Get and send client cert header

1. Caddy version (caddy version):

Caddy v2 / Debian package

2. How I run Caddy:

caddy run + json file

a. System environment:

Linux Debian

b. Command:

caddy run
curl localhost:2019/load -X POST -H "Content-Type: application/json" -d @nagios_formated.json 

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "logs": {
            "logger_names": {
              "caddy.test.local": "log0"
            }
          },
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "upstreams": [
                            {
                              "dial": "10.13.102.50:80"
                            }
                          ],
                          "headers": {
                            "request": {
                              "add": {
                                "CENTREON": ["{SSL_CLIENT_SAN_Email_0}"]
                              }
                            }
                          }
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "caddy.test.local"
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "tls_connection_policies": [
            {
              "certificate_selection": {
                "any_tag": [
                  "cert0"
                ]
              },
              "client_authentication": {
                "mode": "require_and_verify",
                "trusted_ca_certs": [
                  "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"
                ]
              },
              "match": {
                "sni": [
                  "caddy.test.local"
                ]
              },
              "protocol_min": "tls1.2"
            },
            {}
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/caddy/ssl/caddy_test.local.cer",
            "key": "/etc/caddy/ssl/caddy_test.local.key",
            "tags": [
              "cert0"
            ]
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "exclude": [
          "http.log.access.log0"
        ],
        "level": "DEBUG"
      },
      "log0": {
        "include": [
          "http.log.access.log0"
        ],
        "level": "DEBUG",
        "writer": {
          "filename": "/var/log/access.log",
          "output": "file"
        }
      }
    }
  }
}

CENTREON:[{SSL_CLIENT_SAN_Email_0}]

3. The problem I’m having:

Hi,

I’m setting up a reverse proxy to access an application. I want to control access with client certs on the Caddy reverse proxy (working).

Now I want to pass some variable to my upstream server: I need to read {SSL_CLIENT_SAN_Email_0} from my client cert and send it to my server.

4. Error messages and/or full log output:

No error, phpinfo displays a null value:

 $_SERVER['HTTP_CENTREON'] *no value*

5. What I already tried:

Tried different values:

  • CENTREON:[{SSL_CLIENT_SAN_Email_0}]
  • CENTREON:[{env.SSL_CLIENT_SAN_Email_0}]

Same thing.

If I put a mail hardcoded, it is working, PHP is receiving the correct value:

Does someone have an idea on how to set it up?

Thanks in advance
Juju

That doesn’t look like valid JSON. Could you try posting again with code block formatting? Put ``` on the lines before and after your JSON.

You also skipped filling out the thread template, this makes it harder for us to help.

Hi Francis,

Sorry, I’ve just edited my previous post.

Julien

And this is my Apache reverse proxy config that is working:

[...]
  SSLVerifyClient require
  SSLVerifyDepth 3

  RequestHeader set CENTREON "%{SSL_CLIENT_SAN_Email_0}s"

[...]

Another approach would be to send all SSL headers, I don’t know if there is an option for that?

Juju

So I’m not certain how that works in Apache, but it’s either an environment variable that you set up beforehand, in which case you should use the {env.*} placeholder, see the docs here:

Or it’s a special placeholder that’s filled on-the-fly by Apache based on the client certificate provided.

Caddy has some placeholders you can use for client certificates, listed here, but I don’t know if it’ll be what you need:

I don’t think we have placeholders for the client cert SANs yet, but that could be a feature request!

Edit: now we do:


Hi Matt,

Maybe I’m missing something but I can’t get any of the new placeholders:

What I’ve done:

git clone https://github.com/caddyserver/caddy.git caddy_git
cd caddy_git/cmd/caddy/
go build

./caddy version
(devel)

Resent my JSON file, just changed the line according to the commit:

"CENTREON":["{http.request.tls.client.san.emails.0}"],
"SUBJECT":["{http.request.tls.client.subject}"]

CENTREON is still empty
SUBJECT returns the correct value

Thanks,
Julien

OK, this is finally working,
I’ve restarted all processes and I can now get my SAN email.

Thanks for your help!
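An added audit script, not part of the thread and not Caddy's own tooling, that walks a config of the shape posted above and reports the two things a reviewer would check: the Apache-style placeholder name that Caddy leaves empty (the thread's actual problem), and two points the thread does not discuss, namely that `add` leaves a client-sent CENTREON header next to the proxy's value where `set` would overwrite it, and that the catch-all `{}` TLS policy has no client authentication. The CA blob is replaced by a labelled placeholder and the config is a condensed, constructed copy.

```python
import json

# Constructed example, condensed from the shape of the config posted in the thread;
# the CA blob is replaced by a labelled placeholder.
CONFIG = json.loads("""
{"apps": {"http": {"servers": {"srv0": {
  "routes": [{"handle": [{"handler": "subroute", "routes": [{"handle": [
    {"handler": "reverse_proxy",
     "upstreams": [{"dial": "10.13.102.50:80"}],
     "headers": {"request": {"add": {
       "CENTREON": ["{SSL_CLIENT_SAN_Email_0}"]}}}}]}]}]}],
  "tls_connection_policies": [
    {"client_authentication": {"mode": "require_and_verify",
     "trusted_ca_certs": ["<ca-cert-placeholder>"]},
     "match": {"sni": ["caddy.test.local"]}},
    {}]}}}}}
""")
# Placeholder that worked at the end of the thread.
CADDY_EMAIL = "{http.request.tls.client.san.emails.0}"

def handlers(routes):
    """Yield every handler dict, descending into subroutes."""
    for route in routes:
        for h in route.get("handle", []):
            yield h
            if h.get("handler") == "subroute":
                yield from handlers(h.get("routes", []))

def audit(config):
    """Return findings about headers that carry identity taken from the client cert."""
    out = []
    for name, srv in config["apps"]["http"]["servers"].items():
        for h in handlers(srv.get("routes", [])):
            if h.get("handler") != "reverse_proxy":
                continue
            req = h.get("headers", {}).get("request", {})
            for op in ("add", "set"):
                for hdr, vals in req.get(op, {}).items():
                    for v in vals:
                        if v.startswith("{SSL_CLIENT"):
                            out.append(f"{name}/{hdr}: {v} is an Apache name, not a Caddy placeholder; use {CADDY_EMAIL}")
                        if op == "add" and ("SSL_CLIENT" in v or "tls.client" in v):
                            out.append(f"{name}/{hdr}: 'add' keeps a client-sent {hdr} next to the proxy value; use 'set'")
        # Any policy without mandatory client auth can match a connection that never presented a cert.
        for i, pol in enumerate(srv.get("tls_connection_policies", [])):
            mode = pol.get("client_authentication", {}).get("mode")
            if mode != "require_and_verify":
                out.append(f"{name}/policy {i}: client auth mode is {mode!r}; identity headers are untrusted on connections it matches")
    return out
```

Running `audit(CONFIG)` on the posted shape yields three findings; a config using `set` with the Caddy placeholder and only `require_and_verify` policies yields none.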
