Mladen Turk wrote:
> Bill Barker wrote:
>> Mladen's patch to mod_jk is simpler than this one, so I would prefer
>> it to this one. But I have no voting rights on this list :).
>
> Right, I'll prepare something for mod_proxy as well.
> It has been on my TODO list for a long time.

Thank you. As I was saying in my previous message on this list [*], I've
been able to get the full chain of certificates with mod_jk successfully
with Jetty. One of the reasons I wanted to change is that the Jetty team
now recommends using mod_proxy.
In fact, they also suggest using mod_proxy_http rather than mod_proxy_ajp.
For this, I think getting the full chain of certificates would require a
variable in mod_ssl (for example SSL_CLIENT_CERT_CHAIN as it's done
using my patch, or something else and/or a better patch), combined with
a custom header via mod_headers. Of course, this would also require the
reverse proxy to clear such a user-provided request header, if present,
to avoid spoofing. I suppose this could be useful for other containers
behind a reverse proxy, even if they don't support AJP.
Best wishes,
Bruno.
[*]
http://mail-archives.apache.org/mod_mbox/httpd-dev/200810.mbox/[EMAIL PROTECTED]
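
The header-forwarding setup described in the message above, sketched as an Apache configuration (an added example, not part of the original message or of any posted patch). The header names `X-Client-Cert-Chain` and `X-Client-Verify`, the file paths and the backend address are assumptions; `SSL_CLIENT_CERT_CHAIN` is the variable the discussed patch proposes, not a stock mod_ssl variable.

```apache
# Added example. Header names, paths and the backend address are placeholders.
# SSL_CLIENT_CERT_CHAIN is the variable proposed by the patch under discussion.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.pem
    SSLVerifyClient optional
    SSLVerifyDepth 5

    # Weak variant (kept commented out): the header is only overwritten under
    # /secure, so a request to any other path reaches the backend with
    # whatever X-Client-Cert-Chain value the client chose to send.
    # <Location /secure>
    #     RequestHeader set X-Client-Cert-Chain "%{SSL_CLIENT_CERT_CHAIN}s"
    # </Location>

    # Corrected variant: strip the client-supplied headers for every request
    # in this virtual host, then rebuild them from the TLS layer only.
    RequestHeader unset X-Client-Cert-Chain
    RequestHeader unset X-Client-Verify

    # mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason here, which
    # lets the backend ignore the chain header unless verification succeeded.
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-Client-Cert-Chain "%{SSL_CLIENT_CERT_CHAIN}s"

    # Plain HTTP to the container behind the proxy (mod_proxy_http).
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend can trust these headers only if it accepts connections exclusively from the reverse proxy; a directly reachable container port bypasses the stripping entirely.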