Thanks Madhu, I will definitely try this. I normally use 2.0.49. As I need to have something to go in a production environment, I suppose it's a bit early to try 2.1.
If I understood correctly, with that patch I will be able to use

    Header SSL_REMOTE_CLIENT_S_DN %{SSL_CLIENT_S_DN}e

The back-end server (as apache is used here as a proxy) will then receive the header "SSL_REMOTE_CLIENT_S_DN". This should work even if I use SSL between the proxy and the back-end server - in this case, the back-end will receive the proxy DN in the header "SSL_CLIENT_S_DN".

Marc

----- Original Message -----
From: "Mathihalli, Madhusudan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 14, 2004 6:20 PM
Subject: RE: SSL_CLIENT_S_DN and proxy

Hi Marc,
If you're using httpd-2.1, did you already try something like below ?

-Madhu

Index: mod_headers.c =================================================================== RCS file: /home/cvs/httpd-2.0/modules/metadata/mod_headers.c,v retrieving revision 1.59 diff -u -r1.59 mod_headers.c --- mod_headers.c 18 Apr 2004 20:26:07 -0000 1.59 +++ mod_headers.c 14 May 2004 16:19:44 -0000 @@ -138,6 +138,7 @@ /* Pointer to ssl_var_lookup, if available. */ static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *header_ssl_lookup = NULL; +static const char *header_request_ssl_var(request_rec *r, char *name); /* * Tag formatting functions @@ -176,6 +177,10 @@ static const char *header_request_env_var(request_rec *r, char *a) { const char *s = apr_table_get(r->subprocess_env,a); + + if (s == NULL) { + s = header_request_ssl_var(r, a); + } if (s) return unwrap_header(r->pool, s);

>-----Original Message-----
>From: Marc Stern [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, May 12, 2004 11:35 PM
>To: [EMAIL PROTECTED]
>Subject: Re: SSL_CLIENT_S_DN and proxy
>
>
>From what I understand - and it seems confirmed by the test I
>made - the header is modified (created) before Apache
>populates the value. I tried with the header HTTP_HOST
>"RequestHeader set X-HOST %{HTTP_HOST}e)", and the header is
>created, but empty.
>
>Is the same feature available, but at the end of the treatment ?
>
>Marc
>
>----- Original Message -----
>From: "Joe Orton" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, May 12, 2004 3:27 PM
>Subject: Re: SSL_CLIENT_S_DN and proxy
>
>
>> On Wed, May 12, 2004 at 01:09:03PM +0200, Marc Stern wrote:
>> > When using Apache as a proxy:
>> > ( browser --https--> Apache + mod_proxy --https--> Web server )
>> > the Web server never receives the user's certificate info, because
>> > only the proxy is seen by the Web server. That means that all headers
>> > SSL_CLIENT_* contain the proxy certificate info, not the user
>> > certificate info.
>> >
>> > Is there a way to get the user's certificate info ?
>>
>> On the proxy use, e.g.:
>>
>> SSLOptions +StdEnvVars
>> RequestHeader set X-Foo %{SSL_CLIENT_S_DN}e
>>
>> and the client DN is passed through to the backend in the X-Foo
>> header.
>>
>> joe
>>
>
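
Review bot: in the second hunk of the quoted mod_headers.c patch (header_request_env_var), the new fallback calls header_request_ssl_var(r, a) on every miss in r->subprocess_env, yet the context of the first hunk shows header_ssl_lookup is an optional function that starts out NULL ("if available"). The visible lines do not show whether header_request_ssl_var guards against a NULL header_ssl_lookup, nor what it returns for a name that is not an SSL variable; the "if (s)" test that follows only keeps its meaning if that function returns NULL on a miss. Please confirm both cases, and document that the %{...}e format now also resolves SSL variables, since the lookup order (environment first, SSL second) means an environment variable with the same name as an SSL variable takes precedence in the forwarded header.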