Hi Graham, FYI, I am going to be in-transit to another location in a bit, so I will be slow to respond probably until tomorrow.

On Saturday, November 11, 2017 at 9:21:26 AM UTC-5, O haya wrote:
>
> Hi,
>
> I already have the SSLOptions +StdEnvVars in the virtualhost and was not
> seeing the SSL_ headers. That was why I started trying to add the
> RequestHeaders.
>
> Thanks,
> Jim
>
> On Saturday, November 11, 2017 at 4:05:08 AM UTC-5, Graham Dumpleton wrote:
>>
>> Why fiddle with RequestHeader and using headers. The directive:
>>
>>     SSLOptions +StdEnvVars
>>
>> should result in them being passed through in the WSGI environ dictionary
>> already.
>>
>> Graham
>>
>>
>> On 11 Nov 2017, at 4:03 pm, O haya <[email protected]> wrote:
>>
>> Hi,
>>
>> I built mod_wsgi using Python 3.6.3 and also with Apache 2.2.29. The
>> Apache is configured for client-authenticated SSL, and I am trying to
>> configure Apache to pass some of the SSL_ variables to a small test Flask
>> application and I am having difficulty getting this working.
>>
>> Here is the VirtualHost:
>>
>> <VirtualHost *:8443>
>> Servername apache.whatever.com
>> .
>> .
>> .
>>
>> WSGIDaemonProcess webtool user=myuser group=mygroup threads=5 home=/apps/flaskapps/helloflask/wsgi-scripts
>> WSGIScriptAlias / /apps/flaskapps/helloflask/wsgi-scripts/webtool.wsgi
>>
>> # From: https://stackoverflow.com/questions/20940651/how-to-access-apache-basic-authentication-user-in-flask
>> # WSGIPassAuthorization On
>>
>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
>> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s"
>> RequestHeader set X-SSL-CIPHER2 "%{SSL_CLIENT_I_DN}s"
>> RequestHeader set X-SSL-CIPHER3 "%{SSL_CLIENT_CERT}s"
>> # RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>> # RequestHeader add X-SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
>> # RequestHeader add X-MYSSL_CLIENT_S_DN "fffffooooooooooooooooooooooooooooooooooo"
>> # RequestHeader set X-SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
>> # RequestHeader set X-SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
>> # RequestHeader set X-SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e"
>> # RequestHeader set X-SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
>>
>> <directory /apps/flaskapps/helloflask/wsgi-scripts>
>>     WSGIProcessGroup webtool
>>
>>     SSLOptions +StdEnvVars +ExportCertData
>>
>>     WSGIApplicationGroup %{GLOBAL}
>>     WSGIScriptReloading On
>>     Order allow,deny
>>     Allow from all
>> </directory>
>>
>> Note the bunch of RequestHeader directives.
>>
>> I originally started with only the 1st two:
>>
>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
>>
>> And that worked, i.e., my test Flask app was able to see those headers,
>> and dumped out those values.
>>
>> Then, I added a third one:
>>
>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
>> RequestHeader set X-SSL-CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>>
>> And bounced the Apache and tested, but I still only saw the first two
>> headers :(...
>>
>> I added the others that you see that are commented out, but still only
>> saw the first two headers in Flask.
>>
>> So, just on a whim, I tried copying the 2nd one, but changing the header
>> name slightly.
>>
>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
>> RequestHeader set X-SSL-CIPHER1 "%{SSL_CLIENT_S_DN}s"
>>
>> And when I tested, I saw all 3 headers in Flask.
>>
>> So I tried changing the name of the third header:
>>
>> RequestHeader set X-SSL-PROTOCOL "%{SSL_PROTOCOL}s"
>> RequestHeader set X-SSL-CIPHER "%{SSL_CIPHER}s"
>> RequestHeader set X-SSL-CIPHER1_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
>>
>> And then I saw only the first two headers in Flask.
>>
>> Change the third header name back to X-SSL-CIPHER1 and tested again, and
>> saw 3 headers.
>>
>> I don't understand why this is happening. It seems like there is
>> something "special" about the header name in the RequestHeader that is
>> preventing the Apache sending any other header names?
>>
>> Any ideas why this might be the case? I have worked with Apache for
>> awhile, and with RequestHeader in the past, and I don't recall anything
>> like this.
>>
>> Thanks,
>> Jim
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "modwsgi" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/modwsgi.
>> For more options, visit https://groups.google.com/d/optout.
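
An added example, not part of the thread and not mod_wsgi's own code: the header names from the post run through the CGI/WSGI name mapping (`HTTP_` prefix, upper case, `-` to `_`) together with a filter that drops any name containing characters other than letters, digits and hyphens. That such a filter is what hid the underscore-named headers is an assumption here, since the thread does not state the cause; all function names are hypothetical.

```python
import re

# Header names taken from the RequestHeader directives quoted in the thread.
HEADERS_FROM_THREAD = [
    "X-SSL-PROTOCOL",
    "X-SSL-CIPHER",
    "X-SSL-CIPHER1",
    "X-SSL-CLIENT_S_DN",
    "X-SSL-CIPHER1_CLIENT_S_DN",
]

_SAFE_NAME = re.compile(r"[A-Za-z0-9-]+")


def environ_key(header_name):
    """CGI/WSGI convention: HTTP_ prefix, upper case, '-' becomes '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def is_unambiguous(header_name):
    """True when the name holds only letters, digits and hyphens."""
    return _SAFE_NAME.fullmatch(header_name) is not None


def build_environ(headers):
    """Map (name, value) pairs to environ keys, dropping ambiguous names.

    Assumed filter policy, for illustration. Returns (environ, dropped).
    """
    environ, dropped = {}, []
    for name, value in headers:
        if is_unambiguous(name):
            environ[environ_key(name)] = value
        else:
            dropped.append(name)
    return environ, dropped


def colliding_names(names):
    """Group header names that map to the same environ key."""
    groups = {}
    for name in names:
        groups.setdefault(environ_key(name), []).append(name)
    return {key: same for key, same in groups.items() if len(same) > 1}


if __name__ == "__main__":
    # Values are constructed placeholders, not real certificate data.
    sample = [(name, "constructed-value") for name in HEADERS_FROM_THREAD]
    environ, dropped = build_environ(sample)
    print("passed :", sorted(environ))
    print("dropped:", dropped)
    # Without the filter, these two distinct headers share one environ key.
    print(colliding_names(["X-SSL-CLIENT_S_DN", "X-SSL-CLIENT-S-DN"]))
```

The names that pass are the same three the post reports seeing in Flask; renaming a header with hyphens only, for example `X-SSL-CLIENT-S-DN`, keeps it within the accepted character set.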
