perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Timothy Gallagher <timothy.gallag...@nuspire.com>
Subject Question on how execution order of Mod_Persl
Date Wed, 06 Feb 2013 16:56:45 GMT
Hello all,
I have a question for you that I am needed some help/guidance on.  I am not sure if this is
a question for Apache, perl or mod_perl, I believe this is the correct place to ask.  I am
building a reverse proxy server that authenticates a user via the client SSL certificate that
is presented to Apache.

When a person connects to https:// alpha.dev.home.com/ssl, they are requested to present a
client SSL cert to the server.  Using Mod_Perl, I then get the client certificate information
and do some internal processing to verify the user. If the user is good, I want to then continue
the request by acting as a reverse proxy servers for internal apache servers.

I have all these processes working except not in the correct order.  Here is the order that
the items are happening.
A user will connect to https:// alpha.dev.home.com/ssl. The user is presented with a request
for a client certificate.  When the user presents the certificate, they are then allowed access
to the backend (private apache web server). At the same time, mod_perl is processing their
client SSL certificate.

Am I able to have the dictate the order of how a request in apache with mod_perl I processed
meaning

1.       Request comes in

2.       Customer needs to present a client SSL certificate

3.       Mod_perl takes the client certificate information and processes the information for
authentication

4.       Depending the outcome of the authentication process, allow the session to continue
or drop the connection.

Here is the code that I am using for testing
-----[Begin Apache Config]-----
<VirtualHost alpha.dev.home.com>
                # Get the required enviorment
                PerlRequire /opt/perlEngine/startup.pl
                # SSL Requirements
                SSLEngine on
                SSLProtocol +SSLv3 +TLSv1
                SSLCertificateFile /opt/certs/server/alpha@danati.home.com-cert.pem
                SSLCertificateKeyFile /opt/certs/server/alpha@danati.home.com-key.pem
                SSLCACertificateFile /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
                SSLVerifyClient require
                SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth

                <Location /ssl>
                                SetHandler perl-script
                                PerlResponseHandler MyTest::SSLAuth
                                ProxyRequests off
                                ProxyPass /ssl http://10.10.10.100
                                ProxyPassReverse /ssl http://10.10.10.100
                </Location>
</VirtualHost>
-----[End Apache Config]-----


-----[Begin MyTest::SSLAuth ]-----

package MyTest::SSLAuth;
#use Apache2::ModSSL;
use Apache2::RequestRec ();
use Apache2::RequestIO ();
use Digest::SHA qw(sha256_hex);
use Apache2::Const -compile => qw(OK);
use Data::Dumper;

sub handler {
                my $r = shift;
                $r->content_type('text/plain');
                my $c=$r->connection;
                my $cert = $r->subprocess_env('SSL_CLIENT_CERT');
                my $serial = $r->subprocess_env('SSL_CLIENT_M_SERIAL');
                my $dn = $r->subprocess_env('SSL_CLIENT_S_DN');
                my $sig = $r->subprocess_env('SSL_CLIENT_A_SIG');
                if($sig != 89765479){
                                ....DoSomthing ......
                }
                return Apache::OK;
}
1;
-----[End MyTest::SSLAuth ]-----


Thank you,
Tim

Timothy F. Gallagher
Senior SAT Engineer
Nuspire Corporation
www.nuspire.com<http://www.nuspire.com>
[cid:image001.jpg@01CD97DA.7C4258C0]<http://nuspire.com/>


Mime
View raw message