Hi, Using your environ.wsgi, if I have:
RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s" RequestHeader set X-SSL-CIPHER2 "%{SSL_CLIENT_I_DN}s" RequestHeader set X-SSL-CIPHER3 "%{SSL_CLIENT_CERT}s" The headers with "X_SSL_" I get are: HTTP_X_SSL_CIPHER: HTTP_X_SSL_CIPHER1: HTTP_X_SSL_CIPHER2: HTTP_X_SSL_CIPHER3: [Notice the header names have underscores whereas the header name I had in the httpd-vhosts.conf had dashes ("-"). If I have: RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" RequestHeader set X-SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s" The only headers with "X_SSL_" I get are: HTTP_X_SSL_CIPHER: HTTP_X_SSL_PROTOCOL: Here is the full output: PID: 5271 UID: 502 GID: 500 CWD: /apps/flaskapps/helloflask/wsgi-scripts STDOUT: <stdout> STDERR: <stderr> ERRORS: <wsgi.errors> python.version: '3.6.3 (default, Nov 9 2017, 19:17:20) \n[GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]' python.prefix: '/apps/python-3.6.3' python.path: ['/apps/flaskapps/helloflask/wsgi-scripts', '/apps/python-3.6.3/lib/python36.zip', '/apps/python-3.6.3/lib/python3.6', '/apps/python-3.6.3/lib/python3.6/lib-dynload', '/apps/python-3.6.3/lib/python3.6/site-packages', '/apps/python-3.6.3/lib/python3.6/site-packages/mod_wsgi-4.5.20-py3.6-linux-x86_64.egg'] apache.version: (2, 2, 29) mod_wsgi.version: (4, 5, 20) mod_wsgi.process_group: webtool mod_wsgi.application_group: mod_wsgi.maximum_processes: 1 mod_wsgi.threads_per_process: 5 mod_wsgi.process_metrics: {'pid': 5271, 'request_count': 0, 'request_busy_time': 0.006062, 'memory_max_rss': 10698752, 'memory_rss': 10702848, 'cpu_user_time': 0.019999999552965164, 'cpu_system_time': 0.0, 'restart_time': 1510648086.068054, 'current_time': 1510648090.617293, 'running_time': 4, 'request_threads': 1, 'active_requests': 1, 'threads': [{'thread_id': 1, 'request_count': 1}]} mod_wsgi.server_metrics: None apache.description: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips DAV/2 mod_wsgi/4.5.20 Python/3.6 apache.build_date: Nov 9 2017 19:12:16 apache.mpm_name: Prefork apache.maximum_processes: 256 apache.threads_per_process: 1 PATH: ['/apps/flaskapps/helloflask/wsgi-scripts', '/apps/python-3.6.3/lib/python36.zip', '/apps/python-3.6.3/lib/python3.6', '/apps/python-3.6.3/lib/python3.6/lib-dynload', '/apps/python-3.6.3/lib/python3.6/site-packages', '/apps/python-3.6.3/lib/python3.6/site-packages/mod_wsgi-4.5.20-py3.6-linux-x86_64.egg'] LANG: en_US.UTF-8 LC_ALL: None sys.getdefaultencoding(): utf-8 sys.getfilesystemencoding(): utf-8 locale.getlocale(): ('en_US', 'UTF-8') locale.getdefaultlocale(): ('en_US', 'UTF-8') locale.getpreferredencoding(): UTF-8 DOCUMENT_ROOT: '/apps/httpd-2.2.29/htdocs' GATEWAY_INTERFACE: 'CGI/1.1' HTTP_ACCEPT: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' HTTP_ACCEPT_ENCODING: 'gzip, deflate, br' HTTP_ACCEPT_LANGUAGE: 'en-US,en;q=0.5' HTTP_CACHE_CONTROL: 'max-age=0' HTTP_CONNECTION: 'keep-alive' HTTP_HOST: 'apache3.whatever.com:8443' HTTP_UPGRADE_INSECURE_REQUESTS: '1' HTTP_USER_AGENT: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0' HTTP_X_SSL_CIPHER: 'ECDHE-RSA-AES128-GCM-SHA256' HTTP_X_SSL_PROTOCOL: 'TLSv1.2' PATH_INFO: '/' PATH_TRANSLATED: '/apps/flaskapps/helloflask/wsgi-scripts/environ.wsgi/' QUERY_STRING: '' REMOTE_ADDR: '192.168.2.51' REMOTE_PORT: '57238' REQUEST_METHOD: 'GET' REQUEST_URI: '/' SCRIPT_FILENAME: '/apps/flaskapps/helloflask/wsgi-scripts/environ.wsgi' SCRIPT_NAME: '' SERVER_ADDR: '192.168.2.144' SERVER_ADMIN: 'y...