apachetomcatsetenvsetenvif

Use SetEnvIf To Change A Variable Based Upon SSL_CLIENT_M_SERIAL Value


Webserver in question is...

/usr/sbin/apache2 -v
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Mar 10 2015 13:05:59

Portions of httpd.x.conf file...

SSLVerifyClient optional 
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData

SetEnvIf SSL_CLIENT_M_SERIAL "5174EAF60000000014E5" JK_REMOTE_USER=Rest

But the result of that in the mod_jk.log is...

[date and time junk] [debug] init_ws_service::mod_jk.c (1097): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=10.2.0.85 name=local.apiclient.com port=443 auth=(null) user=(null) laddr=10.2.1.173 raddr=10.2.0.85 uri=/the/thing/i/requested

(The problem is that "user" is set to null.) Now, if I want to just open the floodgates and let everybody into the rest service, I can do this in the httpd.x.conf file...

SetEnv JK_REMOTE_USER Rest

...in place of the SetEnvIf statement seen above, then mod_jk.log shows this...

[date and time junk] [debug] init_ws_service::mod_jk.c (1097): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=10.2.0.85 name=local.apiclient.com port=443 auth=(null) user=Rest laddr=10.2.1.173 raddr=10.2.0.85 uri=/the/thing/i/requested

Notice now "user=Rest" - that functions correctly. And the tomcat side (OK, JBoss... OK, actually WildFly... but really it's the same thing as tomcat) is indeed accepting the "user" as passed from apache, and granting the appropriate permissions.

The point is that even though ...my.local.domain/cgi-bin/printenv shows me that the apache environment knows a bunch of variables and values, including SSL_CLIENT_M_SERIAL = 5174EAF60000000014E5 ...it seems as though SetEnvIf itself is unable to ascertain the value of SSL_CLIENT_M_SERIAL, and based on its value, set other variables' values.

I would also be OK with configuring the rest service user ID to be the same as the value of one of the SSL_CLIENT variables. Like the email address, or the serial number. So if I could get any of the following to work...

SetEnv JK_REMOTE_USER SSL_CLIENT_M_SERIAL
SetEnv JK_REMOTE_USER %{SSL_CLIENT_M_SERIAL}x
SetEnv JK_REMOTE_USER "SSL_CLIENT_M_SERIAL"

...that would be great. I'm missing something simple, I'm sure.

And please, no PHP-specific answers. This is not a PHP environment at all. It's not even installed, and will not be.

TLDR: How to set JK_REMOTE_USER variable based on value of SSL_CLIENT_M_SERIAL?


Solution

  • I was never able to get SetEnvIf working with mod_ssl environment variables.

    But it works with SetEnvIfExpr :

    SetEnvIfExpr "%{SSL_CLIENT_M_SERIAL} == '5174EAF60000000014E5'" JK_REMOTE_USER=Rest


    Just found out why on the code of mod_ssl :

    /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
     * run after mod_setenvif's post_read_request hook. */