I don't know too much about Jetty but I know for sure that you can use AJP with JBoss. Configure AJP connector in server.xml for catalina/tomcat part of JBoss, install mod_jk and look for mod_jk ssl options on how to pass client certificate.

I really doubt that you can use regular mod_proxy for passing client certificates. This question arose in the list several times but nobody posted a working solution for it. I use Apache 2.2.3 + mod_jk + AJP + Tomcat for that, and it works perfectly.

BTW, Apache 2.2.3 is a must.

On 11/22/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
The backend server is a 3.x version of Jboss that uses Jetty as the Servlet engine.

Can you use AJP with Jetty?

If not, is there some simple way to yank out the new lines in SSL_CLIENT_CERT on the reverse proxy?

thanks

>-----Original Message-----
>From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>Sent: Wednesday, November 22, 2006 2:37 PM
>To: users@xxxxxxxxxxxxxxxx
>Subject: Re: How to send WHOLE SSL_CLIENT_CERT in reverse proxy?
>
>What is the backend server? If it's Tomcat or JBoss I'd
>suggest to use AJP connector that allows to pass client
>certificates to backend.
>
>On 11/22/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>> Hello,
>>
>> I currently have a HTTPS reverse proxy setup and it works like a champ!
>>
>> I am trying to pass the client cert from the reverse proxy to the
>> backend server in the headers like so...
>>
>> RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
>> RewriteRule .* - [E=SSLCC:%1]
>> RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>> RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443/$1 [P,L]
>>
>> Problem is, on the backend server that receives the request with
>> client cert. in the headers it looks like this...
>>
>> XXX "-----BEGIN CERTIFICATE-----" XXX 10.0.0.114 - - [21/Nov/2006:16:15:02 -0500] "GET / HTTP/1.1" 200 4855 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>>
>> I only get the FIRST line of the client certificate...
>>
>> -----BEGIN CERTIFICATE-----
>>
>> And NOT the whole thing like...
>>
>> -----BEGIN CERTIFICATE-----
>> MIIDhjCCAm6gAwIBAgIQZ/IVv3ytMJxL1k62UAK1aDANBgkqhkiG9w0BAQUFADAY
>> Stuff, stuff, stuff,
>> CnsoGAWH1LHipceWTVaxAh+ZlmP9iwjD6+i7oGSFnuNT9iKBrRXHQuZt
>> -----END CERTIFICATE-----
>>
>> I am assuming that the newlines in the client certificate on the
>> reverse proxy are hosing up sending the WHOLE client certificate.
>>
>> How do I fix this problem?
>>
>> Do I try to take out the new lines in rewrite somehow?, how do I do
>> that, I have no clue.
>>
>> Do I try to do something else? What and how?
>>
>> I have searched and could not find anything.
>>
>> Thanks much for your help, I appreciate it.
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
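An added example (not part of the thread, and not code from either poster): a Python sketch of the "take out the newlines" approach asked about above, where the proxy flattens the PEM onto one header line and the backend rebuilds and sanity-checks it, rejecting the truncated first-line-only value shown in the log. The function names, the trusted-proxy address check and the sample bytes are assumptions made for illustration; the single-value check is there because `RequestHeader add` appends to any header of the same name that the client already sent.

```python
import base64
import binascii
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
HEADER = "x-ssl-client-cert"  # header name used in the thread's config

def flatten_for_header(pem):
    """Proxy side: collapse CR/LF so the value fits on one header line."""
    return " ".join(pem.split())

def _der_sequence_ok(der):
    """Structural check only: outer DER SEQUENCE whose length covers the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_from_header(value):
    """Backend side: rebuild 64-column PEM or raise ValueError."""
    m = re.fullmatch(re.escape(BEGIN) + r"(.*)" + re.escape(END), value.strip(), re.S)
    if not m:
        raise ValueError("BEGIN/END markers missing (value truncated at a newline?)")
    b64 = "".join(m.group(1).split())
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not base64") from exc
    if not _der_sequence_ok(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

def client_cert(headers, peer_ip, proxy_ips):
    """Accept the header only from the proxy, and only if it appears once."""
    if peer_ip not in proxy_ips:
        raise ValueError("header not trusted from this peer")
    values = [v for k, v in headers if k.lower() == HEADER]
    if len(values) != 1:
        raise ValueError("expected exactly one certificate header")
    return pem_from_header(values[0])

# Constructed sample: 260 bytes shaped like a DER SEQUENCE, not a real certificate.
_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = pem_from_header(BEGIN + base64.b64encode(_DER).decode() + END)
```

The backend check is structural only; chain and revocation validation is assumed to have been done by the proxy that terminated TLS.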