Hi Folks.

For all running x509 based AUTHENTICATION on a reverse proxy (Using ProxyPass, even with jk_module) and AUTHORIZATION in a backend server (e.g. a Nagios...) this may help:

1. Copy interesting x509 attributes (HTTP_SSL_SERVER_S_DN or HTTP_SSL_CLIENT_S_DN_CN) to a RequestHeader in the reverse proxy. To avoid naming conflicts I took X-Forwarded-SSL_CLIENT_S_DN_CN:

    [...]
    RequestHeader set X-Forwarded-SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
    [...]

2. On the backend server copy that HTTP header to httpd's REMOTE_USER environment using mod_rewrite:

    [...]
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-SSL_CLIENT_S_DN_CN} (.*)
    RewriteRule ^.*$ - [E=REMOTE_USER:%1]
    [...]

Caution: The backend server trusts the reverse proxy requests fully! Sanitize your headers carefully there.

Martin

-- 
Martin Drescher
GnuPG Key Fingerprint, KeyID '4FBE451A':
'2237 1E95 8E50 E825 9FE8 AEE1 6FF4 1E34 4FBE 451A'
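
A hardened form of the two fragments in the message above, as an added example that is not part of the original post. The IP addresses, port, ServerName, file paths and the CN allow-list are placeholders and assumptions, and `Require ip` assumes Apache 2.4.

```apache
# Added example: placeholder addresses, paths and names; Apache 2.4 syntax assumed.

# --- Reverse proxy (10.0.0.10): authenticates the client certificate ---
<VirtualHost *:443>
    ServerName proxy.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/proxy.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/proxy.key
    SSLCACertificateFile  /etc/ssl/placeholder/client-ca.crt
    # Without a certificate that verifies against the CA above, nothing is proxied.
    SSLVerifyClient require
    # Export SSL_CLIENT_S_DN_CN and the other standard SSL variables to the environment.
    SSLOptions +StdEnvVars

    # "set" replaces any header of this name that the client supplied itself,
    # so the backend only ever sees the CN taken from the verified certificate.
    RequestHeader set X-Forwarded-SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}e"

    ProxyPass        "/" "http://10.0.0.20:8080/"
    ProxyPassReverse "/" "http://10.0.0.20:8080/"
</VirtualHost>

# --- Backend (10.0.0.20): authorizes on REMOTE_USER ---
Listen 10.0.0.20:8080
<VirtualHost 10.0.0.20:8080>
    # The header is only trustworthy if nobody but the proxy can reach this vhost.
    <Location "/">
        Require ip 10.0.0.10
    </Location>

    RewriteEngine On
    # Reject requests where the header is missing, empty or contains characters
    # outside the allow-list (the allow-list is an assumption; adjust it to the
    # CNs your CA issues).
    RewriteCond %{HTTP:X-Forwarded-SSL_CLIENT_S_DN_CN} !^[A-Za-z0-9._@-]+$
    RewriteRule ^ - [F]

    # Header passed the check: copy it to REMOTE_USER as in the original recipe.
    RewriteCond %{HTTP:X-Forwarded-SSL_CLIENT_S_DN_CN} ^(.+)$
    RewriteRule ^ - [E=REMOTE_USER:%1]
</VirtualHost>
```

Validate both files with `apachectl configtest` before reloading; a firewall rule restricting the backend port to the proxy's address is a sensible second layer alongside `Require ip`.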