pass on X509 certificate to reverse-proxy backend

on 26.11.2009 22:12:08 by Haroon Rafique

Hi there,

I am running apache 2.2.13 in a reverse-proxy configuration using
mod_proxy. The backend is glassfish running on port 8080 on another host.
Here's the relevant section of the config:

ProxyRequests Off
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1

Order deny,allow
Allow from all


BalancerMember http://haroonxp:8080 route=rxp1


Order allow,deny
Allow from all

ProxyPass /rxp/ balancer://glassfishcluster/rxp/ stickysession=JSESSIONID
ProxyPassReverse /rxp/ balancer://glassfishcluster/rxp/

To require the use of optional X509 client certificates, I added the
following configuration:

SSLVerifyClient optional
SSLVerifyDepth 3
# initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_S_DN ""
RequestHeader set SSL_CLIENT_I_DN ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY ""

Order allow,deny
Allow from all
SSLVerifyClient optional
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
# pass-on to proxied internal web application
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"


Upon request /rxp, I get the prompt for "Choose a certificate to present
as identification". (I have an eToken "smart card" with a cert inside it).
Hitting OK or Cancel at this point takes me to the requested page (since
client cert is optional).

For further processing, I need to give the backend glassfish server the
ability to extract the X509 certificate from the request. Is that
possible? Typically, on the backend you can use (e.g., java) to extract
the certs:

X509Certificate[] certs = (X509Certificate[])
request.getAttribute("javax.servlet.request.X509Certificate");

The problem is that there is no cert in the request (certs is always
null).

I know that the cert is fully functional, since when I use SSLVerifyClient
require apache would only let me through if the correct cert was
presented.

Thanks in advance for your response.

Some version numbers:

../httpd -v
Server version: Apache/2.2.13 (Unix)
Server built: Sep 21 2009 14:18:04

../httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c

Regards,
--
Haroon Rafique



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: pass on X509 certificate to reverse-proxy backend

on 27.11.2009 04:04:45 by Haroon Rafique

On Today at 4:12pm, HR=>Haroon Rafique wrote:

HR> [..snip..]
HR>
HR>
HR> Order allow,deny
HR> Allow from all
HR> SSLVerifyClient optional
HR> SSLVerifyDepth 3
HR> SSLOptions +StdEnvVars +ExportCertData
HR> # pass-on to proxied internal web application
HR> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
HR> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
HR> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
HR> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
HR>

HR>
HR> Upon request /rxp, I get the prompt for "Choose a certificate to present as
HR> identification". (I have an eToken "smart card" with a cert inside it).
HR> Hitting OK or Cancel at this point takes me to the requested page (since
HR> client cert is optional).
HR>
HR> For further processing, I need to give the backend glassfish server the
HR> ability to extract the X509 certificate from the request. Is that possible?
HR> Typically, on the backend you can use (e.g., java) to extract the certs:
HR>
HR> X509Certificate[] certs = (X509Certificate[])
HR> request.getAttribute("javax.servlet.request.X509Certificate");
HR>
HR> The problem is that there is no cert in the request (certs is always null).
HR>

Thought I would post a follow-up. I got a chance to put a break-point in
the backend server and it looks like even though the above code returns
null certs, I do have some information in the request headers (due to the
RequestHeader set .... lines in httpd.conf). So, it won't be a seamless
fit right into the security infrastructure of the backend, but I believe I
can see, e.g., SSL_CLIENT_S_DN, by invoking
request.getHeader("SSL_CLIENT_S_DN");
and that should at least get me started on the right track.

Hope this helps someone. If someone has any other ideas, please keep them
coming.

Cheers,
--
Haroon Rafique
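An added example (not from the original posts) of how the glassfish side could consume the forwarded headers as a servlet Filter using the javax.servlet API. The class name and the attribute name are assumptions; the filter only treats SSL_CLIENT_S_DN as authenticated when SSL_CLIENT_VERIFY is SUCCESS, and it relies on the RequestHeader "set ... ''" lines in httpd.conf to overwrite any copies of these headers a client might send, together with the backend port being reachable only from the proxy.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Reads the client-certificate headers that the Apache front end sets
 * (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN) and exposes the verified subject DN
 * to the application as a request attribute.  Assumption: the only route to
 * this backend is through the proxy, which blanks and re-sets these headers,
 * so the values cannot have been supplied by the browser.
 */
public class ProxyClientCertFilter implements Filter {

    /** Hypothetical attribute name under which the verified DN is published. */
    public static final String VERIFIED_DN_ATTR = "example.verifiedClientDn";

    /** True only when mod_ssl validated the chain and a subject DN is present. */
    static boolean isVerifiedClientCert(String verify, String dn) {
        // mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS when the chain validated;
        // with "SSLVerifyClient optional" it is NONE when no cert was presented.
        return "SUCCESS".equals(verify) && dn != null && !dn.trim().isEmpty();
    }

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String verify = http.getHeader("SSL_CLIENT_VERIFY");
        String dn = http.getHeader("SSL_CLIENT_S_DN");

        if (isVerifiedClientCert(verify, dn)) {
            // Downstream code reads the DN from here instead of the raw header,
            // so the SUCCESS check cannot be bypassed by reading the header directly.
            http.setAttribute(VERIFIED_DN_ATTR, dn.trim());
        }
        chain.doFilter(req, res);
    }
}
```

Servlets that require a certificate can then check for the attribute and return 403 when it is absent, while pages where the certificate is optional simply ignore it.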


