The configuration of Apache web server for x509 based authentication
The application consists of three pieces: a frontend https server, a backend http server and the CherryPy application. The frontend https server runs on the machine yuan.ucsd.edu and forwards the http requests to the backend http server, which is located on the machine submit-3.ucsd.edu and also hosts the CherryPy application. For security it would be better to let the second machine accept forwarded http requests only from the first one, but since multiple applications are running on the second machine for testing, this restriction is not yet implemented.
The "directory" structure of the CherryPy application is <base_URL> followed by /upload, /registration, ... according to the function. The frontend and backend http servers are configured consistently with the CherryPy application.
Some work has been carried out to tune the Apache configuration so that the backend http server can be removed and the frontend https server talks directly to the CherryPy application. An earlier test showed a problem in hiding the CherryPy URL from the frontend without the backend http server.
- Frontend Http Server Configuration
An https server is used for x509 authentication. Currently it is running on ... The user DN and a few other pieces of information are put into the headers of the http request. The http request is forwarded to the backend http server. The configuration files of Apache and ssl are attached:
httpd.conf and
ssl.conf
# Frontend: require a verified client certificate, copy the certificate
# details into request headers, then proxy the request to the backend.
<Directory /var/www/html/production_request>
RewriteEngine on
SSLRequireSSL
SSLVerifyDepth 3
SSLVerifyClient require
SSLOptions +StdEnvVars +StrictRequire +CompatEnvVars +ExportCertData
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
Options +FollowSymlinks
# These headers are the identity the backend and the CherryPy application see;
# they are only meaningful if the backend accepts requests from this frontend alone.
RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e
RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
RequestHeader set SSL_CLIENT_VERIFY %{SSL_CLIENT_VERIFY}e
RequestHeader set HTTPS %{HTTPS}e
RewriteRule ^(.*) http://submit-3.t2.ucsd.edu/production_request/$1 [proxy]
</Directory>
# Verbose rewrite logging for debugging the proxy rules
RewriteLog "/etc/httpd/logs/rewrite.log"
RewriteLogLevel 10
A simple CGI script can be used to test the x509 authentication; it prints out the environment variables:
#!/usr/bin/perl
# Dump every CGI environment variable so the forwarded SSL_* headers can be inspected.
print "Content-type: text/html\n\n";
print "<tt>\n";
foreach my $key (sort keys(%ENV)) {
    print "$key = $ENV{$key}<p>";
}
print "</tt>\n";
To put this test script into effect, add a new test directory "ssltest" on the frontend and configure it with the same authentication. The output of the CGI will include HTTP_SSL_CLIENT_S_DN and HTTP_SSL_CLIENT_VERIFY.
# Test directory: same client-certificate requirements as production_request,
# but the request is served locally by the CGI script instead of being proxied.
<Directory "/var/www/html/ssltest">
SSLRequireSSL
SSLVerifyDepth 3
SSLVerifyClient require
SSLOptions +StdEnvVars +StrictRequire +CompatEnvVars +ExportCertData
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
Options +FollowSymlinks
RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e
RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
RequestHeader set SSL_CLIENT_VERIFY %{SSL_CLIENT_VERIFY}e
RequestHeader set HTTPS %{HTTPS}e
RewriteEngine on
# Note: a RewriteCond only applies to the RewriteRule that follows it; with no
# RewriteRule in this block the two conditions below have no effect on their own.
RewriteCond %{SSL:SSL_CLIENT_VERIFY} (SUCCESS)
RewriteCond %{SSL:HTTPS} =on
# Only the script named "testme" is executed as CGI
<FilesMatch "^testme$">
Options +ExecCGI
SetHandler cgi-script
</FilesMatch>
</Directory>
- Backend Http Server Configuration
The backend works as a proxy and forwards the http requests from the frontend to the CherryPy application, which listens on port 8080.
# Backend: forward everything under production_request to the CherryPy application
<Directory "/var/www/html/production_request">
RewriteEngine on
RewriteRule ^(.*) http://submit-3.t2.ucsd.edu:8080/$1 [proxy]
</Directory>
The CherryPy application checks the user against the databases, handles registration, starts the production, ...
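As an added example (not code from this page or the project), a check the CherryPy application could apply before trusting the forwarded identity headers, since the page notes the backend does not yet restrict who may reach it. It assumes the frontend's address (a constructed placeholder here), a dict of request headers and the peer address obtained from the framework (in CherryPy, cherrypy.request.headers and cherrypy.request.remote.ip), and the slash-separated DN format Apache emitted in SSL_CLIENT_S_DN at the time.

```python
TRUSTED_PROXIES = {"198.51.100.10"}  # constructed placeholder address for the frontend


class AuthError(Exception):
    """Raised when the forwarded identity cannot be trusted."""


def parse_dn(dn):
    """Split a legacy OpenSSL-style DN ('/DC=org/OU=People/CN=Name', the form
    Apache put into SSL_CLIENT_S_DN at the time of this page) into an
    ordered list of (attribute, value) pairs."""
    if not dn.startswith("/"):
        raise AuthError("unexpected DN format: %r" % dn)
    pairs = []
    for rdn in dn.split("/")[1:]:
        if "=" not in rdn:
            raise AuthError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def authenticate(headers, remote_addr):
    """Return the client DN if the identity headers set by the frontend can be
    trusted; raise AuthError otherwise.  headers: request headers as a dict."""
    # Only the frontend may assert an identity.  Anything else that reaches the
    # backend port directly could set these headers itself, which is the gap
    # the page says is not yet closed on the second machine.
    if remote_addr not in TRUSTED_PROXIES:
        raise AuthError("identity headers from untrusted peer %s" % remote_addr)
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("https") != "on":
        raise AuthError("request did not reach the frontend over TLS")
    if h.get("ssl_client_verify") != "SUCCESS":
        raise AuthError("client certificate not verified: %r" % h.get("ssl_client_verify"))
    dn = h.get("ssl_client_s_dn", "")
    if not any(attr == "CN" for attr, _ in parse_dn(dn)):
        raise AuthError("DN carries no CN: %r" % dn)
    return dn


if __name__ == "__main__":
    # Constructed sample of what the backend receives from the frontend.
    sample = {"SSL_CLIENT_VERIFY": "SUCCESS", "HTTPS": "on",
              "SSL_CLIENT_S_DN": "/DC=org/DC=example/OU=People/CN=Example User"}
    print(authenticate(sample, "198.51.100.10"))
```

The returned DN is then the key for the database lookup the application performs; a rejected request should be logged with the peer address, since a forged header arriving from anywhere but the frontend is a sign the backend port is reachable directly.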
--
HaifengPi - 02 Sep 2008