@example.com' SERVER_NAME: 'apache3.whatever.com' SERVER_PORT: '8443' SERVER_PROTOCOL: 'HTTP/1.1' SERVER_SIGNATURE: '' SERVER_SOFTWARE: 'Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips DAV/2 mod_wsgi/4.5.20 Python/3.6' SSL_CIPHER: 'ECDHE-RSA-AES128-GCM-SHA256' SSL_CIPHER_ALGKEYSIZE: '128' SSL_CIPHER_EXPORT: 'false' SSL_CIPHER_USEKEYSIZE: '128' SSL_CLIENT_A_KEY: 'rsaEncryption' SSL_CLIENT_A_SIG: 'sha256WithRSAEncryption' SSL_CLIENT_CERT: '-----BEGIN CERTIFICATE-----\nMIIDZDCCAkygAwIBAgIGAV+ovfDtMA0GCSqGSIb3DQEBCwUAMEkxCzAJBgNVBAYT\. . . \nbcfp/R/I7A6sAVlIS9BLgCU0ULqCKy91pwVyaUJpfaPg0LXcCKmJ5+u7NgZqa2KX\nEEbdXVjfG5yempsOqaiF7/RKZwfxM1+q2PBysUGIVts6NCGFHEsmAEOH6nTapwLf\nBUoizHvJXzA=\n-----END CERTIFICATE-----\n' SSL_CLIENT_I_DN: '/C=US/O=simplecao/OU=simplecaou/CN=simpleca' SSL_CLIENT_I_DN_C: 'US' SSL_CLIENT_I_DN_CN: 'simpleca' SSL_CLIENT_I_DN_O: 'simplecao' SSL_CLIENT_I_DN_OU: 'simplecaou' SSL_CLIENT_M_SERIAL: '015FA8BDF0ED' SSL_CLIENT_M_VERSION: '3' SSL_CLIENT_S_DN: '/C=US/CN=XXXXXX' SSL_CLIENT_S_DN_C: 'US' SSL_CLIENT_S_DN_CN: 'XXXXXX' SSL_CLIENT_VERIFY: 'SUCCESS' SSL_CLIENT_V_END: 'May 4 01:42:21 2023 GMT' SSL_CLIENT_V_REMAIN: '1997' SSL_CLIENT_V_START: 'Nov 11 01:42:21 2017 GMT' SSL_COMPRESS_METHOD: 'NULL' SSL_PROTOCOL: 'TLSv1.2' SSL_SECURE_RENEG: 'true' SSL_SERVER_A_KEY: 'rsaEncryption' SSL_SERVER_A_SIG: 'sha256WithRSAEncryption' SSL_SERVER_CERT: '-----BEGIN CERTIFICATE-----\nMIIDijCCAnKgAwIBAgIGAV+opXRrMA0GCSqGSIb3DQEBCwUAMEkxCzAJBgNVBAYT. . . . \nwaGkjK2v4bAib8jakrudJfWBdFURfYbiYMzYw8pj5NHuJ8sl25V1n09bLv1aTw==\n-----END CERTIFICATE-----\n' SSL_SERVER_I_DN: '/C=US/O=simplecao/OU=simplecaou/CN=simpleca' SSL_SERVER_I_DN_C: 'US' SSL_SERVER_I_DN_CN: 'simpleca' SSL_SERVER_I_DN_O: 'simplecao' SSL_SERVER_I_DN_OU: 'simplecaou' SSL_SERVER_M_SERIAL: '015FA8A5746B' SSL_SERVER_M_VERSION: '3' SSL_SERVER_S_DN: '/C=US/CN=apache2.whatever.com' SSL_SERVER_S_DN_C: 'US' SSL_SERVER_S_DN_CN: 'apache2.whatever.com' SSL_SERVER_V_END: 'May 24 01:15:38 2021 GMT' SSL_SERVER_V_START: 'Nov 11 01:15:36 2017 GMT' SSL_TLS_SNI: 'apache3.whatever.com' SSL_VERSION_INTERFACE: 'mod_ssl/2.2.29' SSL_VERSION_LIBRARY: 'OpenSSL/1.0.1e-fips' UNIQUE_ID: 'WgqpGsCoApAAABSaB4AAAAAC' apache.version: (2, 2, 29) mod_wsgi.application_group: '' mod_wsgi.callable_object: 'application' mod_wsgi.daemon_connects: '1' mod_wsgi.daemon_restarts: '0' mod_wsgi.daemon_start: '1510648090610672' mod_wsgi.enable_sendfile: '0' mod_wsgi.handler_script: '' mod_wsgi.ignore_activity: '0' mod_wsgi.listener_host: '' mod_wsgi.listener_port: '8443' mod_wsgi.path_info: '/' mod_wsgi.process_group: 'webtool' mod_wsgi.queue_start: '1510648090610136' mod_wsgi.request_handler: 'wsgi-script' mod_wsgi.request_start: '1510648090609673' mod_wsgi.script_name: '' mod_wsgi.script_reloading: '1' mod_wsgi.script_start: '1510648090616973' mod_wsgi.thread_id: 1 mod_wsgi.thread_requests: 0 mod_wsgi.total_requests: 0 mod_wsgi.version: (4, 5, 20) wsgi.errors: <_io.TextIOWrapper name='<wsgi.errors>' encoding='utf-8'> wsgi.file_wrapper: <class 'mod_wsgi.FileWrapper'> wsgi.input: <mod_wsgi.Input object at 0x7f18c377cab0> wsgi.multiprocess: False wsgi.multithread: True wsgi.run_once: False wsgi.url_scheme: 'https' wsgi.version: (1, 0) CVS_RSH: 