perl-modperl mailing list archives

From Timothy Gallagher <>
Subject RE: Question on how execution order of Mod_Persl
Date Thu, 14 Feb 2013 15:48:01 GMT
Thank you for the response, I was able to find the messages to help me find what I was looking
for. I appreciate the help.

Thank you,

Timothy F. Gallagher
Senior SAT Engineer
Nuspire Corporation

-----Original Message-----
From: André Warnier [] 
Sent: Wednesday, February 06, 2013 12:42 PM
To: mod_perl list
Subject: Re: Question on how execution order of Mod_Persl

Timothy Gallagher wrote:
> Hello all,
> I have a question for you that I need some help/guidance on. I am not sure if this is a question for Apache, perl or mod_perl; I believe this is the correct place to ask. I am building a reverse proxy server that authenticates a user via the client SSL certificate that is presented to Apache.
> When a person connects to https://, they are requested to present a client SSL cert to the server. Using Mod_Perl, I then get the client certificate information and do some internal processing to verify the user. If the user is good, I want to then continue the request by acting as a reverse proxy server for internal apache servers.
> I have all these processes working, except not in the correct order. Here is the order that the items are happening in.
> A user will connect to https:// The user is presented with a request for a client certificate. When the user presents the certificate, they are then allowed access to the backend (private apache web server). At the same time, mod_perl is processing their client SSL certificate.
> Am I able to dictate the order in which a request in apache with mod_perl is processed?
> 1. Request comes in
> 2. Customer needs to present a client SSL certificate
> 3. Mod_perl takes the client certificate information and processes the information for authentication
> 4. Depending on the outcome of the authentication process, allow the session to continue or drop the connection.
> Here is the code that I am using for testing
> -----[Begin Apache Config]-----
> <VirtualHost>
>     # Get the required environment
>     PerlRequire /opt/perlEngine/
>     # SSL Requirements
>     SSLEngine on
>     SSLProtocol +SSLv3 +TLSv1
>     SSLCertificateFile /opt/certs/server/
>     SSLCertificateKeyFile /opt/certs/server/
>     SSLCACertificateFile /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
>     SSLVerifyClient require
>     SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
>     <Location /ssl>
>         SetHandler perl-script
>         PerlResponseHandler MyTest::SSLAuth
>         ProxyRequests off
>         ProxyPass /ssl
>         ProxyPassReverse /ssl
>     </Location>
> </VirtualHost>
> -----[End Apache Config]-----
> -----[Begin MyTest::SSLAuth ]-----
> package MyTest::SSLAuth;
> use strict;
> use warnings;
> #use Apache2::ModSSL;
> use Apache2::RequestRec ();
> use Apache2::RequestIO ();
> use Apache2::Connection ();
> use APR::Table ();                  # for $r->subprocess_env->get()
> use Digest::SHA qw(sha256_hex);
> use Apache2::Const -compile => qw(OK);
> use Data::Dumper;
> sub handler {
>     my $r = shift;
>     $r->content_type('text/plain');
>     my $c = $r->connection;
>     # mod_ssl exports these into subprocess_env (SSLOptions +StdEnvVars);
>     # read them via the APR::Table, since subprocess_env($key) is the
>     # set/unset form rather than a getter
>     my $env    = $r->subprocess_env;
>     my $cert   = $env->get('SSL_CLIENT_CERT');
>     my $serial = $env->get('SSL_CLIENT_M_SERIAL');
>     my $dn     = $env->get('SSL_CLIENT_S_DN');
>     my $sig    = $env->get('SSL_CLIENT_A_SIG');
>     if ($sig ne '89765479') {       # string compare; SSL_CLIENT_A_SIG is a name, not a number
>         # ... do something ...
>     }
>     return Apache2::Const::OK;      # Apache2::Const, not the mod_perl 1 Apache::OK
> }
> 1;
> -----[End MyTest::SSLAuth ]-----
I believe that you may have the same kind of issue that I was having back in December 2012.
Check the archives of this list, for a thread entitled "setHandler question".
Doing authentication and then proxying is a bit tricky.
The good news is that it works in the end, so your scheme is possible.
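The ordering the thread is about, as an added example that is neither the poster's module nor anything from the list: the certificate decision moves into a PerlAccessHandler, which mod_perl runs before the response phase that mod_proxy owns, so the backend is only contacted once the check has passed. It assumes the CPAN module Apache2::ModSSL and its `$c->ssl_var_lookup` method, and the allow-list, DN, serial and backend URL are constructed placeholders.

```perl
package MyTest::SSLAccess;
# Added example, not the poster's code: check the client certificate in the
# access phase, which runs before the response phase used by mod_proxy, so a
# rejected request never reaches the backend.
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::ModSSL ();   # assumed: CPAN module providing $c->ssl_var_lookup
use Apache2::Const -compile => qw(OK FORBIDDEN);
# Constructed allow-list keyed on issuer DN + serial, mapped to a user name.
# Keying on the subject DN alone would accept that DN from any trusted CA.
my %ALLOWED = (
    '/C=US/O=Example/CN=Example Client CA|0A1B2C' => 'alice',
);
# Pure decision function, so it can be exercised without a running Apache.
# Returns the user name on success, undef otherwise.
sub decide {
    my ($verify, $issuer, $serial) = @_;
    return unless $verify eq 'SUCCESS';        # handshake verified the chain
    return $ALLOWED{ "$issuer|" . uc($serial) };
}
sub handler {
    my $r = shift;
    my $c = $r->connection;
    # SSL_* entries only land in $r->subprocess_env at the fixup phase
    # (SSLOptions +StdEnvVars); in the access phase ask mod_ssl directly.
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY')   || '';
    my $issuer = $c->ssl_var_lookup('SSL_CLIENT_I_DN')     || '';
    my $serial = $c->ssl_var_lookup('SSL_CLIENT_M_SERIAL') || '';
    my $user = decide($verify, $issuer, $serial);
    unless (defined $user) {
        $r->log_error("client cert rejected: verify=$verify issuer=$issuer serial=$serial");
        return Apache2::Const::FORBIDDEN;   # mod_proxy never runs for this request
    }
    $r->user($user);                        # visible to later phases and the access log
    return Apache2::Const::OK;              # continue on to ProxyPass
}
1;
# Matching config, with the response left to mod_proxy (backend is a placeholder):
#   <Location /ssl>
#       PerlAccessHandler MyTest::SSLAccess
#       ProxyPass        http://BACKEND_PLACEHOLDER/
#       ProxyPassReverse http://BACKEND_PLACEHOLDER/
#   </Location>
```

With SSLVerifyClient require still set in the VirtualHost, certificates that do not chain to SSLCACertificateFile are rejected at the handshake, so the allow-list only decides among already-verified certificates.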
