As I was reading old documentation, I did not find what I was looking for at 
the first time. Lauri from #linux.ee, thank you. :)


SetEnvIf SSL_CLIENT_CERT "(..*)" SSL_CLIENT_CERT=$1 


Br,
Margus Pärt
 

-----Original Message-----
From: Margus Pärt 
Sent: Thursday, July 22, 2010 6:23 PM
To: 'users@httpd.apache.org'
Subject: SetEnvIf, setting value from other env value

Hi,

-

I have Apache nodes behind Apache LB and I try to get SSL_* values 
transparently to application, queries go:

Client -> Apache LB -> Apache

-

My currenty tested and working solution is as follows:

LB:
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT

Apache:
RewriteEngine On
RewriteRule .* - [E=SSL_CLIENT_CERT:%{HTTP:SSL_CLIENT_CERT}]


-

But I would like to have following solution (or something similar and 
working:)):

SetEnvIfNoCase SSL_CLIENT_CERT ^.. SSL_CLIENT_CERT=%{HTTP:SSL_CLIENT_CERT}


Please answer to:

1. Problem with currently working solution is that every virtualhost has to 
have RewriteEngine On and RewriteOptions inherit, SetEnvIf would be much 
cleaner and, as I see it, faster, but it does not work - from looking at 
documentation (http://httpd.apache.org/docs/2.1/mod/mod_setenvif.html) it seems 
that variables there are not supported - so my question is, can anyone suggest 
a better solution, and perhaps refer to any good documentation (apache's own 
documentation is good, but sometimes it does not cover all the scenarios.)

2. How it is good practice to do SSL offloading, application themselves should 
be smart enough to read from headers? I noticed, that for example for 
mod_weblogic headers must not be separately sent using mod_headers - 
mod_weblogic takes SSL parameters from local env, sends them in its own format 
to backend and SSL_CLIENT_CERT are available for application also - is there 
any other similar alternative for just plain HTTP proxying for Apache?




Best regards,
Margus Pärt

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to