'ssh' G_BROKEN_FILENAMES: '1' HISTCONTROL: 'ignoredups' HISTSIZE: '1000' HOME: '/home/oracle' HOSTNAME: 'apache3.whatever.com' LANG: 'en_US.UTF-8' LD_LIBRARY_PATH: '/apps/httpd-2.2.29/lib' LESSOPEN: '||/usr/bin/lesspipe.sh %s' LOGNAME: 'oracle' LS_COLORS: 'rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:' MAIL: '/var/spool/mail/oracle' PATH: '/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/oracle/bin' PWD: '/apps/flaskapps/helloflask/wsgi-scripts' QTDIR: '/usr/lib64/qt-3.3' QTINC: '/usr/lib64/qt-3.3/include' QTLIB: '/usr/lib64/qt-3.3/lib' SHELL: '/bin/bash' SHLVL: '2' SSH_ASKPASS: '/usr/libexec/openssh/gnome-ssh-askpass' TERM: 'xterm' USER: 'oracle' _: '/apps/httpd-2.2.29/bin/httpd' So it seems like mod_wsgi is passing the default headers but my app/code wasn't retrieving them correctly in my Flask app, but I am still not clear why the RequestHeaders directives don't seem to be working correctly in all cases? On Saturday, November 11, 2017 at 3:39:40 PM UTC-5, Graham Dumpleton wrote: > > Can you use the test program at: > > https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/tests/environ.wsgi > > behind your configuration and provide what it responds with back in the > browser. > > Change any values you think may be sensitive. It will be mainly the keys > rather than values am interested in. > > Graham > > On 12 Nov 2017, at 1:31 am, O haya <jim...@gmail.com <javascript:>> wrote: > > Hi Graham, > > FYI, I am going to be in-transit to another location in a bit, so I will > be slow to respond probably until tomorrow. > > > On Saturday, November 11, 2017 at 9:21:26 AM UTC-5, O haya wrote: >> >> Hi, >> >> I already have the SSLOptions +StdEnvVars in the virtualhost and was not >> seeing the SSL_ headers. That was why I started trying to add the >> RequestHeaders. >> >> Thanks, >> Jim >> >> On Saturday, November 11, 2017 at 4:05:08 AM UTC-5, Graham Dumpleton >> wrote: >>> >>> Why fiddle with RequestHeader and using headers. The directive: >>> >>> SSLOptions +StdEnvVars >>> >>> should result in them being passed through in the WSGI environ >>> dictionary already. >>> >>> Graham >>> >>> >>> On 11 Nov 2017, at 4:03 pm, O haya <jim...@gmail.com> wrote: >>> >>> Hi, >>> >>> I built mod_wsgi using Python 3.6.3 and also with Apache 2.2.29. The >>> Apache is configured for client-authenticated SSL, and I am trying to >>> configure Apache to pass some of the SSL_ variables to a small test Flask >>> application and I am having difficulty getting this working. >>> >>> Here is the VirtualHost: >>> >>> <VirtualHost *:8443> >>> Servername apache.whatever.com >>> . >>> . >>> . >>> >>> >>> WSGIDaemonProcess webtool user=myuser group=mygroup threads=5 >>> home=/apps/flaskapps/helloflask/wsgi-scripts >>> WSGIScriptAlias / >>> /apps/flaskapps/helloflask/wsgi-scripts/webtool.wsgi >>> >>> # From: >>> https://stackoverflow.com/questions/20940651/how-to-access-apache-basic-authentication-user-in-flask >>> # WSGIPassAuthorization On >>> >>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >>> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s" >>> RequestHeader set X-SSL-CIPHER2 "%{SSL_CLIENT_I_DN}s" >>> RequestHeader set X-SSL-CIPHER3 "%{SSL_CLIENT_CERT}s" >>> # RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" >>> # RequestHeader add X-SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e" >>> # RequestHeader