httpd-users mailing list archives

From: Daniel Gruno <humbed...@apache.org>
Subject: Re: [users@httpd] filtering by IP SAN entries in the client certificate
Date: Wed, 15 Feb 2017 10:46:21 GMT

On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
> Hi,
> I have a requirement to check incoming requests, something that would be
> succinctly expressed this way:
> 
> <Location />
>     Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> </Location>
> 
> This would check that the request IP address is among the IP addresses
> in the client certificate.
> 
> Unfortunately, this doesn't work:
> 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
> mod_nss, which exports it
> 2. The expression evaluation engine doesn't know how to evaluate this
> kind of expression
> 3. I've tried using mod_lua for the expression, but it can't access this
> kind of environment variable (and the SSL-specific ones only if exposed by
> mod_ssl, not other modules, like mod_nss)

Have you tried using a rewriterule hack to pass the var?
RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]

that would expose it in mod_lua as r.subprocess_env['sanip'], provided
mod_nss actually exposes it.

> 
> I have run out of ideas on what to try.
> 
> Please help.
> 
> Thank you.
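
An added example, not part of the original message and not code from either poster: a mod_lua access-checker hook that consumes the `sanip` variable set by the RewriteRule suggested above and allows the request only when the client address equals one whole SAN IP entry. The script path, the function names and the assumption that mod_nss fills the variable with a comma-, semicolon- or whitespace-separated list of addresses are hypothetical.

```lua
-- san_ip_check.lua: added example, not from the thread.
-- Assumed httpd configuration (script path is hypothetical). The RewriteRule
-- sits at virtual-host level so it runs before access checking:
--   RewriteEngine On
--   RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]
--   LuaHookAccessChecker /etc/httpd/lua/san_ip_check.lua check_san_ip
-- Assumption: the variable holds one or more IP addresses separated by
-- commas, semicolons or whitespace.

-- Lower-case the address and drop an IPv4-mapped IPv6 prefix so that
-- both sides of the comparison use the same textual form.
local function normalize(ip)
  ip = ip:lower()
  return ip:match("^::ffff:(%d+%.%d+%.%d+%.%d+)$") or ip
end

-- True only when remote_ip equals one whole entry of san_list.
-- Substring matching would wrongly let 10.0.0.1 pass against 10.0.0.10.
local function ip_in_san(remote_ip, san_list)
  if not remote_ip or not san_list or san_list == "" then
    return false -- fail closed: no certificate data means no access
  end
  local wanted = normalize(remote_ip)
  for entry in san_list:gmatch("[^,;%s]+") do
    if normalize(entry) == wanted then
      return true
    end
  end
  return false
end

-- Hook entry point named in the LuaHookAccessChecker directive above.
function check_san_ip(r)
  local san = r.subprocess_env["sanip"]
  if ip_in_san(r.useragent_ip, san) then
    return apache2.OK
  end
  r:warn("client " .. tostring(r.useragent_ip) ..
         " is not in the certificate SAN IP list")
  return 403
end
```

A 403 for every request, with the warning in the error log, usually means `sanip` arrived empty, which is the "provided mod_nss actually exposes it" condition from the reply.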