Re: How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

What is the backend server? If it's Tomcat or JBoss, I'd suggest
using the AJP connector, which allows passing client certificates to the backend.

On 11/22/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
Hello,

I currently have a HTTPS reverse proxy setup and it works like a champ!

I am trying to pass the client cert from the reverse proxy to the
backend server in the headers like so...

RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
RewriteRule .* - [E=SSLCC:%1]
RequestHeader add X-SSL-Client-Cert %{SSLCC}e
RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443/$1 [P,L]

Problem is, on the backend server that receives the request with client
cert. in the headers it looks like this...

XXX "-----BEGIN CERTIFICATE-----" XXX 10.0.0.114 - -
[21/Nov/2006:16:15:02 -0500] "GET / HTTP/1.1" 200 4855 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

I only get the FIRST line of the client certificate...

-----BEGIN CERTIFICATE-----

And NOT the whole thing like...

-----BEGIN CERTIFICATE-----
MIIDhjCCAm6gAwIBAgIQZ/IVv3ytMJxL1k62UAK1aDANBgkqhkiG9w0BAQUFADAY
Stuff, stuff, stuff,
CnsoGAWH1LHipceWTVaxAh+ZlmP9iwjD6+i7oGSFnuNT9iKBrRXHQuZt
-----END CERTIFICATE-----


I am assuming that the newlines in the client certificate on the reverse
proxy are hosing up sending the WHOLE client certificate.

How do I fix this problem?

Do I try to take out the newlines in rewrite somehow? How do I do
that? I have no clue.

Do I try to do something else? What and how?

I have searched and could not find anything.

Thanks much for your help, I appreciate it.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
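
Added example, not part of the original thread: a Python sketch of the symptom in the question (a `(.*)` capture stopping at the first newline of the PEM text) and of a backend check that only accepts a complete certificate from the header. It assumes the proxy forwards the PEM with line breaks folded into spaces; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed stand-in, NOT a real certificate: DER SEQUENCE tag 0x30,
# two-byte length 0x0100, then 256 filler bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def to_pem(der):
    """Armor DER as multi-line PEM, the shape SSL_CLIENT_CERT has."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def first_line_only(pem):
    """What a (.*) capture keeps when '.' does not match a newline."""
    return re.match(r"(.*)", pem).group(1)


def pem_to_header(pem):
    """Proxy side (assumed encoding): fold line breaks into spaces."""
    return " ".join(pem.splitlines())


def header_to_der(values):
    """Backend side: take all values of the header, return the DER bytes."""
    # 'RequestHeader add' appends to a header the request already carries,
    # so more than one value means the proxy did not write it alone.
    if len(values) != 1:
        raise ValueError("expected exactly one certificate header value")
    value = values[0].strip()
    if not (value.startswith(BEGIN) and value.endswith(END)):
        raise ValueError("PEM armor incomplete (header truncated?)")
    body = "".join(value[len(BEGIN):-len(END)].split())
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if der[:1] != b"\x30":
        raise ValueError("payload is not a DER SEQUENCE")
    return der


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(repr(first_line_only(pem)))
    print(header_to_der([pem_to_header(pem)]) == SAMPLE_DER)
```

The recovered DER bytes still have to be parsed and validated by the backend's own X.509 code before any identity decision is made on them.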


