Tried doing it via the query string, and not the headers like this...

RewriteMap escape int:escape
RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
RewriteRule .* - [E=SSLCC:%1]
RewriteRule ^/https(.*)$ https://kftcsu09.ftc.lab:6443$1?CLIENT_CERT=${escape:%{ENV:SSLCC}} [QSA,P]

And got this...

10.0.0.114 - - [27/Nov/2006:11:52:07 -0500] "GET /?CLIENT_CERT=-----BEGIN%20CERTIFICATE----- HTTP/1.1" 200 4855 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

So, it does not appear that the whole client cert gets passed as a query string either. Do I even have the whole client certificate to begin with at the reverse proxy server?

I am really trying NOT to use AJP module for multiple reasons, BUT am I getting to a point where it is my only option to successfully proxy the whole client certificate to the jboss server behind the proxy server?

>-----Original Message-----
>From: Lucuk, Pete [mailto:pete.lucuk@xxxxxxx]
>Sent: Monday, November 27, 2006 11:26 AM
>To: users@xxxxxxxxxxxxxxxx
>Subject: RE: How to send WHOLE SSL_CLIENT_CERT in reverse proxy?
>
>
>This...
>
>  RewriteMap escape int:escape
>
>  RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
>  RewriteRule .* - [E=SSLCC:${escape:{%1}}]
>  RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>
>  RewriteRule ^/https(.*)$ https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/RequestHeaderExample$1 [P,L]
>
>Gets me this...
>
>user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
>x-ssl-client-on SUCCESS
>x-ssl-client-name Doug S. Barnhart
>x-ssl-client-cert %7b-----BEGIN%20CERTIFICATE-----%7d
>max-forwards 10
>x-forwarded-for 10.0.1.55
>
>And this...
>
>
>  RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
>  RewriteRule .* - [E=SSLCC:%1]
>  RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>
>  RewriteRule ^/https(.*)$ https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/RequestHeaderExample$1 [P,L]
>
>Gets me this...
>
>user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
>x-ssl-client-on SUCCESS
>x-ssl-client-name Doug S. Barnhart
>x-ssl-client-cert -----BEGIN CERTIFICATE-----
>max-forwards 10
>x-forwarded-for 10.0.1.55
>
>
>It appears that I am still not getting the whole ssl client cert even after the escape...
>
>  RewriteRule .* - [E=SSLCC:${escape:{%1}}]
>
>  x-ssl-client-cert %7b-----BEGIN%20CERTIFICATE-----%7d
>
>
>Am I doing something wrong on the escape?
>
>Bottom line, I am trying to get that whole client pem certificate to be pushed across in the header with no luck.
>
>
>>-----Original Message-----
>>From: Lucuk, Pete [mailto:pete.lucuk@xxxxxxx]
>>Sent: Monday, November 27, 2006 10:04 AM
>>To: users@xxxxxxxxxxxxxxxx
>>Subject: RE: How to send WHOLE SSL_CLIENT_CERT in reverse proxy?
>>
>>Where would I put the Rewrite escape function in the stuff below? I tried a couple different things and could not get it to work. Thank you for your help, I appreciate it
>>
>>
>>RewriteCond %{SSL:SSL_CLIENT_CERT} (.*)
>>RewriteRule .* - [E=SSLCC:%1]
>>RequestHeader add X-SSL-Client-Cert %{SSLCC}e
>>
>>RewriteRule ^/https(.*)$ https://kftcsu14.ftc.lab:48605/servlets-examples/servlet/RequestHeaderExample$1 [P,L]
>>
>>
>>>-----Original Message-----
>>>From: Max Dittrich [mailto:max.dittrich@xxxxxxxxxxx]
>>>Sent: Thursday, November 23, 2006 8:37 PM
>>>To: users@xxxxxxxxxxxxxxxx
>>>Subject: Re: How to send WHOLE SSL_CLIENT_CERT in reverse proxy?
>>>
>>>Lucuk, Pete wrote:
>>>> The backend server is a 3.x version of Jboss that uses Jetty as the
>>>> Servlet engine.
>>>> Can you use AJP with Jetty?
>>>>
>>>> If not, is there some simple way to yank out the new lines in
>>>> SSL_CLIENT_CERT on the reverse proxy?
>>>
>>>I just looked up the Apache Docs, because I remembered those internal RewriteMaps. Maybe there's a chance using the internal RewriteMap 'escape' to encode special characters like "\n".
>>>
>>>Limitations on the accepted length of headers (2048) may break this solution.
>>>
>>>hf,
>>>.max
>>>
>>>---------------------------------------------------------------------
>>>The official User-To-User support forum of the Apache HTTP Server Project.
>>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>>>For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
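
Added example, not part of the original thread: it reproduces the truncation seen in the header and access-log output above and shows a backend-side routine that rebuilds and checks a forwarded PEM value. Python's `re` stands in for the `RewriteCond` pattern on the assumption that `.` stops at a newline there as well; the function names and the sample value are constructed for illustration.

```python
import base64
import re
from urllib.parse import quote, unquote

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed sample: PEM framing around made-up bytes, not a real certificate.
BODY = base64.b64encode(bytes(range(96))).decode()
SAMPLE_PEM = "\n".join([BEGIN, BODY[:64], BODY[64:], END]) + "\n"


def first_group(value, pattern=r"(.*)"):
    """Group 1 of an unanchored match where '.' does not match newline."""
    return re.search(pattern, value).group(1)


def to_header_value(pem):
    """Percent-encode the whole PEM so it travels as one header line."""
    return quote(pem, safe="")


def from_header_value(value):
    """Backend side: rebuild a canonical PEM from the forwarded header.

    Accepts percent-encoded text or PEM whose newlines became spaces.
    Raises ValueError if the framing or base64 body is damaged.
    """
    text = unquote(value).strip()
    if not (text.startswith(BEGIN) and text.endswith(END)):
        raise ValueError("truncated or malformed certificate header")
    body = re.sub(r"\s+", "", text[len(BEGIN):-len(END)])
    if not body:
        raise ValueError("certificate body is empty")
    base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


if __name__ == "__main__":
    print(first_group(SAMPLE_PEM))        # only the BEGIN line is captured
    encoded = to_header_value(SAMPLE_PEM)
    print(len(SAMPLE_PEM), len(encoded))  # encoded size vs. the header limit
    print(from_header_value(encoded) == SAMPLE_PEM)
```

A backend that makes trust decisions on this header should accept it only from the proxy, and the proxy should discard any copy of the header sent by the client.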