Webserver in question is...

/usr/sbin/apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Mar 10 2015 13:05:59

Portions of httpd.x.conf file...

SSLVerifyClient optional 
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData

SetEnvIf SSL_CLIENT_M_SERIAL "5174EAF60000000014E5" JK_REMOTE_USER=Rest

But the result of that in the mod_jk.log is...

[date and time junk] [debug] init_ws_service::mod_jk.c (1097): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=10.2.0.85 name=local.apiclient.com port=443 auth=(null) user=(null) laddr=10.2.1.173 raddr=10.2.0.85 uri=/the/thing/i/requested

(The problem is that "user" is set to null.) Now, if I want to just open the floodgates and let everybody into the rest service, I can do this in the httpd.x.conf file...

SetEnv JK_REMOTE_USER Rest

...in place of the SetEnvIf statement seen above, then mod_jk.log shows this...

[date and time junk] [debug] init_ws_service::mod_jk.c (1097): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=10.2.0.85 name=local.apiclient.com port=443 auth=(null) user=Rest laddr=10.2.1.173 raddr=10.2.0.85 uri=/the/thing/i/requested

Notice now "user=Rest" - that functions correctly. And the tomcat side (OK, JBoss... OK, actually WildFly... but really it's the same thing as tomcat) is indeed accepting the "user" as passed from apache, and granting the appropriate permissions.

The point is that even though ...my.local.domain/cgi-bin/printenv shows me that the apache environment knows a bunch of variables and values, including SSL_CLIENT_M_SERIAL = 5174EAF60000000014E5 ...it seems as though SetEnvIf itself is unable to ascertain the value of SSL_CLIENT_M_SERIAL, and based on its value, set other variables' values.

I would also be OK with configuring the rest service user ID to be the same as the value of one of the SSL_CLIENT variables. Like the email address, or the serial number. So if I could get any of the following to work...

SetEnv JK_REMOTE_USER SSL_CLIENT_M_SERIAL
SetEnv JK_REMOTE_USER %{SSL_CLIENT_M_SERIAL}x
SetEnv JK_REMOTE_USER "SSL_CLIENT_M_SERIAL"

...that would be great. I'm missing something simple, I'm sure.

And please, no PHP-specific answers. This is not a PHP environment at all. It's not even installed, and will not be.

TLDR: How to set JK_REMOTE_USER variable based on value of SSL_CLIENT_M_SERIAL?

kelvin0mql

1 Answer

I was never able to get SetEnvIf working with mod_ssl environment variables.

But it works with SetEnvIfExpr:

SetEnvIfExpr "%{SSL_CLIENT_M_SERIAL} == '5174EAF60000000014E5'" JK_REMOTE_USER=Rest


Just found out why in the code of mod_ssl:

/* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
 * run after mod_setenvif's post_read_request hook. */
Ghetolay
  • Searching for the module configurations for (or how to enable) SetEnvIfExpr. So far, I've found nothing. Is that a custom module that doesn't exist in the regular distribution of apache 2.4.7 @Ghetolay? – kelvin0mql Sep 05 '15 at 14:37
  • Belay that question... I did more hunting, and it appears that SetEnvIfExpr comes with apache 2.5. Since the original question is about apache 2.4.7, I must reject the answer. I am, however, going to upgrade a non-customer-facing test server to Apache http server 2.5 and see if I can get SetEnvIfExpr to do this particular trick for me... it may be that upgrading Apache is what we need. – kelvin0mql Sep 05 '15 at 15:03
  • `SetEnvIfExpr` is part of the same module as `SetEnvIf`, which is mod_setenvif. I don't have Apache 2.5; I'm on 2.4.10. Also, it's part of the 2.4 docs: http://httpd.apache.org/docs/2.4/mod/mod_setenvif.html. – Ghetolay Sep 05 '15 at 16:36
  • If you have a problem with `SetEnvIfExpr`, you could reach the same behavior with a combination of `RewriteCond` and `RewriteRule`; it will just be more verbose and maybe less optimal. – Ghetolay Sep 05 '15 at 16:42
  • Stackoverflow disallowing preformatted section of comment, suddenly. Grr. Anyway, tried that, verbatim (copy-n-paste). Failed. Syntax error on line 73 of /etc/apache2/test7.docrootsIN.d/httpd.XYZXYZ.conf: Invalid command 'SetEnvIfExpr', perhaps misspelled or defined by a module not included in the server configuration Action 'graceful' failed. The Apache error log may have more information. – kelvin0mql Sep 06 '15 at 19:32
  • I think we're stuck until I can set up a different environment with an apache later than 2.4.7. We have LOTS of SetEnvIf and they all work. But SetEnvIfExpr is somehow disallowed. – kelvin0mql Sep 06 '15 at 19:34
  • Shoot... just double-checked; **my** (Ubuntu) laptop has 2.4.7, the customer-facing test server is 2.2.22 Debian. Moving my experiment. – kelvin0mql Sep 06 '15 at 19:40
  • My apologies - I stand corrected. It does work **exactly** as @Ghetolay describes, in 2.4.7. Does not work in 2.2.22, and I had forgotten exactly where I had been experimenting before. Many thanks. – kelvin0mql Sep 06 '15 at 20:11
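
The configuration discussed in this thread, as an added example that is not code from the question, the answer or the Apache project: the non-matching `SetEnvIf` line beside a `SetEnvIfExpr` form that also checks verification status and issuer, plus the `mod_rewrite` variant mentioned in the comments. The issuer DN is a placeholder, and the extra `SSL_CLIENT_VERIFY` and `SSL_CLIENT_I_DN` conditions are assumptions about what a deployment would want, since a serial number is only unique within one issuing CA.

```apache
# Added example, not from the thread. Fragment for the SSL virtual host,
# Apache httpd 2.4.x with mod_ssl, mod_setenvif, mod_rewrite and mod_jk loaded.

SSLVerifyClient optional
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData

# Does not match (the question's symptom: user=(null) in mod_jk.log).
# SetEnvIf tests the request environment, and per the answer mod_ssl has
# not populated it yet when mod_setenvif runs.
#SetEnvIf SSL_CLIENT_M_SERIAL "5174EAF60000000014E5" JK_REMOTE_USER=Rest

# Option A: fixed user name for one specific certificate.
# SetEnvIfExpr evaluates the expression against mod_ssl directly.
# - SSL_CLIENT_VERIFY == 'SUCCESS' rejects requests that presented no
#   certificate (allowed by "SSLVerifyClient optional").
# - SSL_CLIENT_I_DN pins the issuer; the DN below is a PLACEHOLDER.
SetEnvIfExpr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' \
    && %{SSL_CLIENT_I_DN} == 'CN=EXAMPLE-ISSUING-CA-PLACEHOLDER' \
    && %{SSL_CLIENT_M_SERIAL} == '5174EAF60000000014E5'" JK_REMOTE_USER=Rest

# Option B (use instead of A, not together with it): pass the serial itself
# as the user name, the RewriteCond/RewriteRule route from the comments.
# %{SSL:...} is mod_rewrite's lookup syntax for mod_ssl variables.
#RewriteEngine On
#RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
#RewriteRule ^ - [E=JK_REMOTE_USER:%{SSL:SSL_CLIENT_M_SERIAL}]
```

With either option, the `user=` field in the mod_jk debug log line shown in the question is the place to confirm what was forwarded; requests without a matching certificate should still show `user=(null)`.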