[mod_gnutls-devel] passing the identity to a backend process

Thomas Klute thomas2.klute at uni-dortmund.de
Sun May 15 12:52:56 CEST 2016

Am 13.05.2016 um 04:28 schrieb Ramkumar Chinchani:
> Here is my use case (not necessarily specific to mod_gnutls):
> TLS termination is handled by mod_gnutls
> However, apache is also acting as a reverse proxy and it is required
> to communicate the authenticated identity to a backend process.
> What are my options?

I assume that you want to use TLS client authentication. The easiest way
is probably to use the SSL_* environment variables (see the "Environment
Variables" section in the manual), which pass various bits of
information on the TLS connection. A remote application can't directly
access the environment, but you could use mod_headers and the
RequestHeader directive [1] to pass the data you need (e.g. the DN of a
client certificate) in a custom header.

If you have a working config, I'd be interested in adding an example to
the manual. ;-)


[1] https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader

More information about the mod_gnutls-devel mailing list