Get and send clients certs header

1. Caddy version (caddy version):

Caddy v2 / Debian package

2. How I run Caddy:

caddy run + json file

a. System environment:

Linux Debian

b. Command:

caddy run
curl localhost:2019/load -X POST -H "Content-Type: application/json" -d @nagios_formated.json 

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "logs": {
            "logger_names": {
              "caddy.test.local": "log0"
            }
          },
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "upstreams": [
                            {
                              "dial": "10.13.102.50:80"
                            }
                          ],
			  "headers": {
				  "request": {
					 "add": {
						 "CENTREON":["{SSL_CLIENT_SAN_Email_0}"]
					 }

				  }
			  }
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "caddy.test.local"
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "tls_connection_policies": [
            {
              "certificate_selection": {
                "any_tag": [
                  "cert0"
                ]
              },
              "client_authentication": {
                "mode": "require_and_verify",
                "trusted_ca_certs": [
                  "MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7cJpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYPmDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRCdWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTffwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cmNW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPxH2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g=="
                ]
              },
              "match": {
                "sni": [
                  "caddy.test.local"
                ]
              },
              "protocol_min": "tls1.2"
            },
            {}
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/caddy/ssl/caddy_test.local.cer",
            "key": "/etc/caddy/ssl/caddy_test.local.key",
            "tags": [
              "cert0"
            ]
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "exclude": [
          "http.log.access.log0"
        ],
	"level":"DEBUG"
      },
      "log0": {
        "include": [
          "http.log.access.log0"
        ],
	"level":"DEBUG",
        "writer": {
          "filename": "/var/log/access.log",
          "output": "file"
	}
      }
    }
  }
}

CENTREON:[{SSL_CLIENT_SAN_Email_0}]

3. The problem I’m having:

Hi,

I’m setting up a reverse proxy to acces an application. I want ton control acces with client certs on the caddy revese proxy (working)

Now I want to pass some variable to my upstream server : In need to read the {SSL_CLIENT_SAN_Email_0}" from my client cert and send it to my server.

4. Error messages and/or full log output:

No error, phpinfo display a null value :

 $_SERVER['HTTP_CENTREON'] *no value*

5. What I already tried:

Tried different values :

  • CENTREON:[{SSL_CLIENT_SAN_Email_0}]
  • CENTREON:[{env.SSL_CLIENT_SAN_Email_0}]

Same thing.

If I put a mail hardcoded, it is working, php is receiving the correct value :

Dis someone have an idea on how to set it up ?

Thanks in advance
Juju

That doesn’t look like valid JSON. Could you try posting again with code block formatting? Put ``` on the lines before and after your JSON.

You also skipped filling out the thread template, this makes it harder for us to help.

Hi Francis,

Sorry, I’ve jut edit my previous post.

Julien

And this is my apache reverse proxy config that is working :

[...]
  SSLVerifyClient require
  SSLVerifyDepth 3

  RequestHeader set CENTREON "%{SSL_CLIENT_SAN_Email_0}s"

[...]

Another approach will be to send all SSL headers, I don’t know if there is an option for that ?

Juju

So I’m not certain how that works in Apache, but it’s either an environment variable that you set up beforehand, in which case you should use the {env.*} placeholder, see the docs here:

Or it’s a special placeholder that’s filled on-the-fly by Apache based on the client certificate provided.

Caddy has some placeholders you can use for client certificates, listed here, but I don’t know if it’ll be what you need:

I don’t think we have placeholders for the client cert SANs yet, but that could be a feature request!

Edit: now we do:

1 Like

Hi Matt,

Maybe I’m missing something but I can’t get any off the new placeholders :

What I’ve do :

git clone https://github.com/caddyserver/caddy.git caddy_git
cd caddy_git/cmd/caddy/
go build

./caddy version
(devel)

Resend my json file, just change the line according to the commit :

“CENTREON”:["{http.request.tls.client.san.emails.0}"],
“SUBJECT”:["{http.request.tls.client.subject}"]

CENTREON is still empty
SUBJECT return the correct value

Thanks,
Julien

OK, this is finaly working,
I’ve restart all processes and I can now get my SAN email .

Thanks for your help !

2 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.