Why fiddle with RequestHeader and using headers? The directive:
SSLOptions +StdEnvVars
should result in them being passed through in the WSGI environ dictionary
already.
Graham
> On 11 Nov 2017, at 4:03 pm, O haya <[email protected]> wrote:
>
> Hi,
>
> I built mod_wsgi using Python 3.6.3 and also with Apache 2.2.29. The Apache
> is configured for client-authenticated SSL, and I am trying to configure
> Apache to pass some of the SSL_ variables to a small test Flask application
> and I am having difficulty getting this working.
>
> Here is the VirtualHost:
>
> <VirtualHost *:8443>
> Servername apache.whatever.com
> .
> .
> .
>
>
> WSGIDaemonProcess webtool user=myuser group=mygroup threads=5 home=/apps/flaskapps/helloflask/wsgi-scripts
> WSGIScriptAlias / /apps/flaskapps/helloflask/wsgi-scripts/webtool.wsgi
>
> # From: https://stackoverflow.com/questions/20940651/how-to-access-apache-basic-authentication-user-in-flask
> # WSGIPassAuthorization On
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s"
> RequestHeader set X-SSL-CIPHER2 "%{SSL_CLIENT_I_DN}s"
> RequestHeader set X-SSL-CIPHER3 "%{SSL_CLIENT_CERT}s"
> # RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
> # RequestHeader add X-SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
> # RequestHeader add X-MYSSL_CLIENT_S_DN "fffffooooooooooooooooooooooooooooooooooo"
> # RequestHeader set X-SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
> # RequestHeader set X-SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
> # RequestHeader set X-SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e"
> # RequestHeader set X-SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
>
> <directory /apps/flaskapps/helloflask/wsgi-scripts>
> WSGIProcessGroup webtool
>
> SSLOptions +StdEnvVars +ExportCertData
>
> WSGIApplicationGroup %{GLOBAL}
> WSGIScriptReloading On
> Order allow,deny
> Allow from all
> </directory>
>
> Note the bunch of RequestHeader directives.
>
> I originally started with only the 1st two:
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
>
> And that worked, i.e., my test Flask app was able to see those headers, and
> dumped out those values.
>
> Then, I added a third one:
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
> RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>
> And bounced the Apache and tested, but I still only saw the first two headers
> :(...
>
> I added the others that you see that are commented out, but still only saw
> the first two headers in Flask.
>
> So, just on a whim, I tried copying the 2nd one, but changing the header name
> slightly.
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s"
>
> And when I tested, I saw all 3 headers in Flask.
>
> So I tried changing the name of the third header:
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
> RequestHeader set X-SSL-CIPHER1_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>
> And then I saw only the first two headers in Flask.
>
> Change the third header name back to X-SSL-CIPHER1 and tested again, and saw
> 3 headers.
>
> I don't understand why this is happening. It seems like there is something
> "special" about the header name in the RequestHeader that is preventing the
> Apache sending any other header names?
>
> Any ideas why this might be the case? I have worked with Apache for a while,
> and with RequestHeader in the past, and I don't recall anything like this.
>
> Thanks,
> Jim
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected]
> <mailto:[email protected]>.
> To post to this group, send email to [email protected]
> <mailto:[email protected]>.
> Visit this group at https://groups.google.com/group/modwsgi
> <https://groups.google.com/group/modwsgi>.
> For more options, visit https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>.
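
What the reply suggests, as an added example (not part of the original thread and not mod_wsgi's own code): a WSGI application that reads the variables exported by SSLOptions +StdEnvVars directly from environ instead of from X-SSL-* request headers. Request headers only ever arrive as HTTP_* keys, so a client-supplied X-SSL-* header cannot populate the SSL_* keys. The helper names and all sample values are constructed for illustration.

```python
from wsgiref.util import setup_testing_defaults

# mod_ssl variables this sketch reads; exported by "SSLOptions +StdEnvVars".
SSL_KEYS = ("SSL_PROTOCOL", "SSL_CIPHER", "SSL_CLIENT_VERIFY",
            "SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN")

def client_cert_info(environ):
    """Return the SSL_* values set by mod_ssl, or None when the client
    certificate was not verified (SSL_CLIENT_VERIFY is not SUCCESS)."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return {k: environ[k] for k in SSL_KEYS if k in environ}

def application(environ, start_response):
    info = client_cert_info(environ)
    if info is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    body = "".join(f"{k}={v}\n" for k, v in info.items()).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]

def call(app, extra):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode("utf-8")

# Constructed sample: what the environ looks like after a verified handshake.
VERIFIED = {"SSL_PROTOCOL": "TLSv1.2", "SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
            "SSL_CLIENT_VERIFY": "SUCCESS",
            "SSL_CLIENT_S_DN": "CN=jim,O=Example",
            "SSL_CLIENT_I_DN": "CN=Example CA,O=Example"}
# Constructed sample: a request that only carries look-alike headers.
HEADERS_ONLY = {"HTTP_X_SSL_CLIENT_VERIFY": "SUCCESS",
                "HTTP_X_SSL_CLIENT_S_DN": "CN=admin,O=Example"}

if __name__ == "__main__":
    print(call(application, VERIFIED))
    print(call(application, HEADERS_ONLY))
```

In a Flask view the same dictionary is available as request.environ.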