Hi,
I built mod_wsgi using Python 3.6.3 and also with Apache 2.2.29. The
Apache is configured for client-authenticated SSL, and I am trying to
configure Apache to pass some of the SSL_ variables to a small test Flask
application and I am having difficulty getting this working.
Here is the VirtualHost:
<VirtualHost *:8443>
Servername apache.whatever.com
.
.
.
WSGIDaemonProcess webtool user=myuser group=mygroup threads=5 home=/apps/flaskapps/helloflask/wsgi-scripts
WSGIScriptAlias / /apps/flaskapps/helloflask/wsgi-scripts/webtool.wsgi
# From: https://stackoverflow.com/questions/20940651/how-to-access-apache-basic-authentication-user-in-flask
# WSGIPassAuthorization On
RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s"
RequestHeader set X-SSL-CIPHER2 "%{SSL_CLIENT_I_DN}s"
RequestHeader set X-SSL-CIPHER3 "%{SSL_CLIENT_CERT}s"
# RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
# RequestHeader add X-SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
# RequestHeader add X-MYSSL_CLIENT_S_DN "fffffooooooooooooooooooooooooooooooooooo"
# RequestHeader set X-SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
# RequestHeader set X-SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
# RequestHeader set X-SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e"
# RequestHeader set X-SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
<directory /apps/flaskapps/helloflask/wsgi-scripts>
WSGIProcessGroup webtool
SSLOptions +StdEnvVars +ExportCertData
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
Order allow,deny
Allow from all
</directory>
Note the bunch of RequestHeader directives.
I originally started with only the 1st two:
RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
And that worked, i.e., my test Flask app was able to see those headers, and
dumped out those values.
Then, I added a third one:
RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
And bounced the Apache and tested, but I still only saw the first two
headers :(...
I added the others that you see that are commented out, but still only saw
the first two headers in Flask.
So, just on a whim, I tried copying the 2nd one, but changing the header
name slightly.
RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s"
And when I tested, I saw all 3 headers in Flask.
So I tried changing the name of the third header:
RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
RequestHeader set X-SSL-CIPHER1_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
And then I saw only the first two headers in Flask.
Changed the third header name back to X-SSL-CIPHER1 and tested again, and
saw 3 headers.
I don't understand why this is happening. It seems like there is something
"special" about the header name in the RequestHeader that is preventing
Apache from sending any other header names?
Any ideas why this might be the case? I have worked with Apache for
a while, and with RequestHeader in the past, and I don't recall anything
like this.
Thanks,
Jim
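
The pattern reported above (names made only of letters, digits and `-` arrive; names containing `_` do not) is what a server produces when it drops header names that are ambiguous under the CGI/WSGI mapping to `HTTP_*` keys. The sketch below is an added example, not part of the original post and not mod_wsgi's code; the allowed-character rule and the sample values are assumptions.

```python
import re

# Assumption for this sketch: only letters, digits and '-' are accepted in a
# header name; anything else (such as '_') is dropped before reaching the app.
SAFE_NAME = re.compile(r"[A-Za-z0-9-]+")


def environ_key(header_name):
    """CGI/WSGI naming: upper-case the name, turn '-' into '_', prefix HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(headers, drop_ambiguous=True):
    """Return (environ, dropped_names) for a list of (name, value) pairs."""
    environ, dropped = {}, []
    for name, value in headers:
        if drop_ambiguous and not SAFE_NAME.fullmatch(name):
            dropped.append(name)
            continue
        # Without the filter, a later header silently overwrites an earlier
        # one that maps to the same key.
        environ[environ_key(name)] = value
    return environ, dropped


# Constructed sample: header names from the post, placeholder values.
SAMPLE_HEADERS = [
    ("X-SSL-PROTOCOL", "TLSv1.2"),
    ("X-SSL-CIPHER", "constructed-cipher"),
    ("X-SSL-CIPHER1", "CN=constructed-client"),
    ("X-SSL-CLIENT_S_DN", "CN=constructed-client"),
    ("X-SSL-CIPHER1_CLIENT_S_DN", "CN=constructed-client"),
]

if __name__ == "__main__":
    environ, dropped = build_environ(SAMPLE_HEADERS)
    print("seen by the app:", sorted(environ))
    print("dropped:", dropped)
    # Both spellings collapse to one key, so the app cannot tell a header set
    # by the server from a look-alike sent by the client.
    print(environ_key("X-SSL-CLIENT-S-DN") == environ_key("X-SSL_CLIENT_S_DN"))
    # Hyphen-only name (hypothetical choice) survives the filter.
    print(build_environ([("X-SSL-CLIENT-S-DN", "CN=constructed-client")]))
```

In a Flask view the surviving headers are read with `request.headers.get("X-SSL-CIPHER1")` or through `request.environ["HTTP_X_SSL_CIPHER1"]`.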