01-15-2015, 07:23 AM   #1
d1s4st3r
[SOLVED] Apache: problem with RewriteRule on SSL_CLIENT_S_DN to extract e-mail address


Hello everyone,

I have the following problem:

I need my Apache web server to serve different paths depending on the SSL client certificate the user has in his browser.
Making it simple, when user John makes a request to "http://www.company.com/test_ssl", Apache should serve the contents of "/var/www/test_ssl/john"; when user Tom makes a request, Apache should serve the contents of "/var/www/test_ssl/tom"; and so on.

I (almost) managed to get this to work by using the following configuration:

Code:
SetEnv HTTPS on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/ssl/certs/TERENAPersonalCA.crt
SSLCACertificateFile /etc/ssl/certs/TERENAPersonalCA_bundle.pem

Alias /test_ssl /var/www/test_ssl
<Directory /var/www/test_ssl>
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCipherSuite ALL:!ADH:!EXP:!DES:RC4+RSA:+HIGH:+MEDIUM!SSLv2
    SSLOptions +StdEnvVars +ExportCertData
    SSLUsername SSL_CLIENT_S_DN

    RewriteEngine On
    RewriteBase /test_ssl

    RewriteCond %{SSL:SSL_CLIENT_S_DN}::%{REQUEST_URI} !^(.*)::/test_ssl/\1/(.*)
    RewriteRule ^(.*) %{SSL:SSL_CLIENT_S_DN}/$1 [L]
</Directory>

My problem is that I need to use, instead of the full value of the SSL_CLIENT_S_DN server variable, only the user's e-mail address as the personal folder (because the e-mail is the only unique value, even in the case of homonymy of two individuals), so I need my web server to serve stuff like "/var/www/test_ssl/john@company.com", "/var/www/test_ssl/tom@company.com", etc.
And... that e-mail address only appears inside the SSL_CLIENT_S_DN server variable, in this format:

Code:
unstructuredName=john@company.com,CN=John Black,O=COMPANY,C=COM

I tried to add/modify the RewriteRules like this:

Code:
    RewriteCond %{SSL:SSL_CLIENT_S_DN}::%{REQUEST_URI} !^(.*)::/test_ssl/\1/(.*)
    RewriteRule ^(.*) %{SSL:SSL_CLIENT_S_DN}/$1
    RewriteRule ^unstructuredName=(.*),CN - [E=email:$1]
    RewriteRule ^(.*)$ %{ENV:email} [L]

and I'm close to the solution, since the web server now gets the request to the right directory (which includes the e-mail), but the browser (Firefox) says:

Quote:
The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.

Seems to be a problem of internal redirection creating a loop... any hint?

Any help would be great! Thanks!!!

Last edited by d1s4st3r; 01-29-2015 at 05:18 AM. Reason: Problem solved! :P
 
01-29-2015, 05:01 AM   #2
d1s4st3r
Ok, I finally managed to solve the problem:

Code:
RewriteCond %{SSL:SSL_CLIENT_S_DN} ^unstructuredName=(.*)@company.com,CN
RewriteRule .* - [E=uid:%1]

RewriteCond %{REQUEST_URI} ^/
RewriteRule ^/(.*)$ /var/www/test_ssl/%{ENV:uid}/$1 [L]

This code must be *OUT* of any <Location> section, otherwise it won't work.

 
1 members found this post helpful.
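
Added example (not part of the thread, and not the poster's code): because the value captured from SSL_CLIENT_S_DN becomes a directory name, this Python sketch shows what the RewriteCond pattern from post #2 captures for several constructed DN strings, next to a stricter pattern that refuses anything that is not a single plain directory name. The `STRICT` pattern and the function names are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

BASE = PurePosixPath("/var/www/test_ssl")  # directory root used in the thread

# Pattern exactly as posted in #2; Python's re handles these constructs the
# same way as the PCRE engine behind RewriteCond.
POSTED = re.compile(r"^unstructuredName=(.*)@company.com,CN")

# Stricter pattern (an assumption, not from the thread): literal dots, and a
# local part limited to characters that form one safe directory name.
STRICT = re.compile(
    r"^unstructuredName=([A-Za-z0-9][A-Za-z0-9._-]*)@company\.com,CN="
)


def posted_uid(dn):
    """Value %1 would hold after the posted RewriteCond, or None if no match."""
    m = POSTED.search(dn)
    return m.group(1) if m else None


def user_dir(dn):
    """Per-user directory for a DN, or None when the DN should be refused."""
    m = STRICT.search(dn)
    return str(BASE / m.group(1)) if m else None


# Constructed DN strings in the format shown in post #1.
SAMPLES = [
    "unstructuredName=john@company.com,CN=John Black,O=COMPANY,C=COM",
    # unescaped "." in the posted pattern also matches other characters
    "unstructuredName=john@companyXcom,CN=John Black,O=COMPANY,C=COM",
    # greedy (.*) runs to the last "@company.com,CN" in the string
    "unstructuredName=a@company.com,CN=b@company.com,CN=x,O=COMPANY,C=COM",
    # captured value is not limited to a single path component
    "unstructuredName=../tom@company.com,CN=John Black,O=COMPANY,C=COM",
    # no unstructuredName attribute at all: nothing is captured
    "CN=John Black,O=COMPANY,C=COM",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(dn)
        print(f"  posted %1  = {posted_uid(dn)!r}")
        print(f"  strict dir = {user_dir(dn)!r}")
```

In the Apache configuration the same idea means escaping the dots, replacing `(.*)` with a restricted character class, and refusing the request when the condition does not match.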
  

