httpd-users mailing list archives

From Martin Drescher <dresc...@snafu.de>
Subject Re: [users@httpd] Setting REMOTE_USER to %{SSL:HTTP_SSL_CLIENT_S_DN_CN}
Date Mon, 05 Nov 2012 15:24:25 GMT

On 05/11/12 14:35, Mark Montague wrote:
> On November 5, 2012 6:32 , Martin Drescher <drescher@snafu.de>
> wrote:
>> I would like to set the REMOTE_USER environment to the value of 
>> %{HTTP_SSL_CLIENT_S_DN_CN}. After reading the fine manual a few
>> times I think it should work with that:
>> 
>> RewriteEngine On
>> RewriteCond %{SSL:HTTP_SSL_CLIENT_S_DN_CN} (.+)
>> RewriteRule ^.*$ - [E=REMOTE_USER:$1]
>> 
>> Tried some variations, but it does not :-( Could someone help me
>> out with this?
> 
> Remove those mod_rewrite directives.  Instead, use
> 
> SSLUserName SSL_CLIENT_S_DN_CN
> 
> 
> See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslusername

Close, but no cigar:
In fact, I do not use SSL at this distinct host. But I run a reverse
proxy using ProxyPass which terminates the SSL at its world device
and then forwards a Nagios host in that case. Nagios is happy with the
REMOTE_USER environment set for access control. I checked this setting
REMOTE_USER using the SetEnv syntax. Unfortunately this does not take
a variable as argument.

So I set a HTTP request header (SSL_CLIENT_S_DN_CN) in the reverse
proxy and try to copy that to REMOTE_USER. To avoid any conflicts with
the mod_ssl I also tried to set a X-Forwarded-SSL_CLIENT_S_DN_CN and
used that with SSLUserName: REMOTE_USER is not set.

Also tried FakeBasicAuth.

Martin

> -- Mark Montague mark@catseye.org

--
 Martin Drescher
 GnuPG Key Fingerprint, KeyID '4FBE451A':
 '2237 1E95 8E50 E825 9FE8  AEE1 6FF4 1E34 4FBE 451A'
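
The reverse-proxy arrangement described in the message, written out as an added example; it is not part of the original thread or of either poster's configuration. It assumes Apache 2.4 with mod_ssl, mod_headers and mod_proxy_http on the proxy and mod_rewrite on the backend; the header name X-SSL-Client-CN, the host names, the file paths and the address 192.0.2.10 are placeholders.

```apache
# --- Reverse proxy: terminates TLS and verifies the client certificate ---
<VirtualHost *:443>
    ServerName proxy.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient require

    # Discard any copy of the header supplied by the client, then set it
    # from the CN of the certificate mod_ssl has just verified.
    RequestHeader unset X-SSL-Client-CN
    RequestHeader set X-SSL-Client-CN "%{SSL_CLIENT_S_DN_CN}s"

    ProxyPass        / http://nagios.internal.example/
    ProxyPassReverse / http://nagios.internal.example/
</VirtualHost>

# --- Backend: plain HTTP, no mod_ssl, serves Nagios ---
<VirtualHost *:80>
    ServerName nagios.internal.example

    # The header is only as trustworthy as the network path: accept
    # requests from the proxy's address and nothing else.
    <Location "/">
        Require ip 192.0.2.10
    </Location>

    RewriteEngine On
    # %{HTTP:name} reads a request header. %1 is the RewriteCond capture;
    # $1 would refer to a group in the RewriteRule pattern instead.
    RewriteCond %{HTTP:X-SSL-Client-CN} (.+)
    RewriteRule ^ - [E=REMOTE_USER:%1]
</VirtualHost>
```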