
List:       nginx
Subject:    Header SSL client certificate
From:       "Equipe R&S Netplus" <netplus.root () gmail ! com>
Date:       2014-12-29 16:26:51
Message-ID: CAGeXBwM=u5RQ_iR64Hhe4qd8j0zULvzqrRs1Svuv1nLhtYmUow () mail ! gmail ! com

Hello,

I use nginx as a reverse-proxy.
I would like to set a header, more precisely a header that contains the SSL
client certificate.
However, the variable '$ssl_client_cert' adds some characters that I don't
want (like tab characters).

<<
proxy_set_header        X-SSL-CLI-CERT       $ssl_client_cert;
>>

I tested with '$ssl_client_raw_cert', but the backend webserver (here
Apache) doesn't understand the certificate and returns this:

<<
request failed: error reading the headers
>>

I saw a previous post mentioning a workaround with 'map' (
http://forum.nginx.org/read.php?2,236546,236546):

<<
map $ssl_client_raw_cert $a {
"~^(-.*-\n)(?<1st>[^\n]+)\n((?<b>[^\n]+)\n)?((?<c>[^\n]+)\n)?((?<d>[^\n]+)\n)?((?<e>[^\n]+)\n)?((?<f>[^\n]+)\n)?((?<g>[^\n]+)\n)?((?<h>[^\n]+)\n)?((?<i>[^\n]+)\n)?((?<j>[^\n]+)\n)?((?<k>[^\n]+)\n)?((?<l>[^\n]+)\n)?((?<m>[^\n]+)\n)?((?<n>[^\n]+)\n)?((?<o>[^\n]+)\n)?((?<p>[^\n]+)\n)?((?<q>[^\n]+)\n)?((?<r>[^\n]+)\n)?((?<s>[^\n]+)\n)?((?<t>[^\n]+)\n)?((?<v>[^\n]+)\n)?((?<u>[^\n]+)\n)?((?<w>[^\n]+)\n)?((?<x>[^\n]+)\n)?((?<y>[^\n]+)\n)?((?<z>[^\n]+)\n)?(-.*-)$"
$1st;
}
>>

But in the nginx debug log file, I have an error:

<<
[alert] 19820#0: *21 pcre_exec() failed: -8 on "
...
CERTIFICATE CONTENT
...
" using "^(-.*-
)(?<1st>[^
...
>>

I'm using nginx version 1.6.2. Do you know another workaround, please?

Thank you.


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
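
Added example, not part of the original message or of nginx: a backend-side helper that takes the value of the `X-SSL-CLI-CERT` header as set from `$ssl_client_cert` (PEM with every line after the first prefixed by a tab) and rebuilds canonical PEM, rejecting anything that is not exactly one certificate block. The function names and the sample bytes are constructed for illustration; it assumes the backend sees the folded value with tabs, spaces or line breaks between the PEM lines.

```python
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def header_to_pem(value: str) -> str:
    """Rebuild canonical PEM from a folded X-SSL-CLI-CERT header value.

    Raises ValueError unless the value is exactly one certificate block.
    """
    value = value.strip()
    if not (value.startswith(PEM_BEGIN) and value.endswith(PEM_END)):
        raise ValueError("missing PEM boundaries")
    body = value[len(PEM_BEGIN):-len(PEM_END)]
    # Drop the tabs, spaces and line breaks left over from header folding.
    b64 = "".join(body.split())
    # Anything outside the base64 alphabet (a second block, a colon from a
    # smuggled header line, ...) is rejected here.
    if not B64_RE.fullmatch(b64):
        raise ValueError("body is not base64")
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("bad base64 length or padding") from exc
    if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def constructed_sample():
    """Return (canonical PEM, tab-folded header value) for constructed bytes."""
    der = b"\x30\x82\x01\x00" + bytes(range(256))  # constructed, not a real cert
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines = [PEM_BEGIN, *body, PEM_END]
    return "\n".join(lines) + "\n", "\n\t".join(lines)


if __name__ == "__main__":
    pem, folded = constructed_sample()
    print(header_to_pem(folded) == pem)
```

The backend should still parse and verify the resulting certificate with its TLS library, and should only trust this header when the request comes from the proxy.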
