Timothy Gallagher wrote:
Hello all,
I have a question for you that I need some help/guidance on. I am not
sure if this is a question for Apache, perl or mod_perl, but I believe this is the
correct place to ask. I am building a reverse proxy server that authenticates
a user via the client SSL certificate that is presented to Apache.
When a person connects to https://alpha.dev.home.com/ssl, they are requested
to present a client SSL cert to the server. Using mod_perl, I then get the
client certificate information and do some internal processing to verify the
user. If the user is good, I want to then continue the request by acting as a
reverse proxy server for internal Apache servers.
I have all these processes working except not in the correct order. Here is
the order that the items are happening.
A user will connect to https://alpha.dev.home.com/ssl. The user is presented
with a request for a client certificate. When the user presents the
certificate, they are then allowed access to the backend (private apache web
server). At the same time, mod_perl is processing their client SSL certificate.
Am I able to dictate the order in which a request in Apache with
mod_perl is processed, meaning:
1. Request comes in
2. Customer needs to present a client SSL certificate
3. Mod_perl takes the client certificate information and processes the
information for authentication
4. Depending on the outcome of the authentication process, allow the session
to continue or drop the connection.
Here is the code that I am using for testing:
-----[Begin Apache Config]-----
<VirtualHost alpha.dev.home.com>
    # Get the required environment
    PerlRequire /opt/perlEngine/startup.pl
    # SSL Requirements
    SSLEngine on
    SSLProtocol +SSLv3 +TLSv1
    SSLCertificateFile    /opt/certs/server/al...@danati.home.com-cert.pem
    SSLCertificateKeyFile /opt/certs/server/al...@danati.home.com-key.pem
    SSLCACertificateFile  /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
    SSLVerifyClient require
    SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
    # ProxyRequests is only valid in server/virtual-host context, not inside <Location>
    ProxyRequests off
    <Location /ssl>
        SetHandler perl-script
        PerlResponseHandler MyTest::SSLAuth
        # Inside <Location>, ProxyPass and ProxyPassReverse take only the target URL
        ProxyPass http://10.10.10.100
        ProxyPassReverse http://10.10.10.100
    </Location>
</VirtualHost>
-----[End Apache Config]-----
-----[Begin MyTest::SSLAuth ]-----
package MyTest::SSLAuth;
use strict;
use warnings;
#use Apache2::ModSSL;
use Apache2::RequestRec ();
use Apache2::RequestIO ();
use Digest::SHA qw(sha256_hex);
use Apache2::Const -compile => qw(OK);
use Data::Dumper;

sub handler {
    my $r = shift;
    $r->content_type('text/plain');
    my $c = $r->connection;
    # Client certificate details exported by mod_ssl into the subprocess
    # environment (requires SSLOptions +StdEnvVars +ExportCertData)
    my $cert   = $r->subprocess_env('SSL_CLIENT_CERT');
    my $serial = $r->subprocess_env('SSL_CLIENT_M_SERIAL');
    my $dn     = $r->subprocess_env('SSL_CLIENT_S_DN');
    my $sig    = $r->subprocess_env('SSL_CLIENT_A_SIG');
    # The exported values are strings, so compare as strings (and guard against undef)
    if (($sig // '') ne '89765479') {
        # ....DoSomthing ......
    }
    # mod_perl 2 constant; Apache::OK is the mod_perl 1 name
    return Apache2::Const::OK;
}
1;
-----[End MyTest::SSLAuth ]-----
Hi.
I believe that you may have the same kind of issue that I was having back in
December 2012.
Check the archives of this list, for a thread entitled "setHandler question".
Doing authentication and then proxying is a bit tricky.
The good news is that it works in the end, so your scheme is possible.
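One way to get the order the question asks for (certificate check first, proxying second), as an added example that is not code from either poster: do the check in the access-control phase and leave the response phase to mod_proxy, so the two handlers no longer compete for the same request. The module name and the allow-list DNs are assumptions; it relies on the CPAN module Apache2::ModSSL (the one commented out in the original handler) because mod_ssl only exports the SSL_CLIENT_* environment variables in the fixup phase, which runs after access control.

```perl
package MyTest::SSLAccess;
# Added example (not from the thread). Authenticate in the access phase and
# let mod_proxy own the response phase. Apache config for <Location /ssl>,
# replacing SetHandler/PerlResponseHandler:
#     PerlAccessHandler MyTest::SSLAccess
#     ProxyPass         http://10.10.10.100
#     ProxyPassReverse  http://10.10.10.100
# Assumes SSLVerifyClient require at VirtualHost level (as in the thread), so
# the client cert is already verified by the handshake when this phase runs.
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::ModSSL ();            # CPAN module: $c->is_https, $c->ssl_var_lookup
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Constructed allow-list of client certificate subject DNs (hypothetical values).
my %allowed_dn = map { $_ => 1 } (
    '/C=US/O=Example Corp/OU=Dev/CN=alice',
    '/C=US/O=Example Corp/OU=Dev/CN=bob',
);

sub handler {
    my $r = shift;
    my $c = $r->connection;

    # Reject anything that did not arrive over TLS.
    return Apache2::Const::FORBIDDEN unless $c->is_https;

    # SSL_CLIENT_* env vars are not populated yet in this phase (mod_ssl sets
    # them in fixup); ssl_var_lookup reads the same values from the SSL state.
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY') // '';
    my $dn     = $c->ssl_var_lookup('SSL_CLIENT_S_DN')   // '';

    # SSLVerifyClient require already rejects unverified certs during the
    # handshake; checking SSL_CLIENT_VERIFY here is defence in depth.
    unless ($verify eq 'SUCCESS' && $allowed_dn{$dn}) {
        $r->log_error("client cert rejected: verify=$verify dn=$dn");
        return Apache2::Const::FORBIDDEN;   # never reaches mod_proxy
    }

    # Record the identity (shows up as %u in the access log) and hand the
    # request on; mod_proxy's response handler then does the proxying.
    $r->user($dn);
    return Apache2::Const::OK;
}
1;
```

Returning FORBIDDEN from the access phase ends the request with a 403 before any backend connection is opened, which is the "drop the connection" step of the question; returning OK is what lets the ProxyPass directives in the same Location take over.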