With apache2.4 I can do it with:
<If "%{QUERY_STRING} =~ /module=PKI/">
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
SSLVerifyDepth 10
SSLVerifyClient require
<Else>
RequestHeader set X-Client-Cert ""
</If>
سؤال
Cert-based authentication in OpenAM need to set http header X-Client-Cert. I want use apache as reverse proxy and to set this header, when url is /openam/UI/Login?module=PKI.
/openam/UI/Login is for username and password authentication.
I have this configuration:
...
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/
RequestHeader set X-Client-Cert ""
<Location "/openam/UI/Login/PKI">
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
SSLVerifyDepth 10
SSLVerifyClient require
</Location>
RewriteRule /openam/UI/Login/PKI balancer://mycluster/openam/UI/Login?module=PKI [P]
...
and it can do the trick, but the cost is rewrite of /openam/UI/Login?module=PKI to /openam/UI/Login/PKI and I don't like it.
Can you advice me how to do it without this rewrite?
Thanks.
المحلول
With apache2.4 I can do it with:
<If "%{QUERY_STRING} =~ /module=PKI/">
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
SSLVerifyDepth 10
SSLVerifyClient require
<Else>
RequestHeader set X-Client-Cert ""
</If>
نصائح أخرى
I think this is possible using a combination of SetEnvIf
and RequestHeader
.
Use SetEnvIf
to set a variable indicating that the URI is for the right path:
SetEnvIf Request_URI "/openam/UI/Login?module=PKI" x_client_cert=1
And use the optional env=[!]variable
parameter to RequestHeader
:
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s" x_client_cert=1
I've probably got the syntax slightly wrong -- in particular possibly the escaping and format of the second (URI) parameter to SetEnvIf, but this approach should work.
Documentation links:
http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif
http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader