On Wed, Feb 15, 2017 at 12:46 PM, Daniel Gruno <humbed...@apache.org> wrote:

> On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
> > Hi,
> > I have a requirement to check incoming requests, something that would be
> > succinctly expressed this way:
> >
> > <Location />
> >     Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > </Location>
> >
> > This would check that the request IP address is among the IP addresses
> > in the client certificate.
> >
> > Unfortunately, this doesn't work:
> > 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
> > mod_nss, which exports it
> > 2. The expression evaluation engine doesn't know how to evaluate this
> > kind of expression
> > 3. I've tried using mod_lua for the expression, but it can't access this
> > kind of environment variables (and the SSL specific only if exposed by
> > mod_ssl, not other modules, like mod_nss)
>
> Have you tried using a rewriterule hack to pass the var?
> RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]
>
> that would expose it in mod_lua as r.subprocess_env['sanip'], provided
> mod_nss actually exposes it.
>

Good idea, it... almost works (btw, I'm also discussing this topic on the
mod_nss list):

I did a quick index.php with a phpinfo() inside it, and this is what I get for
the variables:

_SERVER["SSL_CLIENT_SAN_IPaddr_0"]=127.0.0.1
_SERVER["SSL_CLIENT_SAN_IPaddr_1"]=::1
_SERVER["SSL_CLIENT_SAN_IPaddr_2"]=159.107.78.116
_SERVER["SSL_CLIENT_SAN_IPaddr_3"]=fe80::6d03:4ce1:c15f:5a44
_SERVER["SSL_CLIENT_SAN_Email_0"]=<redacted>
_SERVER["SSL_CLIENT_SAN_Email_1"]=<redacted>

So they are present.

But this still only works for emails, not IPs:
RewriteRule .* - [E=san_email:%{SSL:SSL_CLIENT_SAN_Email_0}]
RewriteRule .* - [E=san_ip:%{SSL:SSL_CLIENT_SAN_IPaddr_0}]

And the Lua part:
r:emerg("san_ip: " .. (r.subprocess_env['san_ip'] or "N/A"));
r:emerg("san_email: " .. (r.subprocess_env['san_email'] or "N/A"));

With the associated log:
[Wed Feb 15 18:54:10.357313 2017] [lua:emerg] [pid 19109] [client 159.107.78.116:63474] san_ip:
[Wed Feb 15 18:54:10.357504 2017] [lua:emerg] [pid 19109] [client 159.107.78.116:63474] san_email: <redacted>

Just an empty string for san_ip :-(

I don't know what else to do to debug this and understand why the IP
doesn't get there.


>
> >
> > I have run out of ideas on what to try.
> >
> > Please help.
> >
> > Thank you.
>
>
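The check the thread is after, written as an added mod_lua example rather than anything posted in the thread or shipped with httpd, mod_nss or mod_lua: a fixups hook that reads the SSL_CLIENT_SAN_IPaddr_0, SSL_CLIENT_SAN_IPaddr_1, ... variables straight from r.subprocess_env (where the phpinfo() output above shows mod_nss puts them) and refuses the request unless the TLS peer address is one of them. It goes beyond plain string equality because the same address has several textual forms (::1 versus 0:0:0:0:0:0:0:1, upper- versus lower-case hex, a fe80:: address with a %zone suffix, an IPv4-mapped ::ffff:127.0.0.1), so both sides are canonicalised first. The hook name, the file path in the LuaHookFixups line, the contiguous numbering from 0, the assumption that the variables are already populated when the hook runs, and the assumption that there is no reverse proxy in front (so r.useragent_ip is the address that completed the TLS handshake) are all mine, not the thread's.

```lua
-- Added example (not from the thread): reject a request unless the TLS peer
-- address is one of the client certificate's SAN IPaddr entries, which mod_nss
-- exports as SSL_CLIENT_SAN_IPaddr_0, SSL_CLIENT_SAN_IPaddr_1, ...
-- Assumptions: the variables are already in r.subprocess_env when this hook
-- runs, they are numbered contiguously from 0, and no reverse proxy sits in
-- front, so r.useragent_ip is the address that completed the TLS handshake.
--
-- Assumed wiring in httpd.conf:
--   LuaHookFixups /etc/httpd/lua/san_ip_check.lua check_san_ip

-- Canonicalise an address so textual variants compare equal: strip a zone id
-- (fe80::1%eth0), lower-case hex, expand "::", drop leading zeros in every
-- group and unwrap an IPv4-mapped ::ffff:a.b.c.d.  Returns nil if unparsable.
local function canon_ip(s)
  if type(s) ~= "string" then return nil end
  s = s:gsub("%%.*$", ""):lower()
  if not s:find(":", 1, true) then
    -- IPv4: exactly four decimal octets, each <= 255, leading zeros dropped
    local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not a then return nil end
    local octets = { tonumber(a), tonumber(b), tonumber(c), tonumber(d) }
    for _, o in ipairs(octets) do
      if o > 255 then return nil end
    end
    return table.concat(octets, ".")
  end
  -- IPv4-mapped IPv6: compare as the embedded IPv4 address
  local v4 = s:match("^::ffff:(%d+%.%d+%.%d+%.%d+)$")
  if v4 then return canon_ip(v4) end
  -- IPv6: expand "::" to the missing zero groups, then normalise each group
  local groups = {}
  local head, tail = s:match("^(.-)::(.-)$")
  if head then
    local lhs, rhs = {}, {}
    for g in head:gmatch("[^:]+") do lhs[#lhs + 1] = g end
    for g in tail:gmatch("[^:]+") do rhs[#rhs + 1] = g end
    local fill = 8 - #lhs - #rhs
    if fill < 1 then return nil end
    for _, g in ipairs(lhs) do groups[#groups + 1] = g end
    for _ = 1, fill do groups[#groups + 1] = "0" end
    for _, g in ipairs(rhs) do groups[#groups + 1] = g end
  else
    for g in s:gmatch("[^:]+") do groups[#groups + 1] = g end
  end
  if #groups ~= 8 then return nil end
  for i, g in ipairs(groups) do
    if not g:match("^%x%x?%x?%x?$") then return nil end
    groups[i] = g:gsub("^0+(%x)", "%1")
  end
  return table.concat(groups, ":")
end

-- True if client_ip canonically equals one of the SSL_CLIENT_SAN_IPaddr_<n>
-- values in env (env is r.subprocess_env inside httpd, a plain table in tests).
local function ip_in_san(client_ip, env)
  local want = canon_ip(client_ip)
  if not want then return false end
  local n = 0
  while true do
    local san = env["SSL_CLIENT_SAN_IPaddr_" .. n]
    if not san then return false end
    if canon_ip(san) == want then return true end
    n = n + 1
  end
end

-- The hook itself: let the request continue, or abort it with 403.
function check_san_ip(r)
  local peer = r.useragent_ip
  if ip_in_san(peer, r.subprocess_env) then
    return apache2.DECLINED
  end
  r:warn(("peer %s is not in the client certificate's SAN IP list"):format(tostring(peer)))
  return 403
end

-- Stand-alone sanity check with constructed values modelled on the thread's
-- phpinfo() output; runs only outside httpd, where the apache2 table is absent.
if not apache2 then
  local env = {
    SSL_CLIENT_SAN_IPaddr_0 = "127.0.0.1",
    SSL_CLIENT_SAN_IPaddr_1 = "::1",
    SSL_CLIENT_SAN_IPaddr_2 = "159.107.78.116",
    SSL_CLIENT_SAN_IPaddr_3 = "fe80::6d03:4ce1:c15f:5a44",
  }
  assert(ip_in_san("159.107.78.116", env))
  assert(ip_in_san("0:0:0:0:0:0:0:1", env))
  assert(ip_in_san("FE80::6D03:4CE1:C15F:5A44%eth0", env))
  assert(ip_in_san("::ffff:127.0.0.1", env))
  assert(not ip_in_san("10.0.0.1", env))
  assert(not ip_in_san("159.107.78.116 ", env))
  print("san ip check: ok")
end
```

Two caveats on where to hang this. It is written as a fixups hook on purpose: mod_ssl exports its StdEnvVars into r->subprocess_env in the fixup phase, which runs after authorization, so a LuaAuthzProvider that reads r.subprocess_env may well see nothing at the point a Require line is evaluated; whether mod_nss behaves the same way is worth confirming on the mod_nss list before moving the check earlier. And the comparison is only meaningful against the real TCP peer: r.useragent_ip is correct when httpd terminates TLS itself, but behind a proxy it reports the proxy, and a client-supplied X-Forwarded-For must never be substituted for it here, since the whole point is to bind the certificate to the address that actually completed the handshake.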
