perl-modperl mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Question on how execution order of Mod_Perl
Date Wed, 06 Feb 2013 17:41:37 GMT
Timothy Gallagher wrote:
> Hello all,
> I have a question for you that I need some help/guidance on.  I am not sure if this
> is a question for Apache, perl or mod_perl, I believe this is the correct place to ask.  I
> am building a reverse proxy server that authenticates a user via the client SSL certificate
> that is presented to Apache.
> 
> When a person connects to https:// alpha.dev.home.com/ssl, they are requested to present
> a client SSL cert to the server.  Using Mod_Perl, I then get the client certificate information
> and do some internal processing to verify the user. If the user is good, I want to then continue
> the request by acting as a reverse proxy server for internal apache servers.
> 
> I have all these processes working except not in the correct order.  Here is the order
> that the items are happening.
> A user will connect to https:// alpha.dev.home.com/ssl. The user is presented with a
> request for a client certificate.  When the user presents the certificate, they are then allowed
> access to the backend (private apache web server). At the same time, mod_perl is processing
> their client SSL certificate.
> 
> Am I able to dictate the order in which a request in apache with mod_perl is processed,
> meaning
> 
> 1.       Request comes in
> 
> 2.       Customer needs to present a client SSL certificate
> 
> 3.       Mod_perl takes the client certificate information and processes the information
> for authentication
> 
> 4.       Depending on the outcome of the authentication process, allow the session to continue
> or drop the connection.
> 
> Here is the code that I am using for testing
> -----[Begin Apache Config]-----
> <VirtualHost alpha.dev.home.com>
>     # Get the required environment
>     PerlRequire /opt/perlEngine/startup.pl
>     # SSL Requirements
>     SSLEngine on
>     SSLProtocol +SSLv3 +TLSv1
>     SSLCertificateFile /opt/certs/server/alpha@danati.home.com-cert.pem
>     SSLCertificateKeyFile /opt/certs/server/alpha@danati.home.com-key.pem
>     SSLCACertificateFile /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
>     SSLVerifyClient require
>     SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
>
>     <Location /ssl>
>         SetHandler perl-script
>         PerlResponseHandler MyTest::SSLAuth
>         ProxyRequests off
>         ProxyPass /ssl http://10.10.10.100
>         ProxyPassReverse /ssl http://10.10.10.100
>     </Location>
> </VirtualHost>
> -----[End Apache Config]-----
> 
> 
> -----[Begin MyTest::SSLAuth ]-----
> 
> package MyTest::SSLAuth;
> use strict;
> use warnings;
> #use Apache2::ModSSL;
> use Apache2::RequestRec ();
> use Apache2::RequestIO ();
> use Digest::SHA qw(sha256_hex);
> use Apache2::Const -compile => qw(OK FORBIDDEN);
> use Data::Dumper;
>
> sub handler {
>     my $r = shift;
>     $r->content_type('text/plain');
>     my $c = $r->connection;
>     # SSL_CLIENT_* entries are exported by mod_ssl (SSLOptions +StdEnvVars)
>     # and are available by the time the response phase runs
>     my $cert   = $r->subprocess_env('SSL_CLIENT_CERT');
>     my $serial = $r->subprocess_env('SSL_CLIENT_M_SERIAL');
>     my $dn     = $r->subprocess_env('SSL_CLIENT_S_DN');
>     my $sig    = $r->subprocess_env('SSL_CLIENT_A_SIG');
>     # mod_ssl variables are strings, so compare with ne rather than the numeric !=
>     if (!defined $sig || $sig ne '89765479') {
>         # placeholder for the real check: refuse the request until it is written
>         return Apache2::Const::FORBIDDEN;
>     }
>     # Apache::OK is the mod_perl 1 name; the constant compiled above is Apache2::Const::OK
>     return Apache2::Const::OK;
> }
> 1;
> -----[End MyTest::SSLAuth ]-----
> 
> 
Hi.
I believe that you may have the same kind of issue that I was having back in December 2012.
Check the archives of this list, for a thread entitled "setHandler question".
Doing authentication and then proxying is a bit tricky.
The good news is that it works in the end, so your scheme is possible.
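One way to get the order asked for in the quoted question (certificate check first, proxying only on success), as an added example that is code from neither poster: move the check out of the response phase into the access phase with PerlAccessHandler and leave the response to ProxyPass. The handler reads the certificate through Apache2::ModSSL's ssl_var_lookup because mod_ssl only fills the SSL_CLIENT_* subprocess_env entries in its fixup hook, which runs after the access phase; the module name MyTest::SSLAccess, the serial allow-list and the X-Client-DN header are my assumptions.

```perl
# Assumed Apache config for this handler. No SetHandler perl-script here, so
# mod_proxy keeps the response phase and only runs if the access phase returned OK:
# <Location /ssl>
#     PerlAccessHandler MyTest::SSLAccess
#     ProxyPass        http://10.10.10.100
#     ProxyPassReverse http://10.10.10.100
# </Location>
package MyTest::SSLAccess;
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use APR::Table ();
use Apache2::ModSSL ();                 # CPAN module: adds ssl_var_lookup to Apache2::Connection
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Constructed allow-list of client certificate serials, in the upper-case hex
# form mod_ssl reports them (assumption for the example).
my %ALLOWED_SERIAL = map { $_ => 1 } qw(0A1B2C3D 00FF0102);

sub handler {
    my $r = shift;
    my $c = $r->connection;

    # The access phase runs before mod_ssl's fixup hook, so SSL_CLIENT_* is not
    # yet in $r->subprocess_env; ask mod_ssl for the values directly instead.
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY')   // '';
    my $serial = $c->ssl_var_lookup('SSL_CLIENT_M_SERIAL') // '';
    my $dn     = $c->ssl_var_lookup('SSL_CLIENT_S_DN')     // '';

    # SSLVerifyClient require already rejects unverifiable certs at the TLS layer;
    # re-checking SSL_CLIENT_VERIFY keeps this handler safe if that is ever relaxed.
    unless ($verify eq 'SUCCESS' && $ALLOWED_SERIAL{ uc $serial }) {
        $r->log_error("client cert rejected: verify=$verify serial=$serial dn=$dn");
        return Apache2::Const::FORBIDDEN;   # request ends here; nothing is proxied
    }

    # set() overwrites any X-Client-DN the client sent, so the backend only ever
    # sees the DN mod_ssl verified. Proxying then happens in the response phase.
    $r->headers_in->set('X-Client-DN' => $dn);
    return Apache2::Const::OK;
}
1;
```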
