Apache mod_ssl Modifying Environment Variable (stripping value)

Question

Currently, I'm doing the following in httpd.conf to set X-Client-Subject-CN

RequestHeader set X-Client-Subject-CN %{SSL_CLIENT_SAN_OTHER_msUPN_0}s

This works, and the X-Client-Subject-CN is set to my User Principal Name (UPN) from my cert in format "12345678@abc"

However, I need it to just be set as "12345678". What is the best way to strip the @domain portion of the Principal Name coming from the mod_ssl Environment Variable SSL_CLIENT_SAN_OTHER_msUPN_0?

I've tried using mod_rewrite to set a new environment variable based on regex, but don't think I'm doing this correctly:

RewriteCond  %{SSL_CLIENT_SAN_OTHER_msUPN_0}  ^.*
RewriteRule  ([^@abc]*) [E=USER_NAME:$1]
        
RequestHeader set X-Client-Subject-CN %{USER_NAME}

score 0 · Answer 1 · answered Dec 08 '22 at 02:22

I figured out how to do this in another way:

Instead of using Rewrite rules, I found the RequestHeader edit functionality from here:

https://serverfault.com/questions/526655/how-do-i-create-a-custom-header-from-an-existing-ssl-environment-variable

Full solution I used:

RequestHeader set X-Client-Subject-CN %{SSL_CLIENT_SAN_OTHER_msUPN_0}s
RequestHeader edit X-Client-Subject-CN ([^-]*)@(.*) $1

So I set the X-Client-Subject-CN header to the full value (12345678@abc), then I edit the X-Client-Subject-CN header and use the regular expression to grab the value before the @.

Apache mod_ssl Modifying Environment Variable (stripping value)

1 Answers1