pass on X509 certificate to reverse-proxy backend

Hi there,

I am running Apache 2.2.13 in a reverse-proxy configuration using mod_proxy. The backend is GlassFish running on port 8080 on another host. Here's the relevant section of the config:

        ProxyRequests Off
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        <Proxy balancer://glassfishcluster>
            BalancerMember http://haroonxp:8080 route=rxp1
        </Proxy>
        <Location /rxp>
            Order allow,deny
            Allow from all
        </Location>
        ProxyPass /rxp/ balancer://glassfishcluster/rxp/ stickysession=JSESSIONID
        ProxyPassReverse /rxp/ balancer://glassfishcluster/rxp/

To require the use of optional X509 client certificates, I added the following configuration:

        SSLVerifyClient optional
        SSLVerifyDepth 3
        # initialize the special headers to a blank value to avoid http header forgeries
        RequestHeader set SSL_CLIENT_S_DN    ""
        RequestHeader set SSL_CLIENT_I_DN    ""
        RequestHeader set SSL_SERVER_S_DN_OU ""
        RequestHeader set SSL_CLIENT_VERIFY  ""
        <Location /rxp>
            Order allow,deny
            Allow from all
            SSLVerifyClient optional
            SSLVerifyDepth 3
            SSLOptions +StdEnvVars +ExportCertData
            # pass-on to proxied internal web application
            RequestHeader set SSL_CLIENT_S_DN       "%{SSL_CLIENT_S_DN}s"
            RequestHeader set SSL_CLIENT_I_DN       "%{SSL_CLIENT_I_DN}s"
            RequestHeader set SSL_SERVER_S_DN_OU    "%{SSL_SERVER_S_DN_OU}s"
            RequestHeader set SSL_CLIENT_VERIFY     "%{SSL_CLIENT_VERIFY}s"
        </Location>

Upon requesting /rxp, I get the prompt for "Choose a certificate to present as identification". (I have an eToken "smart card" with a cert inside it.) Hitting OK or Cancel at this point takes me to the requested page (since the client cert is optional).

For further processing, I need to give the backend GlassFish server the ability to extract the X509 certificate from the request. Is that possible? Typically, on the backend you can extract the certs (e.g., in Java) with:

X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

The problem is that there is no cert in the request (certs is always null).

I know that the cert is fully functional, since when I use SSLVerifyClient require, Apache would only let me through if the correct cert was presented.

Thanks in advance for your response.

Some version numbers:

./httpd -v
Server version: Apache/2.2.13 (Unix)
Server built:   Sep 21 2009 14:18:04

./httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

Regards,
--
Haroon Rafique
<haroon.rafique@xxxxxxxxxxx>
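Added example, not part of the original post and not code from Apache or GlassFish: because TLS terminates at the Apache proxy, GlassFish never sees the client certificate and the javax.servlet.request.X509Certificate attribute stays null. The proxy has to forward the certificate itself (assumed here: RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" inside the <Location> block, which +ExportCertData makes available) and the backend rebuilds the attribute from that header, honouring it only when the request really arrived from the proxy's address (placeholder value below), since any other client could set the header itself.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Rebuilds javax.servlet.request.X509Certificate from a header set by the reverse proxy. */
public class ProxyClientCertFilter implements Filter {
    private static final String HEADER = "SSL_CLIENT_CERT";   // assumed header name
    private static final String ATTR = "javax.servlet.request.X509Certificate";
    private static final String PROXY_ADDR = "192.0.2.10";    // placeholder: the Apache host's address

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Trust the header only when the request came from the proxy; otherwise ignore it.
        if (PROXY_ADDR.equals(http.getRemoteAddr())) {
            X509Certificate cert = parsePem(http.getHeader(HEADER));
            if (cert != null) {
                http.setAttribute(ATTR, new X509Certificate[] { cert });
            }
        }
        chain.doFilter(req, res);
    }

    /** Parses a PEM certificate whose line breaks the proxy may have turned into spaces. */
    static X509Certificate parsePem(String pem) {
        if (pem == null || pem.trim().isEmpty()) return null;  // no cert presented (optional)
        String b64 = pem.replace("-----BEGIN CERTIFICATE-----", "")
                        .replace("-----END CERTIFICATE-----", "")
                        .replaceAll("\\s+", "");
        try {
            byte[] der = Base64.getDecoder().decode(b64);
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
        } catch (IllegalArgumentException | CertificateException e) {
            return null;  // malformed header: treat as no certificate
        }
    }
}
```

Register the filter for /rxp/* in web.xml; existing code that reads the servlet attribute then works unchanged behind the proxy.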


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.