DevHeads.net

Postings by Andrei Ivanov

'require' directive result

Hi,
Now that I've managed to configure my 'require' directive, I have a
requirement to log some details to syslog in case the request is not
authorized.

<Location />
Require expr "<some expression>"
// if expression is false, log details about the request and maybe
the SSL certificate to syslog
</Location>

I've searched around, but I can't find how I could do that.

Please help.

Thank you

filtering by IP SAN entries in the client certificate

Hi,
I have a requirement to check incoming requests, something that would
be succinctly
expressed this way:

<Location />
Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
</Location>

This would check that the request IP address is among the IP addresses in
the client certificate.

Unfortunately, this doesn't work:
1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
mod_nss, which exports it
2. The expression evaluation engine doesn't know how to evaluate this kind
of expression
3.

mod_lua and subprocess_env

Hi,
I'm trying to create a lua authorization script but I can't seem to access
the request environment:

require 'apache2'

function authz_check_remote_ip_in_client_san(r)
r:err("remote_ip_in_client_san running...");
r:alert("uri: " .. r.uri);
r:alert("useragent_ip: " .. r.useragent_ip);
local ip = r.subprocess_env["REMOTE_ADDRESS"];
r:crit("REMOTE_ADDRESS: " ..

SSL_CLIENT_SAN IP addr validation

Hi,
I'm trying to validate incoming requests by comparing the request IP to the
IP addresses provided in the client certificate subjectAltName.

Searching around, I found
<a href="http://wiki.cacert.org/ApacheServerClientCertificateAuthentication" title="http://wiki.cacert.org/ApacheServerClientCertificateAuthentication">http://wiki.cacert.org/ApacheServerClientCertificateAuthentication</a>, which
gives an example using the email address:

SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ or
%{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ or
%{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ or
%{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\