Can you use the test program at: https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/tests/environ.wsgi <https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/tests/environ.wsgi>
behind your configuration and provide what it responds with back in the browser. Change any values you think may be sensitive. It will be mainly the keys rather than values am interested in. Graham > On 12 Nov 2017, at 1:31 am, O haya <jim...@gmail.com> wrote: > > Hi Graham, > > FYI, I am going to be in-transit to another location in a bit, so I will be > slow to respond probably until tomorrow. > > > On Saturday, November 11, 2017 at 9:21:26 AM UTC-5, O haya wrote: > Hi, > > I already have the SSLOptions +StdEnvVars in the virtualhost and was not > seeing the SSL_ headers. That was why I started trying to add the > RequestHeaders. > > Thanks, > Jim > > On Saturday, November 11, 2017 at 4:05:08 AM UTC-5, Graham Dumpleton wrote: > Why fiddle with RequestHeader and using headers. The directive: > > SSLOptions +StdEnvVars > > should result in them being passed through in the WSGI environ dictionary > already. > > Graham > >> On 11 Nov 2017, at 4:03 pm, O haya <jim...@gmail.com <>> wrote: >> >> Hi, >> >> I built mod_wsgi using Python 3.6.3 and also with Apache 2.2.29. The Apache >> is configured for client-authenticated SSL, and I am trying to configure >> Apache to pass some of the SSL_ variables to a small test Flask application >> and I am having difficulty getting this working. >> >> Here is the VirtualHost: >> >> <VirtualHost *:8443> >> Servername apache.whatever.com <http://apache.whatever.com/> >> . >> . >> . >> >> >> WSGIDaemonProcess webtool user=myuser group=mygroup threads=5 >> home=/apps/flaskapps/helloflask/wsgi-scripts >> WSGIScriptAlias / /apps/flaskapps/helloflask/wsgi-scripts/webtool.wsgi >> >> # From: >> https://stackoverflow.com/questions/20940651/how-to-access-apache-basic-authentication-user-in-flask >> >> <https://stackoverflow.com/questions/20940651/how-to-access-apache-basic-authentication-user-in-flask> >> # WSGIPassAuthorization On >> >> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s" >> RequestHeader set X-SSL-CIPHER2 "%{SSL_CLIENT_I_DN}s" >> RequestHeader set X-SSL-CIPHER3 "%{SSL_CLIENT_CERT}s" >> # RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" >> # RequestHeader add X-SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e" >> # RequestHeader add X-MYSSL_CLIENT_S_DN >> "fffffooooooooooooooooooooooooooooooooooo" >> # RequestHeader set X-SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e" >> # RequestHeader set X-SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e" >> # RequestHeader set X-SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e" >> # RequestHeader set X-SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" >> >> <directory /apps/flaskapps/helloflask/wsgi-scripts> >> WSGIProcessGroup webtool >> >> SSLOptions +StdEnvVars +ExportCertData >> >> WSGIApplicationGroup %{GLOBAL} >> WSGIScriptReloading On >> Order allow,deny >> Allow from all >> </directory> >> >> Note the bunch of RequestHeader directives. >> >> I originally started with only the 1st two: >> >> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >> >> And that worked, i.e., my test Flask app was able to see those headers, and >> dumped out those values. >> >> Then, I added a third one: >> >> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >> RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" >> >> And bounced the Apache and tested, but I still only saw the first two >> headers :(... >> >> I added the others that you see that are commented out, but still only saw >> the first two headers in Flask. >> >> So, just on a whim, I tried copying the 2nd one, but changing the header >> name slightly. >> >> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s" >> >> And when I tested, I saw all 3 headers in Flask. >> >> So I tried changing the name of the third header: >> >> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >> RequestHeader set X-SSL-CIPHER1_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" >> >> And then I saw only the first two headers in Flask. >> >> Change the third header name back to X-SSL-CIPHER1 and tested again, and saw >> 3 headers. >> >> I don't understand why this is happening. It seems like there is something >> "special" about the header name in the RequestHeader that is preventing the >> Apache sending any other header names? >> >> Any ideas why this might be the case? I have worked with Apache for awhile, >> and with RequestHeader in the past, and I don't recall anything like this. >> >> Thanks, >> Jim >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "modwsgi" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to modwsgi+u...@googlegroups.com <>. >> To post to this group, send email to mod...@googlegroups.com <>. >> Visit this group at https://groups.google.com/group/modwsgi >> <https://groups.google.com/group/modwsgi>. >> For more options, visit https://groups.google.com/d/optout >> <https://groups.google.com/d/optout>. > > > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to modwsgi+unsubscr...@googlegroups.com > <mailto:modwsgi+unsubscr...@googlegroups.com>. > To post to this group, send email to modwsgi@googlegroups.com > <mailto:modwsgi@googlegroups.com>. > Visit this group at https://groups.google.com/group/modwsgi > <https://groups.google.com/group/modwsgi>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+unsubscr...@googlegroups.com. To post to this group, send email to modwsgi@googlegroups.com. Visit this group at https://groups.google.com/group/modwsgi. For more options, visit https://groups.google.com/d/optout.
