Message-ID: <511295D1.7010500@ice-sa.com>
Date: Wed, 06 Feb 2013 18:41:37 +0100
From: André Warnier
Reply-To: mod_perl list
To: mod_perl list
Subject: Re: Question on how execution order of Mod_Perl
Mailing-List: contact modperl-help@perl.apache.org; run by ezmlm

Timothy Gallagher wrote:
> Hello all,
> I have a question for you that I am
> in need of some help/guidance on. I am not sure if this is a question for Apache, Perl or mod_perl; I believe this is the correct place to ask. I am building a reverse proxy server that authenticates a user via the client SSL certificate that is presented to Apache.
>
> When a person connects to https://alpha.dev.home.com/ssl, they are requested to present a client SSL cert to the server. Using Mod_Perl, I then get the client certificate information and do some internal processing to verify the user. If the user is good, I want to then continue the request by acting as a reverse proxy server for internal Apache servers.
>
> I have all these processes working, except not in the correct order. Here is the order in which the items are happening.
> A user will connect to https://alpha.dev.home.com/ssl. The user is presented with a request for a client certificate. When the user presents the certificate, they are then allowed access to the backend (private Apache web server). At the same time, mod_perl is processing their client SSL certificate.
>
> Am I able to dictate the order in which a request in Apache with mod_perl is processed, meaning:
>
> 1. Request comes in
>
> 2. Customer needs to present a client SSL certificate
>
> 3. Mod_perl takes the client certificate information and processes the information for authentication
>
> 4. Depending on the outcome of the authentication process, allow the session to continue or drop the connection.
>
> Here is the code that I am using for testing
> -----[Begin Apache Config]-----
>
> # Get the required environment
> PerlRequire /opt/perlEngine/startup.pl
> # SSL Requirements
> SSLEngine on
> SSLProtocol +SSLv3 +TLSv1
> SSLCertificateFile /opt/certs/server/alpha@danati.home.com-cert.pem
> SSLCertificateKeyFile /opt/certs/server/alpha@danati.home.com-key.pem
> SSLCACertificateFile /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
> SSLVerifyClient require
> SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
>
>
> SetHandler perl-script
> PerlResponseHandler MyTest::SSLAuth
> ProxyRequests off
> ProxyPass /ssl http://10.10.10.100
> ProxyPassReverse /ssl http://10.10.10.100
>
>
> -----[End Apache Config]-----
>
>
> -----[Begin MyTest::SSLAuth ]-----
>
> package MyTest::SSLAuth;
> #use Apache2::ModSSL;
> use strict;
> use warnings;
> use Apache2::RequestRec ();
> use Apache2::RequestIO ();
> use Digest::SHA qw(sha256_hex);
> use Apache2::Const -compile => qw(OK);
> use Data::Dumper;
>
> sub handler {
>     my $r = shift;
>     $r->content_type('text/plain');
>     my $c = $r->connection;
>     # SSL_* variables exported by mod_ssl (+StdEnvVars +ExportCertData)
>     my $cert   = $r->subprocess_env('SSL_CLIENT_CERT');
>     my $serial = $r->subprocess_env('SSL_CLIENT_M_SERIAL');
>     my $dn     = $r->subprocess_env('SSL_CLIENT_S_DN');
>     # SSL_CLIENT_A_SIG is the signature algorithm name (a string), so compare as a string
>     my $sig    = $r->subprocess_env('SSL_CLIENT_A_SIG');
>     if ($sig ne 89765479) {
>         # .... do something ......
>     }
>     # OK was compiled from Apache2::Const above, so it lives in that namespace
>     return Apache2::Const::OK;
> }
> 1;
> -----[End MyTest::SSLAuth ]-----
>

Hi.
I believe that you may have the same kind of issue that I was having back in December 2012.
Check the archives of this list, for a thread entitled "setHandler question".
Doing authentication and then proxying is a bit tricky. The good news is that it works in the end, so your scheme is possible.
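An added example (not code from this thread or from the mod_perl project) of moving the certificate check into the access phase, which Apache runs before mod_proxy's response handler, so the authentication decision is made before anything is proxied. It assumes the CPAN module Apache2::ModSSL (the one commented out in the post) is installed and provides `ssl_var_lookup` on the connection object, that `SSLVerifyClient require` is set at server level as in the post, and that the handler name, the allow-listed serial numbers and the `X-Client-DN` header are placeholders:

```perl
# Hypothetical config, replacing the PerlResponseHandler in the post:
#   PerlAccessHandler MyTest::SSLAccess
#   ProxyPass        /ssl http://10.10.10.100
#   ProxyPassReverse /ssl http://10.10.10.100
package MyTest::SSLAccess;

use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::ModSSL;         # CPAN: adds ssl_var_lookup() to the connection
use APR::Table ();
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Constructed allow-list of client certificate serial numbers (mod_ssl
# reports them as uppercase hex). Placeholder values, not real ones.
my %ALLOWED_SERIAL = map { $_ => 1 } qw(0A1B2C3D4E 0A1B2C3D4F);

sub handler {
    my $r = shift;
    my $c = $r->connection;

    # Access phase: subprocess_env does not carry the SSL_* variables yet
    # (mod_ssl exports them in the fixup phase), so ask mod_ssl directly.
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY')   // '';
    my $serial = $c->ssl_var_lookup('SSL_CLIENT_M_SERIAL') // '';
    my $dn     = $c->ssl_var_lookup('SSL_CLIENT_S_DN')     // '';

    # SSLVerifyClient require already refuses unverified handshakes;
    # re-checking here keeps the handler safe if that directive changes.
    if ($verify ne 'SUCCESS') {
        $r->log_error("client cert not verified: $verify");
        return Apache2::Const::FORBIDDEN;
    }
    unless ($ALLOWED_SERIAL{ uc $serial }) {
        $r->log_error("client cert serial '$serial' ($dn) not allowed");
        return Apache2::Const::FORBIDDEN;   # 403, nothing is proxied
    }

    # Identity for the backend and the access log; mod_proxy then
    # serves the response phase as configured by ProxyPass.
    $r->headers_in->set('X-Client-DN' => $dn);
    $r->user($dn);
    return Apache2::Const::OK;
}

1;
```

The backend should trust `X-Client-DN` only when it is reachable solely through this proxy, since the header is otherwise client-supplied.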