Hi, I already have the SSLOptions +StdEnvVars in the virtualhost and was not seeing the SSL_ headers. That was why I started trying to add the RequestHeaders.

Thanks,
Jim

On Saturday, November 11, 2017 at 4:05:08 AM UTC-5, Graham Dumpleton wrote:
>
> Why fiddle with RequestHeader and using headers. The directive:
>
> SSLOptions +StdEnvVars
>
> should result in them being passed through in the WSGI environ dictionary already.
>
> Graham
>
>
> On 11 Nov 2017, at 4:03 pm, O haya <[email protected]> wrote:
>
> Hi,
>
> I built mod_wsgi using Python 3.6.3 and also with Apache 2.2.29. The Apache is configured for client-authenticated SSL, and I am trying to configure Apache to pass some of the SSL_ variables to a small test Flask application and I am having difficulty getting this working.
>
> Here is the VirtualHost:
>
> <VirtualHost *:8443>
> Servername apache.whatever.com
> .
> .
> .
>
>
> WSGIDaemonProcess webtool user=myuser group=mygroup threads=5 home=/apps/flaskapps/helloflask/wsgi-scripts
> WSGIScriptAlias / /apps/flaskapps/helloflask/wsgi-scripts/webtool.wsgi
>
> # From: https://stackoverflow.com/questions/20940651/how-to-access-apache-basic-authentication-user-in-flask
> # WSGIPassAuthorization On
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s"
> RequestHeader set X-SSL-CIPHER2 "%{SSL_CLIENT_I_DN}s"
> RequestHeader set X-SSL-CIPHER3 "%{SSL_CLIENT_CERT}s"
> # RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
> # RequestHeader add X-SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
> # RequestHeader add X-MYSSL_CLIENT_S_DN "fffffooooooooooooooooooooooooooooooooooo"
> # RequestHeader set X-SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
> # RequestHeader set X-SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
> # RequestHeader set X-SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e"
> # RequestHeader set X-SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
>
> <directory /apps/flaskapps/helloflask/wsgi-scripts>
> WSGIProcessGroup webtool
>
> SSLOptions +StdEnvVars +ExportCertData
>
> WSGIApplicationGroup %{GLOBAL}
> WSGIScriptReloading On
> Order allow,deny
> Allow from all
> </directory>
>
> Note the bunch of RequestHeader directives.
>
> I originally started with only the 1st two:
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
>
> And that worked, i.e., my test Flask app was able to see those headers, and dumped out those values.
>
> Then, I added a third one:
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
> RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>
> And bounced the Apache and tested, but I still only saw the first two headers :(...
>
> I added the others that you see that are commented out, but still only saw the first two headers in Flask.
>
> So, just on a whim, I tried copying the 2nd one, but changing the header name slightly.
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s"
>
> And when I tested, I saw all 3 headers in Flask.
>
> So I tried changing the name of the third header:
>
> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
> RequestHeader set X-SSL-CIPHER1_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>
> And then I saw only the first two headers in Flask.
>
> Change the third header name back to X-SSL-CIPHER1 and tested again, and saw 3 headers.
>
> I don't understand why this is happening. It seems like there is something "special" about the header name in the RequestHeader that is preventing the Apache sending any other header names?
>
> Any ideas why this might be the case? I have worked with Apache for awhile, and with RequestHeader in the past, and I don't recall anything like this.
>
> Thanks,
> Jim

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.
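
A diagnostic WSGI application for the setup discussed in this thread, added here as an example and not code from the thread or from mod_wsgi: it lists the SSL_ variables the server placed in environ separately from HTTP_X_SSL_* entries that originate from request headers, and shows that a header name containing "_" maps to the same environ key as its "-" spelling. The function names are hypothetical, and whether the hosting server filters such header names is not established by the thread.

```python
import re

# Header names made only of letters, digits and '-' map one-to-one onto
# CGI-style environ keys; a name containing '_' collides with its '-' twin.
UNAMBIGUOUS = re.compile(r"^[A-Za-z0-9-]+$")


def cgi_key(header_name):
    """Return the WSGI environ key for an HTTP request header name."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def is_unambiguous(header_name):
    """True if no other spelling of the header maps to the same environ key."""
    return bool(UNAMBIGUOUS.match(header_name))


def classify(environ):
    """Split TLS-related environ entries by origin.

    SSL_* keys are set by the server (mod_ssl with SSLOptions +StdEnvVars).
    HTTP_X_SSL_* keys come from request headers, so a client can supply them
    unless the front end overwrites or removes them.
    """
    server_set = {k: v for k, v in environ.items() if k.startswith("SSL_")}
    from_headers = {k: v for k, v in environ.items()
                    if k.startswith("HTTP_X_SSL_")}
    return server_set, from_headers


def application(environ, start_response):
    """Plain-text dump of both groups, for checking what reaches the app."""
    server_set, from_headers = classify(environ)
    lines = ["[set by server: SSL_*]"]
    lines += [f"{k}={v}" for k, v in sorted(server_set.items())] or ["(none)"]
    lines.append("[from request headers: HTTP_X_SSL_*]")
    lines += [f"{k}={v}" for k, v in sorted(from_headers.items())] or ["(none)"]
    body = "\n".join(lines).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

Pointing WSGIScriptAlias at a script containing this application shows directly whether SSL_CLIENT_S_DN and the other SSL_ keys reach the daemon process, without going through Flask's header handling.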
