
A question from an HTTPD newbie. We have an Apache HTTP server (2.4.38) as an SSL termination proxy, forwarding requests over AJP to an Apache Tomcat behind it. The requirement is to pass the client certificate in a request header without any validation (the validations appear to be quite complex and are therefore performed on the app server).

That's simple and something like the below in Apache configuration will do:

# Ask for a client certificate but accept one from any issuer (no CA check on the proxy).
SSLVerifyClient optional_no_ca
# Mark requests that already carry the header (e.g. set by an upstream hop).
SetEnvIf ^X-SSL-certificate$ .+ X_SSL_CERTIFICATE_HEADER_PRESENT
# Export the PEM of the handshake certificate only when no such header was received; a client-supplied header is left untouched.
RequestHeader set X-SSL-certificate "%{SSL_CLIENT_CERT}s" env=!X_SSL_CERTIFICATE_HEADER_PRESENT

Now we also have a Swagger UI web page that allows playing with the REST API (i.e. it is actually doing the same REST API requests from your browser). But with the aforementioned configuration the browser constantly shows the "Select certificate" popup, which we want to avoid because the actual certificate doesn't matter here: it is substituted with a fake one on the app server if it sees the request is coming from Swagger UI (by analysing the Referer header, which is not a very robust solution, I agree).

The only solution I was able to find was to add

SSLCACertificateFile conf/ssl/server.crt

with a fake CA which nobody will ever be able to use as an issuer certificate (in this case it's the default certificate that comes with Apache). AFAIU SSLCADNRequestFile should have helped here, but somehow it had no effect at all... So you can still provide a PEM/key from e.g. Postman, but the browser won't show the popup because you can't have a certificate that fits.

The ultimate question is: how do I achieve this the right way? Obviously the ugly workaround with a fake SSLCACertificateFile is not how it should be, IMHO...

Update #1

Ok, it eventually evolved into the following:

# No certificate is requested in the initial handshake, so the browser shows no popup.
SSLVerifyClient none
# Make SSL_CLIENT_CERT available as an environment variable (used via %{...}e below).
SSLOptions +ExportCertData

# Always clear the header first so a client cannot inject its own value.
RequestHeader set X-SSL-certificate ""

<Location ~ "/app-url">
    # Only API calls that do not come from the Swagger UI page get a certificate request.
    <If "%{HTTP_REFERER} !~ /swagger-ui\.html/">
        # Per-location request for a client cert (triggers a renegotiation); any issuer accepted.
        SSLVerifyClient optional_no_ca
        # Overwrite the header with the PEM exported from the handshake (empty if none was sent).
        RequestHeader set X-SSL-certificate "%{SSL_CLIENT_CERT}e"
    </If>
</Location>

Still looks hackish IMHO, but at least not that ugly. Although people say it won't work with TLS 1.3...

FlasH from Ru

0 Answers
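The security-relevant point in the configurations above is header trust: whatever the proxy puts into X-SSL-certificate is taken by Tomcat as the authenticated TLS identity, so the edge proxy must overwrite that header on every request rather than only when it is absent. The following is an added example (not from the original post or from the Apache project) that shows the weak first variant beside a hardened vhost. The hostname, certificate paths, the AJP backend address ajp://localhost:8009/ and the Swagger UI path /swagger-ui.html are assumptions; the header name is the one used in the question.

```apache
# Added example, not code from the original post. Assumed values: hostname,
# certificate paths, AJP backend address and the Swagger UI path.

# --- Weak variant (the first configuration in the question) ---
# The header is set only when the client did NOT already send one, so any
# client can inject its own X-SSL-certificate header and Tomcat will treat
# that PEM as the TLS client certificate. Never do this on an edge proxy.
#
#   SetEnvIf ^X-SSL-certificate$ .+ X_SSL_CERTIFICATE_HEADER_PRESENT
#   RequestHeader set X-SSL-certificate "%{SSL_CLIENT_CERT}s" env=!X_SSL_CERTIFICATE_HEADER_PRESENT

# --- Hardened variant ---
<VirtualHost *:443>
    ServerName api.example.test                                  # assumed
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/api.example.test.pem    # assumed path
    SSLCertificateKeyFile /etc/ssl/private/api.example.test.key  # assumed path

    # Per-location SSLVerifyClient below relies on a renegotiation, which
    # TLS 1.3 no longer has (httpd 2.4.37+ can use post-handshake auth
    # instead, but mainstream browsers do not implement it). If you keep the
    # per-location approach, pin the vhost to TLS 1.2:
    # SSLProtocol -all +TLSv1.2

    # No client certificate is requested in the initial handshake, so the
    # browser never shows the "Select a certificate" dialog for Swagger UI.
    SSLVerifyClient none
    SSLOptions +ExportCertData

    # Unconditionally overwrite the header on every request. An empty value
    # means "no client certificate"; a client-supplied X-SSL-certificate
    # header can never reach Tomcat.
    RequestHeader set X-SSL-certificate ""

    <Location "/app-url">
        # Request a certificate only for API calls that do not come from
        # the Swagger UI page (Referer is a hint, not an authentication signal).
        <If "%{HTTP_REFERER} !~ /swagger-ui\.html/">
            SSLVerifyClient optional_no_ca
            # Replace the header with the PEM that mod_ssl exported from the
            # handshake (empty if the client presented none). The value is a
            # multi-line PEM, so the app-server side must accept however the
            # header is folded before parsing it.
            RequestHeader set X-SSL-certificate "%{SSL_CLIENT_CERT}e"
        </If>
    </Location>

    # Forward everything to Tomcat over AJP (assumed backend address).
    ProxyPass        "/" "ajp://localhost:8009/"
    ProxyPassReverse "/" "ajp://localhost:8009/"
</VirtualHost>
```

Two things are worth checking after deploying this: send a request with a forged X-SSL-certificate header (for example from curl) and confirm that Tomcat sees an empty header or the handshake certificate, never the forged value; and confirm with a TLS 1.3 client that the per-location certificate request actually yields a certificate, since without a renegotiation or post-handshake authentication SSL_CLIENT_CERT will simply stay empty.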