Preserve X509 client cert data from apache2 reverse proxy to jetty

Question

I am not able to receive on jetty-9.3.14 the X509 client cert data which are submitted to apache2 and forwarded via ProxyPass directive.

<Location /X509>
    SSLVerifyClient require
    SSLVerifyDepth 5
    SSLOptions -StdEnvVars +ExportCertData
# most of the followings are useless 
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
    RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set SSL_CLIENT_V_START "%{SSL_CLIENT_V_START}s"
    RequestHeader set SSL_CLIENT_V_END "%{SSL_CLIENT_V_END}s"
    RequestHeader set SSL_CLIENT_M_VERSION "%{SSL_CLIENT_M_VERSION}s"
    RequestHeader set SSL_CLIENT_M_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set SSL_SERVER_M_VERSION "%{SSL_SERVER_M_VERSION}s"
    RequestHeader set SSL_SERVER_I_DN "%{SSL_SERVER_I_DN}s"
    RequestHeader set SSL_SERVER_CERT "%{SSL_SERVER_CERT}s"
</Location>

The above location on apache2 is effective in requiring X509 client cert to user, but these information are not forwarded to jetty.

score 0 · Answer 1 · answered Jan 20 '17 at 09:19

I think it is not doable. As Jetty-9.3 does not support mod_ajp, apache2 needs to proxy request on proxy_http, that is, of course, a http channel.

X509 user cert data is "peeled off" when passing from https from http.

That's all.

The maximum you can do is to turn the SSLContext data into HTTP headers and then trust the headers with some custom logic.

Preserve X509 client cert data from apache2 reverse proxy to jetty

1 Answers1