It was thus said that the Great Eldad Chai once stated:
> Hi,
>
> I am using Apache reverse proxy.
>
> I want to perform the following and wondering if it is possible:
>
> 1) Extract a field (Subject Name) from a client certificate sent over
>    SSL and compare it to a local list I have
>
> 2) Add parts of the certificate to headers or parameters in the HTTP
>    request to the backend server

1) How is the local list stored? My current configuration on my secure
server for client certificates looks like:

    <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
      SSLRequireSSL
      SSLRequire %{SSL_CLIENT_S_DN_O} eq "Conman Laboratories" \
             and %{SSL_CLIENT_S_DN_OU} eq "Clients"
      SSLVerifyClient require
      SSLVerifyDepth 10
    </Directory>

Translated: Only a certificate with an organization of "Conman
Laboratories" and a department of "Clients" can access this directory;
otherwise, fail the request.

I'm sure there are other methods, but I haven't investigated them.

2) I'm guessing something based on the following (I haven't played around
much with web proxies, but this might get you on the right track):

    RewriteEngine On
    RewriteBase /wherever
    RewriteRule ^(.*)$ proxyrequest?user=%{SSL:SSL_CLIENT_S_DN_CN}&group=%{SSL:SSL_CLIENT_S_DN_OU} [P,L]

Basically, any of the SSL environment variables [1] can be passed as part
of a URI (CGI scripts will find them as environment variables).

Hope this points you in the right direction at least.

-spc

[1] A bunch are listed here:
    http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
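
Added example (not part of the original message or of the Apache project's documentation): one way to cover both questions in this thread in a single virtual host, checking the certificate CN against a local list with a RewriteMap and forwarding certificate fields to the backend as request headers. It assumes Apache 2.4 with mod_ssl, mod_rewrite, mod_headers, mod_proxy and mod_proxy_http loaded; the host name, file paths, backend address and X-Client-Cert-* header names are hypothetical.

```apache
# Added example; not from the original message.
# Hypothetical names: host name, file paths, backend address and the
# X-Client-Cert-* header names.
<VirtualHost *:443>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Require a client certificate issued by a CA in this file.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  10

    # 1) Local list: a plain-text map, one "key value" pair per line, e.g.
    #        alice   ok
    #        bob     ok
    #    Keys are whitespace-delimited, so this form only suits CNs
    #    without spaces.
    RewriteEngine On
    RewriteMap allowedcn "txt:/etc/apache2/allowed-cn.map"

    # Look up the certificate CN; anything not mapped to "ok" gets a 403.
    RewriteCond "${allowedcn:%{SSL:SSL_CLIENT_S_DN_CN}|deny}" "!=ok"
    RewriteRule "^" "-" [F]

    # 2) Pass certificate fields to the backend as request headers.
    #    "set" overwrites any header of the same name sent by the client,
    #    so the backend only sees values taken from the verified
    #    certificate.
    RequestHeader set X-Client-Cert-CN "%{SSL_CLIENT_S_DN_CN}s"
    RequestHeader set X-Client-Cert-OU "%{SSL_CLIENT_S_DN_OU}s"
    RequestHeader set X-Client-Cert-DN "%{SSL_CLIENT_S_DN}s"

    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
```

The backend can rely on these headers only if it accepts connections from the proxy alone; bind it to localhost or restrict it by firewall so no other client can supply them directly.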