André,

Thank you for the response. I was able to find the messages to help me find what I was looking for. I appreciate the help.

Thank you,
Tim

Timothy F. Gallagher
Senior SAT Engineer
Nuspire Corporation
www.nuspire.com

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Wednesday, February 06, 2013 12:42 PM
To: mod_perl list
Subject: Re: Question on how execution order of Mod_Persl

Timothy Gallagher wrote:
> Hello all,
> I have a question for you that I need some help/guidance on. I am not
> sure if this is a question for Apache, perl or mod_perl; I believe this is
> the correct place to ask. I am building a reverse proxy server that
> authenticates a user via the client SSL certificate that is presented to
> Apache.
>
> When a person connects to https://alpha.dev.home.com/ssl, they are requested
> to present a client SSL cert to the server. Using Mod_Perl, I then get the
> client certificate information and do some internal processing to verify the
> user. If the user is good, I want to then continue the request by acting as a
> reverse proxy server for internal apache servers.
>
> I have all these processes working except not in the correct order. Here is
> the order that the items are happening.
> A user will connect to https://alpha.dev.home.com/ssl. The user is presented
> with a request for a client certificate. When the user presents the
> certificate, they are then allowed access to the backend (private apache web
> server). At the same time, mod_perl is processing their client SSL
> certificate.
>
> Am I able to dictate the order of how a request in apache with
> mod_perl is processed, meaning
>
> 1. Request comes in
>
> 2. Customer needs to present a client SSL certificate
>
> 3. Mod_perl takes the client certificate information and processes the
> information for authentication
>
> 4. Depending on the outcome of the authentication process, allow the
> session to continue or drop the connection.
>
> Here is the code that I am using for testing
> -----[Begin Apache Config]-----
> <VirtualHost alpha.dev.home.com>
>     # Get the required environment
>     PerlRequire /opt/perlEngine/startup.pl
>     # SSL Requirements
>     SSLEngine on
>     SSLProtocol +SSLv3 +TLSv1
>     SSLCertificateFile /opt/certs/server/al...@danati.home.com-cert.pem
>     SSLCertificateKeyFile /opt/certs/server/al...@danati.home.com-key.pem
>     SSLCACertificateFile /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
>     SSLVerifyClient require
>     SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
>
>     <Location /ssl>
>         SetHandler perl-script
>         PerlResponseHandler MyTest::SSLAuth
>         ProxyRequests off
>         ProxyPass /ssl http://10.10.10.100
>         ProxyPassReverse /ssl http://10.10.10.100
>     </Location>
> </VirtualHost>
> -----[End Apache Config]-----
>
>
> -----[Begin MyTest::SSLAuth ]-----
>
> package MyTest::SSLAuth;
> #use Apache2::ModSSL;
> use Apache2::RequestRec ();
> use Apache2::RequestIO ();
> use Digest::SHA qw(sha256_hex);
> use Apache2::Const -compile => qw(OK);
> use Data::Dumper;
>
> sub handler {
>     my $r = shift;
>     $r->content_type('text/plain');
>     my $c = $r->connection;
>     # Client certificate details exported by mod_ssl (SSLOptions +StdEnvVars +ExportCertData)
>     my $cert   = $r->subprocess_env('SSL_CLIENT_CERT');      # PEM-encoded client certificate
>     my $serial = $r->subprocess_env('SSL_CLIENT_M_SERIAL');  # certificate serial number
>     my $dn     = $r->subprocess_env('SSL_CLIENT_S_DN');      # subject DN
>     my $sig    = $r->subprocess_env('SSL_CLIENT_A_SIG');     # signature algorithm
>     if ($sig != 89765479) {
>         # ... DoSomething ...
>     }
>     # The constant compiled by "use Apache2::Const" above is Apache2::Const::OK
>     return Apache2::Const::OK;
> }
> 1;
> -----[End MyTest::SSLAuth ]-----
>
>

Hi.

I believe that you may have the same kind of issue that I was having back in December 2012. Check the archives of this list, for a thread entitled "setHandler question".

Doing authentication and then proxying is a bit tricky. The good news is that it works in the end, so your scheme is possible.