Hi there,I am running apache 2.2.13 in a reverse-proxy configuration using mod_proxy. The backend is glassfish running on port 8080 on another host. Here's the relevant section of the config:
ProxyRequests Off SetEnv force-proxy-request-1.0 1 SetEnv proxy-nokeepalive 1 <Proxy *> Order deny,allow Allow from all </Proxy> <Proxy balancer://glassfishcluster> BalancerMember http://haroonxp:8080 route=rxp1 </Proxy> <Location /rxp> Order allow,deny Allow from all </Location> ProxyPass /rxp/ balancer://glassfishcluster/rxp/ stickysession=JSESSIONID ProxyPassReverse /rxp/ balancer://glassfishcluster/rxp/To require the use of optional X509 client certificates, I added the following configuration:
SSLVerifyClient optional SSLVerifyDepth 3 # initialize the special headers to a blank value to avoid http header forgeries RequestHeader set SSL_CLIENT_S_DN "" RequestHeader set SSL_CLIENT_I_DN "" RequestHeader set SSL_SERVER_S_DN_OU "" RequestHeader set SSL_CLIENT_VERIFY "" <Location /rxp> Order allow,deny Allow from all SSLVerifyClient optional SSLVerifyDepth 3 SSLOptions +StdEnvVars +ExportCertData # pass-on to proxied internal web application RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s" RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s" RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s" </Location>Upon request /rxp, I get the prompt for "Choose a certificate to present as identification". (I have a eToken "smart card" with a cert inside it). Hitting OK or Cancel at this point takes me to the requested page (since client cert is optional).
For further processing, I need to give the backend glassfish server the ability to extract the X509 certificate from the request. Is that possible? Typically, on the backend you can use (e.g., java) to extract the certs:
X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
The problem is that there is no cert in the request (certs is always null).
I know that the cert is fully functional, since when I use SSLVerifyClient require apache would only let me through if the correct cert was presented.
Thanks in advance for your response. Some version numbers: ./httpd -v Server version: Apache/2.2.13 (Unix) Server built: Sep 21 2009 14:18:04 ./httpd -l Compiled in modules: core.c prefork.c http_core.c mod_so.c Regards, -- Haroon Rafique <haroon.rafique@xxxxxxxxxxx> --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx