Re: How to send WHOLE SSL_CLIENT_CERT in reverse proxy?


 



I don't know too much about Jetty but I know for sure that you can use
AJP with JBoss. Configure AJP connector in server.xml for
catalina/tomcat part of JBoss, install mod_jk and
look for mod_jk ssl options on how to pass client certificate.

I really doubt that you can use regular mod_proxy for passing client
certificates. This question arose in the list several times but
nobody posted a working solution for it. I use Apache 2.2.3 + mod_jk +
AJP + Tomcat for that and it works perfectly. BTW, Apache 2.2.3 is a must.

On 11/22/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
The backend server is a 3.x version of Jboss that uses Jetty as the
Servlet engine.
Can you use AJP with Jetty?

If not, is there some simple way to yank out the new lines in
SSL_CLIENT_CERT on the reverse proxy?

thanks


>-----Original Message-----
>From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>Sent: Wednesday, November 22, 2006 2:37 PM
>To: users@xxxxxxxxxxxxxxxx
>Subject: Re:  How to send WHOLE SSL_CLIENT_CERT
>in reverse proxy?
>
>What is the backend server? If it's Tomcat or JBoss I'd
>suggest to use AJP connector that allows to pass client
>certificates to backend.
>
>On 11/22/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>> Hello,
>>
>> I currently have a HTTPS reverse proxy setup and it works like a champ!
>>
>> I am trying to pass the client cert from the reverse proxy to the
>> backend server in the headers like so...
>>
>> RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
>> RewriteRule .* - [E=SSLCC:%1]
>> RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>> RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443/$1 [P,L]
>>
>> Problem is, on the backend server that receives the request with
>> client cert. in the headers it looks like this...
>>
>> XXX "-----BEGIN CERTIFICATE-----" XXX 10.0.0.114 - - [21/Nov/2006:16:15:02 -0500] "GET / HTTP/1.1" 200 4855 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>>
>> I only get the FIRST line of the client certificate...
>>
>> -----BEGIN CERTIFICATE-----
>>
>> And NOT the whole thing like...
>>
>> -----BEGIN CERTIFICATE-----
>> MIIDhjCCAm6gAwIBAgIQZ/IVv3ytMJxL1k62UAK1aDANBgkqhkiG9w0BAQUFADAY
>> Stuff, stuff, stuff,
>> CnsoGAWH1LHipceWTVaxAh+ZlmP9iwjD6+i7oGSFnuNT9iKBrRXHQuZt
>> -----END CERTIFICATE-----
>>
>>
>> I am assuming that the newlines in the client certificate on the
>> reverse proxy are hosing up sending the WHOLE client certificate.
>>
>> How do I fix this problem?
>>
>> Do I try to take out the new lines in rewrite somehow?, how do I do
>> that, I have no clue.
>>
>> Do I try to do something else? What and how?
>>
>> I have searched and could not find anything.
>>
>> Thanks much for your help, I appreciate it.
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP
>Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>>
>
>
>
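
An added example, not part of the original thread or of any project mentioned in it: a backend-side check for the `X-SSL-Client-Cert` header discussed above, assuming the proxy has been changed to send the PEM on one line (line breaks replaced by spaces or dropped). The names `pem_from_header`, `CertHeaderError` and `constructed_pem` are hypothetical, and the sample data is constructed, not a real certificate.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class CertHeaderError(ValueError):
    """Header value is not exactly one complete PEM certificate."""


def _wrap64(b64: str) -> str:
    # PEM bodies are wrapped at 64 characters per line.
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def pem_from_header(value: str) -> str:
    """Rebuild a canonical PEM block from a one-line header value."""
    # Exactly one BEGIN and one END marker: this rejects the truncated value
    # seen in the thread (BEGIN line only) and any value that carries a
    # second certificate joined to the first.
    if value.count(BEGIN) != 1 or value.count(END) != 1:
        raise CertHeaderError("expected exactly one BEGIN/END marker pair")
    value = value.strip()
    if not (value.startswith(BEGIN) and value.endswith(END)):
        raise CertHeaderError("data outside the certificate markers")
    # Drop whatever whitespace the proxy substituted for the line breaks.
    body = re.sub(r"\s+", "", value[len(BEGIN):-len(END)])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise CertHeaderError(f"body is not valid base64: {exc}") from exc
    # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    if not der or der[0] != 0x30:
        raise CertHeaderError("decoded body is not a DER SEQUENCE")
    return f"{BEGIN}\n{_wrap64(base64.b64encode(der).decode())}\n{END}\n"


def constructed_pem() -> str:
    # Constructed sample: a DER SEQUENCE wrapping 100 zero bytes. It has the
    # shape of a PEM block but is not a real certificate.
    der = bytes([0x30, 0x66, 0x04, 0x64]) + bytes(100)
    return f"{BEGIN}\n{_wrap64(base64.b64encode(der).decode())}\n{END}\n"
```

The function checks only the framing of the header value; parsing and validating the certificate itself is left to the backend's X.509 library.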





