Question

Cert-based authentication in OpenAM needs the HTTP header X-Client-Cert to be set. I want to use Apache as a reverse proxy and to set this header when the URL is /openam/UI/Login?module=PKI.

/openam/UI/Login is for username and password authentication.

I have this configuration:

...
  ProxyPass / balancer://mycluster/ 
  ProxyPassReverse / balancer://mycluster/ 

  RequestHeader set X-Client-Cert ""

  <Location "/openam/UI/Login/PKI">
    RequestHeader set X-Client-Cert  "%{SSL_CLIENT_CERT}s"
    SSLVerifyDepth 10
    SSLVerifyClient require
  </Location>

  RewriteRule /openam/UI/Login/PKI balancer://mycluster/openam/UI/Login?module=PKI [P]
...

and it can do the trick, but the cost is a rewrite of /openam/UI/Login?module=PKI to /openam/UI/Login/PKI, and I don't like it.

Can you advise me how to do it without this rewrite?

Thanks.


Solution

With Apache 2.4 I can do it with:

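# Requests whose query string contains module=PKI: require a client
# certificate and forward it to the backend in X-Client-Cert.
<If "%{QUERY_STRING} =~ /module=PKI/">
    RequestHeader set X-Client-Cert  "%{SSL_CLIENT_CERT}s"
    SSLVerifyDepth 10
    SSLVerifyClient require
</If>
# All other requests: overwrite any client-supplied X-Client-Cert value.
<Else>
    RequestHeader set X-Client-Cert ""
</Else>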

Other tips

I think this is possible using a combination of SetEnvIf and RequestHeader.

Use SetEnvIf to set a variable indicating that the URI is for the right path:

SetEnvIf Request_URI "/openam/UI/Login?module=PKI" x_client_cert=1

And use the optional env=[!]variable parameter to RequestHeader:

RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s" env=x_client_cert

I've probably got the syntax slightly wrong -- in particular possibly the escaping and format of the second (URI) parameter to SetEnvIf, but this approach should work.

Documentation links:

http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif

http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader
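
The environment-variable approach from the answer above, written for Apache 2.4 and combined with the certificate check from the accepted answer. This is an added example, not part of either post. It assumes mod_ssl, mod_headers and mod_setenvif are loaded and that the directives sit inside the TLS virtual host; the variable name x_client_cert is the one used above.

```apache
# Added example, not from the posts above. Assumes Apache 2.4 with mod_ssl,
# mod_headers and mod_setenvif, placed inside the TLS <VirtualHost>.

# Flag requests whose query string contains module=PKI.
# Request_URI does not include the query string, so QUERY_STRING is
# matched here with SetEnvIfExpr instead of SetEnvIf Request_URI.
SetEnvIfExpr "%{QUERY_STRING} =~ /module=PKI/" x_client_cert=1

# Discard whatever X-Client-Cert value the client sent, on every request,
# so the backend only ever sees a value written by this proxy.
RequestHeader unset X-Client-Cert

# Request and verify a client certificate only on flagged requests.
<If "reqenv('x_client_cert') == '1'">
    SSLVerifyDepth 10
    SSLVerifyClient require
</If>

# Forward the verified certificate (PEM) only on flagged requests.
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s" env=x_client_cert
```

The two RequestHeader lines are in the same context, so mod_headers applies them in the order written: the client-supplied value is removed first, then the proxy's value is set when the flag is present.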

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow