "WL-Proxy-Client-Cert"
header, containing only the actual PEM string.

So, anyway, that is WHY I'm trying to do this.

Thanks,
Jim






---- ohaya@cox.net wrote: 
> Igor,
> 
> The backend (Weblogic) won't accept/parse it.  I am sure, because in one test I did,
> I had a RequestHeader with a canned PEM string, without them, and that worked.
> 
> Jim
> 
> 
> ---- Igor Cicimov <icicimov@gmail.com> wrote: 
> > Those lines are part of the PEM certificate without them the cert is not
> > valid. What is the problem on the backend side with this?
> > 
> > 
> > On Thu, Apr 5, 2012 at 8:27 AM, <ohaya@cox.net> wrote:
> > 
> > > Hi,
> > >
> > > I am using Apache (2.2.x) as a proxy.  The Apache is enabled for
> > > 2-way/client-authenticated SSL.
> > >
> > > In one situation (in a specific <Location> section), I need to be able to
> > > pass the PEM of the client certificate to the proxied server, with a
> > > specific HTTP header name.
> > >
> > > I've actually been able to pass the raw PEM as an HTTP header using just
> > > the RequestHeader directive:
> > >
> > > RequestHeader    set   "my_ssl_client_cert"    "%{SSL_CLIENT_CERT}e"
> > >
> > > But, that raw PEM has the "-----BEGIN CERTIFICATE-----" and "-----END
> > > CERTIFICATE-----" strings before and after the actual certificate PEM.
> > >
> > > I've been trying to figure out how to get just the certificate PEM into
> > > the HTTP header for awhile, mostly using SetEnvIfNoCase, but when I try
> > > that, I always end  up with an empty string or null in the header.
> > >
> > > Given that I seem to be able to get the PEM from the SSL_CLIENT_CERT
> > > envvar, it seems like there SHOULD be a way to get that into a request
> > > header, but I haven't been able to do that yet, and am truly stumped, so I
> > > was hoping that someone here might know how to do that?
> > >
> > > Thanks in advance,
> > > Jim
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > >
> > >
> 
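
The transformation described in this thread (the PEM body as one string, with the BEGIN/END lines and newlines removed), as an added Python example that is not part of the original message or of the WebLogic plugin. The helper names and the dropping of an inbound copy of the header are assumptions; the sample PEM is constructed and is not a real certificate.

```python
import base64
import re

# Header name taken from the thread; the helper names below are hypothetical.
WL_HEADER = "WL-Proxy-Client-Cert"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_header_value(pem: str) -> str:
    """Return the certificate body as one base64 string: no markers, no newlines."""
    blocks = _PEM_RE.findall(pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    body = "".join(blocks[0].split())  # drops \n, \r\n, spaces and tabs
    der = base64.b64decode(body, validate=True)  # raises on non-base64 input
    if not der or der[0] != 0x30:  # X.509 DER starts with an ASN.1 SEQUENCE
        raise ValueError("body does not decode to a DER SEQUENCE")
    return body


def outbound_headers(inbound: dict, client_pem: str) -> dict:
    """Build backend headers; the cert header is set only from the TLS layer."""
    # Assumption: the backend trusts this header, so a client-sent copy is dropped.
    out = {k: v for k, v in inbound.items() if k.lower() != WL_HEADER.lower()}
    out[WL_HEADER] = pem_to_header_value(client_pem)
    return out


def constructed_pem() -> str:
    """Constructed sample: DER-shaped bytes, not a real certificate."""
    der = b"\x30\x82\x01\x0a" + bytes(range(256)) + bytes(10)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


if __name__ == "__main__":
    inbound = {"Host": "app.example", "wl-proxy-client-cert": "forged"}
    hdrs = outbound_headers(inbound, constructed_pem())
    print(hdrs[WL_HEADER][:40] + "...")
```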
