On Mon, May 07, 2001 at 04:41:22PM +0100, Darko Krizic wrote:
>
> Hello!
>
> I run Apache 1.3.19 with mod_ssl 2.8.2 as reverse proxy. This reverse proxy does the
> SSL part of the web application. On a specific URL the reverse proxy requests a
> client certificate from the browser using this configuration:
>
> <Location /blablabla/>
> SSLVerifyClient require
> SSLVerifyDepth 1
> </Location>
> SSLCACertificateFile /blabla/my.CA.crt
>
> This works fine, but the problem is that the application runs on another web server
> behind the reverse proxy and that the application needs to know/verify the client
> certificate serial number. Therefore somebody (before I started the job here ;-) )
> wrote a patch that imports the client certification information into the HTTP header
> of the incoming request so that mod_proxy forwards this information to the web server.
>
> Stupidly enough, this patch is mod_ssl version dependent, so I am looking for a nicer
> solution. I can imagine that the combination of Apache and mod_ssl as a reverse proxy
> is very popular and many people have demand for forwarding certificate information to
> the application (web server).
>
> So, is there a nicer solution?

I won't exactly call it a nicer solution (since it is my own :), but
something like http://www2.toftum.dk/apache/ should do the trick and
doesn't need to do any patching ... and is so simple that even a
non-programmer should be able to change it to another part of the cert.
What it really needs is a bit of error checking and perhaps making
sure that we are actually running under SSL when doing this (I never
needed that because I don't have plain HTTP access on my SSL servers).
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
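
The forwarding scheme discussed in this thread, sketched as an added example (not the script at the URL above and not the patch the question mentions). It shows the checks the reply says are missing: confirm the request arrived over SSL with a verified certificate, discard any client-supplied copy of the header, and have the backend accept the header only from the proxy. The header name `X-SSL-Client-Serial`, both function names and the sample addresses are assumptions; `HTTPS`, `SSL_CLIENT_VERIFY` and `SSL_CLIENT_M_SERIAL` are mod_ssl's per-request variables.

```python
import re

# Hypothetical header name; the thread does not say which header is used.
SERIAL_HEADER = "X-SSL-Client-Serial"
# Serial as hex digits; 40 digits covers the 20-octet maximum for serials.
SERIAL_RE = re.compile(r"[0-9A-F]{1,40}")


def _is_serial_header(name):
    return name.lower() == SERIAL_HEADER.lower()


def proxy_build_headers(client_headers, ssl_env):
    """Proxy side: return the (name, value) list to forward to the backend.

    ssl_env stands in for mod_ssl's per-request variables.
    """
    # Always drop whatever the browser sent under this name, in any case.
    out = [(k, v) for k, v in client_headers if not _is_serial_header(k)]
    # Only assert a serial when SSL is in use and verification succeeded.
    if ssl_env.get("HTTPS") != "on":
        return out
    if ssl_env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return out
    serial = ssl_env.get("SSL_CLIENT_M_SERIAL", "").upper()
    if SERIAL_RE.fullmatch(serial):
        out.append((SERIAL_HEADER, serial))
    return out


def backend_client_serial(headers, peer_ip, trusted_proxies):
    """Backend side: return the forwarded serial, or None if untrustworthy."""
    # The header means nothing unless the connection comes from the proxy.
    if peer_ip not in trusted_proxies:
        return None
    values = [v for k, v in headers if _is_serial_header(k)]
    # Exactly one well-formed value; duplicates indicate smuggling or a bug.
    if len(values) != 1 or not SERIAL_RE.fullmatch(values[0]):
        return None
    return values[0]
```
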