RE: How to send WHOLE SSL_CLIENT_CERT in reverse proxy?

The backend server is a 3.x version of Jboss that uses Jetty as the
Servlet engine.
Can you use AJP with Jetty?

If not, is there some simple way to yank out the new lines in
SSL_CLIENT_CERT on the reverse proxy?

thanks
 

>-----Original Message-----
>From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx] 
>Sent: Wednesday, November 22, 2006 2:37 PM
>To: users@xxxxxxxxxxxxxxxx
>Subject: Re:  How to send WHOLE SSL_CLIENT_CERT in reverse proxy?
>
>What is the backend server? If it's Tomcat or JBoss I'd 
>suggest to use AJP connector that allows to pass client 
>certificates to backend.
>
>On 11/22/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>> Hello,
>>
>> I currently have a HTTPS reverse proxy setup and it works like a champ!
>>
>> I am trying to pass the client cert from the reverse proxy to the 
>> backend server in the headers like so...
>>
>> RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
>> RewriteRule .* - [E=SSLCC:%1]
>> RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>> RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443/$1 [P,L]
>>
>> Problem is, on the backend server that receives the request with 
>> client cert. in the headers it looks like this...
>>
>> XXX "-----BEGIN CERTIFICATE-----" XXX 10.0.0.114 - - [21/Nov/2006:16:15:02 -0500] "GET / HTTP/1.1" 200 4855 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>>
>> I only get the FIRST line of the client certificate...
>>
>> -----BEGIN CERTIFICATE-----
>>
>> And NOT the whole thing like...
>>
>> -----BEGIN CERTIFICATE-----
>> MIIDhjCCAm6gAwIBAgIQZ/IVv3ytMJxL1k62UAK1aDANBgkqhkiG9w0BAQUFADAY
>> Stuff, stuff, stuff,
>> CnsoGAWH1LHipceWTVaxAh+ZlmP9iwjD6+i7oGSFnuNT9iKBrRXHQuZt
>> -----END CERTIFICATE-----
>>
>>
>> I am assuming that the newlines in the client certificate on the 
>> reverse proxy are hosing up sending the WHOLE client certificate.
>>
>> How do I fix this problem?
>>
>> Do I try to take out the new lines in rewrite somehow?, how do I do 
>> that, I have no clue.
>>
>> Do I try to do something else? What and how?
>>
>> I have searched and could not find anything.
>>
>> Thanks much for your help, I appreciate it.
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP 
>Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>>
>

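The thread above asks how to get the whole certificate through a header whose value cannot contain newlines. As an added example (not part of the original messages or of any Apache or Jetty code), the Python below shows the transform on both sides: the proxy side reduces the PEM block to one line of bare base64, and the backend side rebuilds DER and canonical PEM, rejecting the truncated value the poster observed. The function names and the sample bytes are assumptions constructed for this example.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_to_pem(der: bytes) -> str:
    """Encode DER bytes as canonical PEM (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

def flatten_pem(pem: str) -> str:
    """Proxy side: reduce a multi-line PEM block to one line of bare base64."""
    body = pem.strip()
    if body.count(BEGIN) != 1 or not (body.startswith(BEGIN) and body.endswith(END)):
        raise ValueError("expected exactly one PEM certificate")
    return "".join(body[len(BEGIN):-len(END)].split())

def restore_pem(header_value: str) -> tuple[bytes, str]:
    """Backend side: return (DER, canonical PEM) from the header value.

    Accepts bare base64, or PEM whose newlines were dropped or became spaces.
    """
    if "\r" in header_value or "\n" in header_value:
        raise ValueError("CR/LF is not allowed inside a header value")
    value = header_value.strip()
    if value.startswith(BEGIN):
        if not value.endswith(END):
            raise ValueError("truncated PEM: END marker missing")
        value = value[len(BEGIN):-len(END)]
    try:
        der = base64.b64decode(re.sub(r"[ \t]+", "", value), validate=True)
    except binascii.Error as exc:
        raise ValueError("header is not valid base64") from exc
    if not der:
        raise ValueError("empty certificate body")
    return der, der_to_pem(der)

# Constructed sample bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    flat = flatten_pem(SAMPLE_PEM)
    der, pem = restore_pem(flat)
    print(len(flat), der == SAMPLE_DER, pem == SAMPLE_PEM)
```

A backend should accept X-SSL-Client-Cert only on connections from the proxy, and the proxy should overwrite the header rather than append to it (`RequestHeader set` replaces an existing value, `add` does not), so that a client cannot supply its own copy.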


