Hello all,

I have a question that I need some help/guidance on. I am not sure if this is a question for Apache, Perl or mod_perl, but I believe this is the correct place to ask. I am building a reverse proxy server that authenticates a user via the client SSL certificate that is presented to Apache.
When a person connects to https://alpha.dev.home.com/ssl, they are requested to present a client SSL cert to the server. Using mod_perl, I then get the client certificate information and do some internal processing to verify the user. If the user is good, I want to then continue the request by acting as a reverse proxy server for internal Apache servers. I have all these processes working, except not in the correct order.

Here is the order in which the items are happening. A user will connect to https://alpha.dev.home.com/ssl. The user is presented with a request for a client certificate. When the user presents the certificate, they are then allowed access to the backend (private Apache web server). At the same time, mod_perl is processing their client SSL certificate.

Am I able to dictate the order in which a request in Apache with mod_perl is processed, meaning:

1. Request comes in
2. Customer needs to present a client SSL certificate
3. mod_perl takes the client certificate information and processes the information for authentication
4. Depending on the outcome of the authentication process, allow the session to continue or drop the connection.
Here is the code that I am using for testing:

-----[Begin Apache Config]-----
<VirtualHost alpha.dev.home.com>
    # Get the required environment
    PerlRequire /opt/perlEngine/startup.pl

    # SSL Requirements
    SSLEngine on
    SSLProtocol +SSLv3 +TLSv1
    SSLCertificateFile /opt/certs/server/al...@danati.home.com-cert.pem
    SSLCertificateKeyFile /opt/certs/server/al...@danati.home.com-key.pem
    SSLCACertificateFile /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
    SSLVerifyClient require
    SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth

    <Location /ssl>
        SetHandler perl-script
        PerlResponseHandler MyTest::SSLAuth
        ProxyRequests off
        ProxyPass /ssl http://10.10.10.100
        ProxyPassReverse /ssl http://10.10.10.100
    </Location>
</VirtualHost>
-----[End Apache Config]-----

-----[Begin MyTest::SSLAuth ]-----
package MyTest::SSLAuth;

#use Apache2::ModSSL;
use Apache2::RequestRec ();
use Apache2::RequestIO ();
use Digest::SHA qw(sha256_hex);
use Apache2::Const -compile => qw(OK);
use Data::Dumper;

sub handler {
    my $r = shift;
    $r->content_type('text/plain');
    my $c = $r->connection;

    # Client certificate details exported by mod_ssl (SSLOptions +StdEnvVars +ExportCertData)
    my $cert   = $r->subprocess_env('SSL_CLIENT_CERT');
    my $serial = $r->subprocess_env('SSL_CLIENT_M_SERIAL');
    my $dn     = $r->subprocess_env('SSL_CLIENT_S_DN');
    my $sig    = $r->subprocess_env('SSL_CLIENT_A_SIG');

    # SSL_CLIENT_A_SIG is a string, so compare with "ne" rather than "!="
    if ($sig ne '89765479') {
        # ....DoSomthing ......
    }

    # The constant compiled above lives in Apache2::Const, not Apache::
    return Apache2::Const::OK;
}
1;
-----[End MyTest::SSLAuth ]-----

Thank you,
Tim

Timothy F. Gallagher
Senior SAT Engineer
Nuspire Corporation
www.nuspire.com<http://www.nuspire.com>
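One way to get the ordering asked for in steps 1 to 4 above, as an added example that is not part of the original post: run the certificate check in Apache's access phase with a PerlAccessHandler, so that mod_proxy only forwards requests the check has let through and everything else is answered with 403. The package name MyTest::SSLAccess, the allow-list and its values are assumptions, and the sketch assumes the Apache2::ModSSL module (commented out in the posted handler) is installed.

```perl
package MyTest::SSLAccess;    # hypothetical name, not from the original post

use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::ModSSL ();       # adds ssl_var_lookup() to the connection object
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Assumed change inside <Location /ssl>: remove
#   SetHandler perl-script / PerlResponseHandler MyTest::SSLAuth
# and register this module for the access phase instead:
#   PerlAccessHandler MyTest::SSLAccess
# The response phase is then left to mod_proxy (ProxyPass).

# Constructed allow-list keyed on issuer DN + serial, which together
# identify one certificate. The DN string must match the server's format.
my %ALLOWED = (
    '/O=Example/CN=Example Reference CA|0A1B2C' => 'alice',
);

sub handler {
    my $r = shift;
    my $c = $r->connection;

    # Read straight from the TLS session, so the check does not depend on
    # the SSL_* environment variables having been exported yet.
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY')   // '';
    my $issuer = $c->ssl_var_lookup('SSL_CLIENT_I_DN')     // '';
    my $serial = $c->ssl_var_lookup('SSL_CLIENT_M_SERIAL') // '';

    # Fail closed: anything other than a verified, known certificate is
    # refused before the request can reach the backend.
    my $user = $verify eq 'SUCCESS' ? $ALLOWED{"$issuer|$serial"} : undef;
    unless (defined $user) {
        $r->log->warn("client cert rejected: verify=$verify "
                    . "issuer=$issuer serial=$serial");
        return Apache2::Const::FORBIDDEN;
    }

    $r->user($user);          # records the mapped identity in the access log
    return Apache2::Const::OK;    # request continues to the proxy handler
}

1;
```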