SSLProxy* directives (mod_ssl + mod_proxy + mod_headers)
on 17.10.2002 16:23:47 by Maik Mueller
Hello all,
I want to share my latest experiences using mod_ssl + mod_proxy +
mod_headers with you.
We are talking about the following scenario:
Component:   Web Browser --- Proxy (mod_proxy)       --- Web Server
SSL Role:    SSL Client  --- SSL Server | SSL Client --- SSL Server
This works with Apache 1.3 (compiled with SSL_EXPERIMENTAL flag) and with
Apache 2.0.
A pitfall is that mod_proxy reads its private key AND its certificate from
the file referenced by SSLProxyMachineCertificateFile.
There seems to be no possibility to have separate files for private key and
certificate. I personally would prefer adding the option
SSLProxyMachineKeyFile.
Do you agree that that would make configuration easier?
The next problem was how to transfer the Web browser's Client Certificate to
the Web server:
Component:   Web Browser --- Proxy (mod_proxy)       --- Web Server
SSL Role:    SSL Client  --- SSL Server | SSL Client --- SSL Server
             Client Cert --> transfer e.g. as HTTP Header
I tried to solve this problem using mod_headers, but I wasn't successful.
Apache 1.3 mod_headers seems to be unable to expand environment variables.
Apache 2.0 mod_headers can set Headers with variables like this:
Header set OriginalClientCert "%{SSL_CLIENT_CERT}e"
But the Web server receives only the Request Headers set with
RequestHeader... and Apache 2.0 mod_headers seems to be unable to expand
environment variables in Request Headers.
Thus I come to the following conclusion (Correct me if I'm wrong!): There is
no way to transfer the Web browser's Client Certificate to the Web server
using mod_headers.
The Stronghold Web server has an enhanced mod_proxy functionality, as Joe
Orton told me. You can set Headers using the following command:
SSLProxyPassEnv MyHeaderName %{SSL_CLIENT_CERT}
IMHO the best solution for the Apache Web server would be to enhance
mod_proxy with the functionality to set Headers based on environment
variables like Stronghold did.
Have I overlooked something?
Is there an easy way to pass the Web browser's client certificate to the Web
server?
Any feedback welcome.
Regards,
Maik
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
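
The scenario from the post, written out as a reverse-proxy configuration. This is an added example, not part of the original post or of the mod_ssl project; it assumes Apache httpd 2.2 or later, where mod_headers provides the `%{VARNAME}s` specifier for mod_ssl variables, and all host names and file paths are placeholders.

```apache
# Added example. Host names and file paths are placeholders.
<VirtualHost *:443>
    ServerName proxy.example.com

    # Browser side: the proxy is the SSL server and requires a client certificate.
    SSLEngine on
    SSLCertificateFile    /path/to/proxy-server.crt
    SSLCertificateKeyFile /path/to/proxy-server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Backend side: the proxy is the SSL client. This single PEM file carries
    # the private key AND the certificate, as described in the post.
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /path/to/proxy-client-key-and-cert.pem
    SSLProxyCACertificateFile      /path/to/backend-ca.crt
    SSLProxyVerify require

    # "set" replaces any header of the same name sent by the browser, so the
    # backend only ever receives the certificate from the verified handshake.
    RequestHeader set OriginalClientCert "%{SSL_CLIENT_CERT}s"

    ProxyPass        / https://backend.example.com/
    ProxyPassReverse / https://backend.example.com/
</VirtualHost>
```

The backend should trust `OriginalClientCert` only on connections that were authenticated with the proxy's machine certificate, since any other client can send a header of that name.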