add X-MYSSL_CLIENT_S_DN >>> "fffffooooooooooooooooooooooooooooooooooo" >>> # RequestHeader set X-SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e" >>> # RequestHeader set X-SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e" >>> # RequestHeader set X-SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e" >>> # RequestHeader set X-SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" >>> >>> <directory /apps/flaskapps/helloflask/wsgi-scripts> >>> WSGIProcessGroup webtool >>> >>> SSLOptions +StdEnvVars +ExportCertData >>> >>> WSGIApplicationGroup %{GLOBAL} >>> WSGIScriptReloading On >>> Order allow,deny >>> Allow from all >>> </directory> >>> >>> Note the bunch of RequestHeader directives. >>> >>> I originally started with only the 1st two: >>> >>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >>> >>> And that worked, i.e., my test Flask app was able to see those headers, >>> and dumped out those values. >>> >>> Then, I added a third one: >>> >>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >>> RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" >>> >>> And bounced the Apache and tested, but I still only saw the first two >>> headers :(... >>> >>> I added the others that you see that are commented out, but still only >>> saw the first two headers in Flask. >>> >>> So, just on a whim, I tried copying the 2nd one, but changing the header >>> name slightly. >>> >>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >>> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s" >>> >>> And when I tested, I saw all 3 headers in Flask. >>> >>> So I tried changing the name of the third header: >>> >>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s" >>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s" >>> RequestHeader set X-SSL-CIPHER1_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s" >>> >>> And then I saw only the first two headers in Flask. >>> >>> Change the third header name back to X-SSL-CIPHER1 and tested again, and >>> saw 3 headers. >>> >>> I don't understand why this is happening. It seems like there is >>> something "special" about the header name in the RequestHeader that is >>> preventing the Apache sending any other header names? >>> >>> Any ideas why this might be the case? I have worked with Apache for >>> awhile, and with RequestHeader in the past, and I don't recall anything >>> like this. >>> >>> Thanks, >>> Jim >>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "modwsgi" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to modwsgi+u...@googlegroups.com. >>> To post to this group, send email to mod...@googlegroups.com. >>> Visit this group at https://groups.google.com/group/modwsgi. >>> For more options, visit https://groups.google.com/d/optout. >>> >>> >>> > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to modwsgi+u...@googlegroups.com <javascript:>. > To post to this group, send email to mod...@googlegroups.com <javascript:> > . > Visit this group at https://groups.google.com/group/modwsgi. > For more options, visit https://groups.google.com/d/optout. > > > -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+unsubscr...@googlegroups.com. To post to this group, send email to modwsgi@googlegroups.com. Visit this group at https://groups.google.com/group/modwsgi. For more options, visit https://groups.google.com/d/optout.