Hi,

-

I have Apache nodes behind an Apache LB and I am trying to pass SSL_* values 
transparently to the application. Queries go:

Client -> Apache LB -> Apache

-

My currently tested and working solution is as follows:

LB:
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT

Apache:
RewriteEngine On
RewriteRule .* - [E=SSL_CLIENT_CERT:%{HTTP:SSL_CLIENT_CERT}]


-

But I would like to have the following solution (or something similar and 
working :)):

SetEnvIfNoCase SSL_CLIENT_CERT ^.. SSL_CLIENT_CERT=%{HTTP:SSL_CLIENT_CERT}


Please answer the following:

1. The problem with the currently working solution is that every virtual host 
has to have RewriteEngine On and RewriteOptions inherit. SetEnvIf would be much 
cleaner and, as I see it, faster, but it does not work. From looking at the 
documentation (http://httpd.apache.org/docs/2.1/mod/mod_setenvif.html) it seems 
that variables are not supported there. So my question is: can anyone suggest 
a better solution, and perhaps refer to any good documentation? (Apache's own 
documentation is good, but sometimes it does not cover all the scenarios.)

2. What is good practice for SSL offloading: should the applications themselves 
be smart enough to read from headers? I noticed that, for example, for 
mod_weblogic the headers must not be sent separately using mod_headers: 
mod_weblogic takes the SSL parameters from the local env, sends them in its own 
format to the backend, and SSL_CLIENT_CERT is available to the application as 
well. Is there any other similar alternative for just plain HTTP proxying with 
Apache?




Best regards,
Margus Pärt
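
The header-forwarding setup described above, as an added example that is not part of the original post: it strips any client-supplied SSL_CLIENT_CERT header on the LB before setting it from the TLS session, and limits the backend to connections from the LB. Host names, addresses, ports, file paths, `SSLVerifyClient optional` and the httpd 2.4 `Require ip` syntax are assumptions.

```apache
# ---- Load balancer: TLS terminates here (placeholder names and paths) ----
<VirtualHost *:443>
    ServerName lb.example.test
    SSLEngine on
    SSLCertificateFile    /path/to/lb.crt
    SSLCertificateKeyFile /path/to/lb.key
    SSLCACertificateFile  /path/to/client-ca.crt
    # Assumed setting: a client certificate is requested but not mandatory.
    SSLVerifyClient optional
    # Exports SSL_CLIENT_CERT into the environment, which env= tests below.
    SSLOptions +ExportCertData

    # Always discard a client-supplied copy first. The "set" below is
    # conditional, so without this line a request that presents no
    # certificate would reach the backend with whatever the client sent.
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT

    # 10.0.0.10:8080 is a placeholder for one backend node.
    ProxyPass        / http://10.0.0.10:8080/
    ProxyPassReverse / http://10.0.0.10:8080/
</VirtualHost>

# ---- Backend node: plain HTTP, reachable only from the LB ----
<VirtualHost *:8080>
    ServerName app.example.test

    # Accept requests from the load balancer only, so nothing else can
    # supply the header (10.0.0.5 is a placeholder for the LB address).
    <Location "/">
        Require ip 10.0.0.5
    </Location>

    # Copy the forwarded header into the environment without mod_rewrite:
    # $1 in the value is replaced by the first parenthesized group of the
    # regex, here the whole header value.
    SetEnvIf SSL_CLIENT_CERT "(.+)" SSL_CLIENT_CERT=$1
</VirtualHost>
```

The environment variable on the backend is only as trustworthy as the network path from the LB, so the address restriction and the unconditional `unset` belong together.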

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.