Setup Zope behind Apache with SSL

Accessing CGI environment variables created by mod_ssl from within Plone

This way you will get HTTP_SSL_CLIENT_VERIFY, HTTP_SSL_CLIENT_S_DN_CN and HTTP_SSL_CLIENT_S_DN_Email environment variables in the request object.

Posted by mustapha

Problem:

You need to set up Zope behind Apache with SSL, and you need to access some or all of the CGI environment variables set by mod_ssl from within Plone. How do you do it?

Setting up Zope behind Apache with SSL is not the hard part, but I'll give an example of an Apache VirtualHost with SSL anyway.

Apache doesn't forward the mod_ssl CGI environment variables to Zope. Why? Because Zope itself has no SSL support.

When you set up Apache with SSL as a proxy for your Plone site, Apache receives HTTPS requests from the outside but sends plain HTTP requests to Zope. That's why the SSL headers never reach the proxied Plone site.

Certificates:

How to generate your certificate authority, the server certificate and a client certificate to test the setup is out of the scope of this post. Here are two links where you can get help with that; just copy/paste the commands if you don't understand them. At the end you will have all the certificates:

Apache VirtualHost:

Here is an example of a VirtualHost with SSL:

<VirtualHost *:443>
  ServerName my.server.com
  <LocationMatch "^[^/]">
      Deny from all
  </LocationMatch>

  SSLEngine on
  SSLCipherSuite HIGH:MEDIUM
  SSLProtocol all -SSLv2
  SSLCertificateFile       /etc/apache2/conf.d/server.cert
  SSLCertificateKeyFile    /etc/apache2/conf.d/server.key
  SSLCertificateChainFile  /etc/apache2/conf.d/authority.crt
  SSLCACertificateFile     /etc/apache2/conf.d/authority.crt

  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLOptions +stdEnvVars

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown 

  RewriteEngine on
  RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/my.server.com:443/site1/VirtualHostRoot/$1 [P,L]
</VirtualHost>

The most important line for our problem is SSLOptions +stdEnvVars. This mod_ssl directive creates the standard set of SSL-related CGI/SSI environment variables. Now, how do we forward these variables over HTTP to Zope?

Forwarding the SSL variables:

1. The mod_headers way:

The easiest way, though neither flexible nor secure, is to use mod_headers directives.
Make sure mod_headers is loaded, i.e. that you have a line like this in your httpd.conf:

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

Now, just forward all the variables you need:

<VirtualHost *:443>
  ServerName my.server.com
  <LocationMatch "^[^/]">
      Deny from all
  </LocationMatch>

  SSLEngine on
  SSLCipherSuite HIGH:MEDIUM
  SSLProtocol all -SSLv2
  SSLCertificateFile       /etc/apache2/conf.d/server.cert
  SSLCertificateKeyFile    /etc/apache2/conf.d/server.key
  SSLCertificateChainFile  /etc/apache2/conf.d/authority.crt
  SSLCACertificateFile     /etc/apache2/conf.d/authority.crt
  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLOptions +stdEnvVars

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown 
  RequestHeader set SSL_CLIENT_VERIFY %{SSL_CLIENT_VERIFY}e
  RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
  RequestHeader set SSL_CLIENT_S_DN_Email %{SSL_CLIENT_S_DN_Email}e

  RewriteEngine on
  RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/my.server.com:443/site1/VirtualHostRoot/$1 [P,L]

</VirtualHost>
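As an added example (not from the original post), here is how Zope-side code should treat the values forwarded by the mod_headers way: nothing stops a client that can reach port 8080 directly from sending its own SSL_CLIENT_* request headers, so the code below trusts them only when the request came from the Apache proxy and mod_ssl reported a successful verification. The environ dicts are constructed samples; in Zope the same keys would come from the request object (request.environ is assumed).

```python
# Added example, not part of the original post or of Zope/Plone.
# Apache turns "RequestHeader set SSL_CLIENT_VERIFY ..." into the CGI
# variable HTTP_SSL_CLIENT_VERIFY (and likewise for the other two) on the Zope side.

TRUSTED_PROXIES = {"127.0.0.1"}  # only the Apache SSL proxy may set these headers


def client_identity(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return (cn, email) for a client that presented a valid certificate, else None.

    The forwarded values are only trusted when the request arrived from the
    SSL-terminating proxy AND mod_ssl reported SSL_CLIENT_VERIFY=SUCCESS.
    """
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        # Anything that reaches Zope directly can forge these headers.
        return None
    if environ.get("HTTP_SSL_CLIENT_VERIFY") != "SUCCESS":
        # "NONE" (no cert sent, SSLVerifyClient optional), "FAILED:..." or absent.
        return None
    cn = environ.get("HTTP_SSL_CLIENT_S_DN_CN", "")
    email = environ.get("HTTP_SSL_CLIENT_S_DN_Email", "")
    # mod_headers may expand an unset variable to the literal string "(null)".
    if cn in ("", "(null)"):
        return None
    if email == "(null)":
        email = ""
    return cn, email


# Constructed sample requests (hypothetical values):
GOOD = {"REMOTE_ADDR": "127.0.0.1", "HTTP_SSL_CLIENT_VERIFY": "SUCCESS",
        "HTTP_SSL_CLIENT_S_DN_CN": "alice",
        "HTTP_SSL_CLIENT_S_DN_Email": "alice@example.org"}
NO_CERT = {"REMOTE_ADDR": "127.0.0.1", "HTTP_SSL_CLIENT_VERIFY": "NONE",
           "HTTP_SSL_CLIENT_S_DN_CN": "(null)",
           "HTTP_SSL_CLIENT_S_DN_Email": "(null)"}
DIRECT = {"REMOTE_ADDR": "10.0.0.5", "HTTP_SSL_CLIENT_VERIFY": "SUCCESS",
          "HTTP_SSL_CLIENT_S_DN_CN": "admin",
          "HTTP_SSL_CLIENT_S_DN_Email": "admin@example.org"}

if __name__ == "__main__":
    for name, env in (("GOOD", GOOD), ("NO_CERT", NO_CERT), ("DIRECT", DIRECT)):
        print(name, "->", client_identity(env))
```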