Re: mod_lua and subprocess_env


 



On Wed, Feb 22, 2017 at 5:10 PM, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> On Wed, Feb 22, 2017 at 3:19 PM, Andrei Ivanov <andrei.ivanov@xxxxxxxxx> wrote:
> > On Wed, Feb 22, 2017 at 3:36 PM, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> >>
> >> My bad, please try without the parentheses:
> >>
> >>     Require expr "'IP Address:' . %{REMOTE_ADDR} -in PeerExtList('2.5.29.17')"
> >
> > Did that too, Apache starts but the expression always returns false :-(
> >
> > And I can't find a way to debug it, to see what PeerExtList('2.5.29.17')
> > returns for my client certificate.
>
> My proposed patch (to be applied to 2.4.25) and:
>     Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
> does it.

I've managed to apply your patch and rebuild Apache and now I have:
Header set Client-IP "expr=%{REMOTE_ADDR}"
Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"

Header set matched false
<If "%{REMOTE_ADDR} -in PeerExtList('2.5.29.17')">
    Header set matched true
</If>

results:
Client-IP: 159.107.78.119
Client-SAN: email:<email1>, email:<email2>, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.119, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
Client-DN: CN=client-with-subjectAltName-with-IPs-4
matched: false

And with:
<Location />
    Require expr "'IP Address:'.%{REMOTE_ADDR} -in PeerExtList('2.5.29.17')"
</Location>

I still get a 403 Forbidden :-(
AH01626: authorization result of Require expr "'IP Address:'.%{REMOTE_ADDR} -in PeerExtList('2.5.29.17')": denied

What is wrong with it?
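
An offline cross-check of the values in the results above, added here as an example and not part of the original message or of Apache's code: it splits the Client-SAN header value into entries and tests REMOTE_ADDR both as a literal string and as a parsed address. The function names and the comma-splitting of the header value are assumptions made for illustration.

```python
import ipaddress

# Constructed from the "results" in the message above; the two e-mail
# entries are redacted on the page and kept here as placeholders.
CLIENT_SAN = ("email:<email1>, email:<email2>, IP Address:127.0.0.1, "
              "IP Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.119, "
              "IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44")

IP_PREFIX = "IP Address:"


def san_entries(header_value):
    """Split the comma-joined header value into individual SAN entries."""
    return [e.strip() for e in header_value.split(",") if e.strip()]


def san_ips(header_value):
    """Return the parsed IP entries, skipping e-mail and malformed ones."""
    ips = []
    for entry in san_entries(header_value):
        if not entry.startswith(IP_PREFIX):
            continue
        try:
            ips.append(ipaddress.ip_address(entry[len(IP_PREFIX):]))
        except ValueError:
            continue  # not a valid address literal
    return ips


def literal_match(remote_addr, header_value):
    """String comparison, as in the expression 'IP Address:' . REMOTE_ADDR."""
    return IP_PREFIX + remote_addr in san_entries(header_value)


def normalized_match(remote_addr, header_value):
    """Compare as addresses, so textual IPv6 variants are treated as equal."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return addr in san_ips(header_value)


if __name__ == "__main__":
    for ra in ("159.107.78.119", "::1", "10.0.0.1"):
        print(ra, literal_match(ra, CLIENT_SAN), normalized_match(ra, CLIENT_SAN))
```

For the address in the results the literal comparison succeeds against the header text, while a compressed IPv6 form such as ::1 only matches after normalization.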
