On Thu 25 Jun 2009, André Warnier wrote:
> > I am using Apache reverse proxy.
> >
> > I want to perform the following and wondering if it is possible:
> >
> > 1) Extract a field (Subject Name) from a client certificate
> > sent over SSL and compare it to a local list I have
> >
> > 2) Add parts of the certificate to headers or parameters in
> > the HTTP request to the backend server
>
> I don't know SSL and HTTPS, and how Apache handles this, well enough
> to answer your question precisely.
> But I can contribute this :
> If the result of the HTTPS handshake is such that, for Apache, this
> HTTP request ends up "authenticated" (iow it has a user-id), then
> yes, you could get that Apache request user-id and pass it on to a
> back-end. The exact way in which you might do this depends very much
> on a whole series of other criteria, which you might want to indicate
> in a future post :
> - which platform(s) ?
> - Apache version ?
> - which back-end ? (and version)
> - how you connect the front-end to the back-end ?
> - does your front-end Apache have (for instance) mod_perl active ?
> (there are also a host of ways other than mod_perl to do things like
> that, such as mod_rewrite, setenvif, mod_headers, mod_proxy, mod_jk,
> etc..; I'm just mentioning mod_perl because it is my own preferred
> toolbox for that kind of thing).

All this can be done in mod_perl quite easily. If you already use it,
have a look at Apache2::ModSSL on CPAN.

If you want to avoid mod_perl, have a look at mod_headers' RequestHeader
combined with the %{...}s format for point 2 of your list and perhaps
mod_ssl's SSLRequire for point 1.

Torsten

--
Need professional mod_perl support? Just hire me: torsten.foertsch@xxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
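The mod_ssl/mod_headers route suggested in the reply above could look like the following. This is an added example, not configuration posted by anyone in the thread; the server name, file paths, allowed CN values, header names and backend URL are constructed placeholders.

```apache
# Added example: reverse proxy that checks the client certificate subject
# against a local list and forwards certificate fields to the backend.
# All names, paths and CN values below are constructed placeholders.
<VirtualHost *:443>
    ServerName proxy.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.example.com.key

    # Request a client certificate and accept only those that chain
    # to the CA in this file.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location />
        # Point 1: compare a subject field (here the CN) with a local list.
        # Requests whose certificate does not match are answered with 403.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
               and %{SSL_CLIENT_S_DN_CN} in {"alice", "bob"}
    </Location>

    # Point 2: copy certificate fields into request headers using the
    # %{VARNAME}s format of mod_headers. "set" replaces any header of the
    # same name sent by the client, so the backend only ever sees values
    # that mod_ssl derived from the verified certificate.
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-CN     "%{SSL_CLIENT_S_DN_CN}s"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # Forward to the backend (address is an assumption).
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend should accept connections only from the proxy, since it trusts these headers as proof of identity. On Apache 2.4, SSLRequire is deprecated in favour of `Require expr`.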