As you can see I want client authentication
but with this configuration the server doesn't ask certificate for the
browser.
If I move SSLVerifyClient and
SSLVerifyDepth out of the location directive the server ask client cert
but then it seems that the filter doesn't work.
And the server ask me a cert I select
it from my browser list and it is not signed from a CA with a common name
"manuciao" but the server doesn't stop me from serving a page.
How Can I see SSL_CLIENT_I_DN_CN
value?
I've turn the debug on but I can't see
anything for this variable.
If I want a configuration where the
server asks for client certificates for specific url and accepts only the
one with a specific CA or a specific common name what have I to do????
What is the configuration in my ssl.conf
file?
Pleas let me know!
Thanks in advance
Manuela Vorazzo
"Dale Ogilvie"
<Dale.Ogilvie@xxxxxxxxxxxxx>
31/05/2007 04.15
Please respond to
users@xxxxxxxxxxxxxxxx
To
<users@xxxxxxxxxxxxxxxx>
cc
Subject
mod_proxy_balance never
recovers from a worker error with stickysession
Hello,
I am running Apache 2.2.3 on RedHat EL 5. I am trying to use Apache to
load balance between two local instances of tomcat in order to utilize
the vast quantities of RAM on our production server.
The problem is that if one of the workers gets into error status, any
client with a JSESSIONID referencing that route is never able to receive
a reply, Apache *always* responds with a 503 - Temporarily unavailable,
*until* another request is successful. I expected with "retry=120"
that
after 120 seconds the client would be able to use the errored out
worker, but this is *not* the case.
Test case:
1. Start tomcats
2. Access /docushare, this succeeds and returns a JSESSIONID cookie
referencing the member e.g.
JSESSIONID=BC90C156669FDF0194657FF27EC3AF99.tomcat2
3. Stop tomcats to simulate a backend failure
4. Access /docushare again in the same browser session, this fails with
a 503 error (as expected). Balance-manager shows tomcat1 is OK, and
tomcat2 is Err
Error_log shows: All workers are in error state for route (tomcat2)
5. Start tomcats again
6. Wait for 120+ seconds to allow retry=120 to take effect
7. Access /docushare *using the session with the tomcat2 cookie*, expect
success, get 503 error. I can repeat this step ad nauseam without ever
getting a successful response.
Error_log shows: All workers are in error state for route (tomcat2)
8. To resolve the issue, delete the JSESSIONID cookie from the client or
open up a new browser and access /docushare. Either of these seem to
solve the problem for the "cookied" browser session.
9. Access /docushare, this succeeds, balance-manager shows both tomcat1
and tomcat2 are now OK even though the cookie returned to this request
is for *tomcat1*.
So I would expect that the balance would retry the errored path
successfully "retry" seconds after the failure. Is this a bug
or do I
have some misunderstanding and/or misconfiguration?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
*******************Internet Email Confidentiality Footer*******************
Qualsiasi utilizzo non autorizzato del presente messaggio nonché dei suoi
allegati è vietato e potrebbe costituire reato. Se ha ricevuto per errore
il presente messaggio, Le saremmo grati se ci inviasse, via e-mail, una
comunicazione al riguardo e provvedesse nel contempo alla distruzione del
messaggio stesso e dei suoi eventuali allegati. Le dichiarazioni contenute
nel presente messaggio nonche' nei suoi eventuali allegati devono essere
attribuite al mittente e non possono essere necessariamente considerate
come autorizzate da SIA-SSB S.p.A.; le medesime dichiarazioni non impegnano
SIA-SSB S.p.A. nei confronti del destinatario o di terzi. SIA-SSB S.p.A.
non si assume alcuna responsabilita' per eventuali intercettazioni, modifiche
o danneggiamenti del presente messaggio e-mail.
Any unauthorized use of this e-mail or any of its attachments is prohibited
and could constitute an offence. If you are not the intended addressee
please advise immediately the sender by using the reply facility in your
e-mail software and destroy the message and its attachments. The statements
and opinions expressed in this e-mail message are those of the author of
the message and do not necessarily represent those of SIA-SSB S.p.A. Besides,
The contents of this message shall be understood as neither given nor endorsed
by SIA-SSB S.p.A.. SIA-SSB S.p.A. does not accept liability for corruption,
interception or amendment, if any, or the consequences thereof.
