List: apache-modperl
Subject: RE: Question on how execution order of Mod_Persl
From: Timothy Gallagher <timothy.gallagher () nuspire ! com>
Date: 2013-02-14 15:48:01
Message-ID: D7EB9FCB1FC7B14286643FC9581AE9D20C58E960 () DC1EXCHANGE ! nuspire ! net
André,
Thank you for the response, I was able to find the messages to help me find what I was looking for. I appreciate the help.
Thank you,
Tim
Timothy F. Gallagher
Senior SAT Engineer
Nuspire Corporation
www.nuspire.com
-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com]
Sent: Wednesday, February 06, 2013 12:42 PM
To: mod_perl list
Subject: Re: Question on how execution order of Mod_Persl
Timothy Gallagher wrote:
> Hello all,
> I have a question for you that I need some help/guidance on. I am not sure if this is a question for Apache, perl or mod_perl, I believe this is the correct place to ask. I am building a reverse proxy server that authenticates a user via the client SSL certificate that is presented to Apache.
> When a person connects to https://alpha.dev.home.com/ssl, they are requested to present a client SSL cert to the server. Using Mod_Perl, I then get the client certificate information and do some internal processing to verify the user. If the user is good, I want to then continue the request by acting as a reverse proxy server for internal apache servers.
> I have all these processes working except not in the correct order. Here is the order that the items are happening. A user will connect to https://alpha.dev.home.com/ssl. The user is presented with a request for a client certificate. When the user presents the certificate, they are then allowed access to the backend (private apache web server). At the same time, mod_perl is processing their client SSL certificate.
> Am I able to dictate the order in which a request in apache with mod_perl is processed, meaning
> 1. Request comes in
>
> 2. Customer needs to present a client SSL certificate
>
> 3. Mod_perl takes the client certificate information and processes the information for authentication
> 4. Depending on the outcome of the authentication process, allow the session to continue or drop the connection.
> Here is the code that I am using for testing
> -----[Begin Apache Config]-----
> <VirtualHost alpha.dev.home.com>
> # Get the required environment
> PerlRequire /opt/perlEngine/startup.pl
> # SSL Requirements
> SSLEngine on
> SSLProtocol +SSLv3 +TLSv1
> SSLCertificateFile /opt/certs/server/alpha@danati.home.com-cert.pem
> SSLCertificateKeyFile /opt/certs/server/alpha@danati.home.com-key.pem
> SSLCACertificateFile /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
> SSLVerifyClient require
> SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
>
> <Location /ssl>
> SetHandler perl-script
> PerlResponseHandler MyTest::SSLAuth
> ProxyRequests off
> ProxyPass /ssl http://10.10.10.100
> ProxyPassReverse /ssl http://10.10.10.100
> </Location>
> </VirtualHost>
> -----[End Apache Config]-----
>
>
> -----[Begin MyTest::SSLAuth ]-----
>
> package MyTest::SSLAuth;
> #use Apache2::ModSSL;
> use Apache2::RequestRec ();
> use Apache2::RequestIO ();
> use Digest::SHA qw(sha256_hex);
> use Apache2::Const -compile => qw(OK);
> use Data::Dumper;
>
> sub handler {
> my $r = shift;
> $r->content_type('text/plain');
> my $c=$r->connection;
> my $cert = $r->subprocess_env('SSL_CLIENT_CERT');
> my $serial = $r->subprocess_env('SSL_CLIENT_M_SERIAL');
> my $dn = $r->subprocess_env('SSL_CLIENT_S_DN');
> my $sig = $r->subprocess_env('SSL_CLIENT_A_SIG');
> if($sig != 89765479){
> ....DoSomthing ......
> }
> return Apache2::Const::OK;   # was Apache::OK, which is not defined under mod_perl 2
> }
> 1;
> -----[End MyTest::SSLAuth ]-----
>
>
Hi.
I believe that you may have the same kind of issue that I was having back in December 2012. Check the archives of this list, for a thread entitled "setHandler question".
Doing authentication and then proxying is a bit tricky.
The good news is that it works in the end, so your scheme is possible.
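One way to get the ordering the original question asks for (certificate checked first, proxying only on success) is to do the check in an earlier request phase than the response phase, so mod_proxy never runs for a request that fails. The handler below is an added example, not code from either poster: it is a PerlAccessHandler that reads the client certificate data and returns FORBIDDEN or OK, leaving the response phase to ProxyPass. It assumes mod_perl 2 and the CPAN module Apache2::ModSSL (the one commented out in the original code); that module is needed because mod_ssl only exports the SSL_CLIENT_* variables into subprocess_env in its fixup hook, after the access phase, whereas ssl_var_lookup works in any phase. The allow-listed serials, the X-Client-DN header name and the package name are constructed for the example.

```perl
package MyTest::SSLAccess;
# Added example (not the list's or the poster's code): an access-phase handler
# that gates a reverse-proxied location on the client certificate. Wire it in
# instead of SetHandler/PerlResponseHandler, so mod_proxy owns the response:
#
#   <Location /ssl>
#       PerlAccessHandler MyTest::SSLAccess
#       ProxyPass        http://10.10.10.100
#       ProxyPassReverse http://10.10.10.100
#   </Location>
#
# Assumes mod_perl 2 and Apache2::ModSSL from CPAN.
use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log        ();
use APR::Table          ();
use Apache2::ModSSL     ();   # provides $c->is_https and $c->ssl_var_lookup
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Constructed allow-list of certificate serial numbers, in the hex form mod_ssl
# reports as SSL_CLIENT_M_SERIAL. Replace with your own lookup.
my %ALLOWED_SERIAL = map { $_ => 1 } qw(0A1B2C3D 1234ABCD);

sub handler {
    my $r = shift;
    my $c = $r->connection;

    # Refuse anything that did not arrive over TLS at all.
    unless ($c->is_https) {
        $r->log_error("SSLAccess: non-TLS request to protected location");
        return Apache2::Const::FORBIDDEN;
    }

    # subprocess_env is still empty of SSL_* values in this phase, so ask
    # mod_ssl directly. '// ""' copes with an undefined or missing variable.
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY')   // '';
    my $serial = $c->ssl_var_lookup('SSL_CLIENT_M_SERIAL') // '';
    my $dn     = $c->ssl_var_lookup('SSL_CLIENT_S_DN')     // '';

    # SSLVerifyClient require already enforces chain validation in the
    # handshake; re-checking keeps this handler correct if that directive is
    # later relaxed to 'optional'.
    if ($verify ne 'SUCCESS') {
        $r->log_error("SSLAccess: client cert not verified ($verify) dn=$dn");
        return Apache2::Const::FORBIDDEN;
    }

    unless ($ALLOWED_SERIAL{ uc $serial }) {
        $r->log_error("SSLAccess: serial '$serial' not on allow list dn=$dn");
        return Apache2::Const::FORBIDDEN;
    }

    # Record the identity for the access log and hand it to the backend.
    # set() overwrites, so a client-supplied X-Client-DN header cannot leak
    # through to the backend as if it were ours.
    $r->user($dn);
    $r->headers_in->set('X-Client-DN' => $dn);   # hypothetical header name
    $r->log->info("SSLAccess: allowed dn=$dn serial=$serial");

    # OK here lets the request continue to the response phase, where
    # mod_proxy forwards it to http://10.10.10.100.
    return Apache2::Const::OK;
}

1;
```

Because the decision is made in the access phase, a rejected request never reaches the backend, which is the ordering listed as steps 1 to 4 in the original question. If the backend should trust X-Client-DN, make sure only this proxy can reach it, since the header is only as trustworthy as the path it arrived on.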