
List:       apache-modperl
Subject:    RE: Question on how execution order of Mod_Persl
From:       Timothy Gallagher <timothy.gallagher () nuspire ! com>
Date:       2013-02-14 15:48:01
Message-ID: D7EB9FCB1FC7B14286643FC9581AE9D20C58E960 () DC1EXCHANGE ! nuspire ! net

André,
Thank you for the response; I was able to find the messages that helped me find what I was looking for. I appreciate the help.

Thank you,
Tim

Timothy F. Gallagher
Senior SAT Engineer
Nuspire Corporation
www.nuspire.com


-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Wednesday, February 06, 2013 12:42 PM
To: mod_perl list
Subject: Re: Question on how execution order of Mod_Persl

Timothy Gallagher wrote:
> Hello all,
> I have a question for you that I need some help/guidance on. I am not sure if this is a question for Apache, Perl or mod_perl; I believe this is the correct place to ask. I am building a reverse proxy server that authenticates a user via the client SSL certificate that is presented to Apache.
> When a person connects to https://alpha.dev.home.com/ssl, they are requested to present a client SSL cert to the server. Using mod_perl, I then get the client certificate information and do some internal processing to verify the user. If the user is good, I want to then continue the request by acting as a reverse proxy server for internal Apache servers.
> I have all these processes working, except not in the correct order. Here is the order in which the items are happening. A user will connect to https://alpha.dev.home.com/ssl. The user is presented with a request for a client certificate. When the user presents the certificate, they are then allowed access to the backend (private Apache web server). At the same time, mod_perl is processing their client SSL certificate.
> Am I able to dictate the order in which a request is processed in Apache with mod_perl, meaning:
> 1. Request comes in
> 2. Customer needs to present a client SSL certificate
> 3. mod_perl takes the client certificate information and processes the information for authentication
> 4. Depending on the outcome of the authentication process, allow the session to continue or drop the connection.
> Here is the code that I am using for testing
> -----[Begin Apache Config]-----
> <VirtualHost alpha.dev.home.com>
> # Get the required environment
> PerlRequire /opt/perlEngine/startup.pl
> # SSL requirements
> SSLEngine on
> # Note: SSLv3 has since been deprecated (RFC 7568)
> SSLProtocol +SSLv3 +TLSv1
> SSLCertificateFile /opt/certs/server/alpha@danati.home.com-cert.pem
> SSLCertificateKeyFile /opt/certs/server/alpha@danati.home.com-key.pem
> SSLCACertificateFile /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
> # At vhost level the client cert is demanded and verified during the
> # TLS handshake, before any request-phase handler runs
> SSLVerifyClient require
> SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
> # ProxyRequests is only valid in server/vhost context, not inside <Location>
> ProxyRequests off
>
> <Location /ssl>
> # This Location asks both mod_perl (PerlResponseHandler) and mod_proxy
> # (ProxyPass) to produce the response for the same request
> SetHandler perl-script
> PerlResponseHandler MyTest::SSLAuth
> # Inside <Location> the path argument is omitted; it comes from the Location
> ProxyPass http://10.10.10.100
> ProxyPassReverse http://10.10.10.100
> </Location>
> </VirtualHost>
> -----[End Apache Config]-----
> 
> 
> -----[Begin MyTest::SSLAuth ]-----
>
> package MyTest::SSLAuth;
> use strict;
> use warnings;
> #use Apache2::ModSSL;
> use Apache2::RequestRec ();    # $r->connection, $r->subprocess_env, $r->content_type
> use Apache2::RequestIO ();
> use Digest::SHA qw(sha256_hex);
> use Apache2::Const -compile => qw(OK);
> use Data::Dumper;
>
> sub handler {
>     my $r = shift;
>     $r->content_type('text/plain');
>     my $c = $r->connection;
>     # The SSL_* variables are copied into subprocess_env by mod_ssl's fixup
>     # hook, so they are available here in the response phase
>     my $cert   = $r->subprocess_env('SSL_CLIENT_CERT');
>     my $serial = $r->subprocess_env('SSL_CLIENT_M_SERIAL');
>     my $dn     = $r->subprocess_env('SSL_CLIENT_S_DN');
>     my $sig    = $r->subprocess_env('SSL_CLIENT_A_SIG');
>     # SSL_CLIENT_A_SIG is the certificate's signature algorithm name, a string,
>     # so compare it with 'ne'; '!=' would compare it numerically
>     if ($sig ne '89765479') {
>         # ....DoSomthing ......
>     }
>     # Apache::OK does not exist under mod_perl 2; the compiled constant is Apache2::Const::OK
>     return Apache2::Const::OK;
> }
> 1;
> -----[End MyTest::SSLAuth ]-----
> 
> 
Hi.
I believe that you may have the same kind of issue that I was having back in December 2012. Check the archives of this list for a thread entitled "setHandler question".
Doing authentication and then proxying is a bit tricky.
The good news is that it works in the end, so your scheme is possible.
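Added example (my own code, not the poster's MyTest::SSLAuth and not taken from the "setHandler question" thread): the ordering asked for in the original question, with the certificate check moved out of the response phase. A <Location> that carries both a PerlResponseHandler and a ProxyPass asks two modules to produce the same response; a PerlAccessHandler instead runs after the TLS handshake (so SSLVerifyClient has already validated the chain against the CA file) and before mod_proxy, and returning FORBIDDEN from it stops the request before anything is proxied. Two caveats it deals with: mod_ssl only fills $r->subprocess_env('SSL_*') in its fixup hook, which runs after the access phase, so the values are read with Apache2::ModSSL's $c->ssl_var_lookup() (the module the original post has commented out); and SSLVerifyClient stays at vhost level so the client certificate is demanded during the handshake rather than by a per-location renegotiation. The module name MyTest::SSLAccess, the fingerprint allow-list, the X-SSL-Client-User header and the hosts and paths in the configuration are assumptions.

```perl
package MyTest::SSLAccess;
# Added example, not the poster's MyTest::SSLAuth.  The module name, the
# fingerprint allow-list, the header name and the hosts/paths in the POD
# below are assumptions for illustration.
use strict;
use warnings;

use Apache2::RequestRec ();    # $r->connection, $r->user, $r->headers_in
use Apache2::Connection ();    # $c->keepalive, $c->remote_ip / $c->client_ip
use Apache2::Log ();           # $r->log_error
use Apache2::ModSSL ();        # CPAN; adds $c->ssl_var_lookup(), usable in any phase
use APR::Table ();             # $r->headers_in->set
use Apache2::Const -compile => qw(OK FORBIDDEN CONN_CLOSE);
use Digest::SHA qw(sha256_hex);
use MIME::Base64 qw(decode_base64);

# Constructed allow-list: SHA-256 of the client certificate's DER (what
# `openssl x509 -noout -fingerprint -sha256` prints, lower-case, no colons)
# mapped to the user name handed to the backend.  The entry below is a
# placeholder; a real deployment would load this from a file or directory.
my %ALLOWED = (
    ('0' x 64) => 'example-user',
);

# PEM -> DER -> SHA-256 hex.  Returns undef if no certificate was presented.
sub cert_fingerprint {
    my ($pem) = @_;
    return undef unless defined $pem;
    my ($b64) = $pem =~ m{-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----}s
        or return undef;
    $b64 =~ s/\s+//g;
    return sha256_hex(decode_base64($b64));
}

# PerlAccessHandler: runs after the TLS handshake (SSLVerifyClient has already
# checked the chain) and before mod_proxy's response phase.
sub handler {
    my $r = shift;
    my $c = $r->connection;

    # mod_ssl copies SSL_* into $r->subprocess_env only in its fixup hook,
    # which runs after this phase, so read them through ssl_var_lookup().
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY') || '';
    my $fp     = cert_fingerprint($c->ssl_var_lookup('SSL_CLIENT_CERT'));
    my $user   = defined $fp ? $ALLOWED{$fp} : undef;

    # SSLVerifyClient require already fails the handshake on a bad chain;
    # re-checking SSL_CLIENT_VERIFY keeps this honest if someone later relaxes
    # that directive to 'optional'.
    unless ($verify eq 'SUCCESS' && defined $user) {
        my $ip = $c->can('client_ip') ? $c->client_ip : $c->remote_ip;  # httpd 2.4 / 2.2
        $r->log_error(sprintf 'client cert rejected from %s: verify=%s fingerprint=%s',
                      $ip, $verify, defined $fp ? $fp : 'none');
        $c->keepalive(Apache2::Const::CONN_CLOSE);   # close after the 403, as the thread asks
        return Apache2::Const::FORBIDDEN;            # request never reaches mod_proxy
    }

    # Hand the identity to the backend.  set() replaces any copy of the header
    # the client sent, but the backend may only trust it if it is reachable
    # solely through this proxy.
    $r->user($user);
    $r->headers_in->set('X-SSL-Client-User' => $user);
    return Apache2::Const::OK;   # access granted; mod_proxy produces the response
}

1;

__END__

=head1 CONFIGURATION

Assumed httpd.conf for the module above (paths and backend address as in the
thread).  There is no SetHandler/PerlResponseHandler in the Location, so
mod_proxy owns the response phase; FakeBasicAuth is dropped because it only
matters with AuthType Basic.

  <VirtualHost alpha.dev.home.com>
      PerlRequire /opt/perlEngine/startup.pl
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCertificateFile    /opt/certs/server/alpha@danati.home.com-cert.pem
      SSLCertificateKeyFile /opt/certs/server/alpha@danati.home.com-key.pem
      SSLCACertificateFile  /opt/certs/ca/BlackSands-Refereence-CA-cacert.pem
      # Keep this at vhost level: the cert is demanded and verified during the
      # handshake, before any request-phase handler runs.
      SSLVerifyClient require
      SSLOptions +StdEnvVars +ExportCertData
      ProxyRequests off

      <Location /ssl>
          PerlAccessHandler MyTest::SSLAccess
          ProxyPass        http://10.10.10.100
          ProxyPassReverse http://10.10.10.100
      </Location>
  </VirtualHost>

=cut
```

Populate %ALLOWED from `openssl x509 -noout -fingerprint -sha256 -in client.pem`, lower-cased with the colons removed. If the backend should instead see the DN or serial, the same ssl_var_lookup() call returns SSL_CLIENT_S_DN and SSL_CLIENT_M_SERIAL, but note that the DN string format differs between httpd 2.2 and 2.4 (LegacyDNStringFormat), which is why the example keys on the fingerprint.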

