Closed 0x646f6d closed 1 month ago
Adding some standard headers for the application behind the proxy is practical indeed; just leaving some notes here for further processing on our end.
Removing the header should probably use (https://httpd.apache.org/docs/2.4/mod/mod_headers.html):
RequestHeader unset XXXX
It's probably a good idea as well to check RFCs for naming, e.g. sending the client IP is standardized in RFC 7239 (https://datatracker.ietf.org/doc/html/rfc7239). I wouldn't be surprised if the same is the case for sending TLS attributes to the server (at least they should all start with X- to make their origin explicit).
@0x646f6d I have an update available offering a PassTLSHeaders option in locations. I don't want to change any defaults, but this should offer what you need. If you want to test this before release, just drop an email to support at opnsense dot com referring to this ticket.
Your update seems to work fine, thanks a lot! But I stumbled over a problem: underscores are obviously not standard or common for HTTP headers; nginx just drops them. I couldn't find good resources, but the problem has already arisen:
Yes, there are workarounds, but I think it should be done right in the first place. I adjusted the Apache conf by hand and replaced the _ with -: it works fluently!
Just for your information (I know I am late with that, but I am pretty busy...): I previously used the nginx plugin of OPNsense. This plugin attaches the headers by default and names them:
...but I don't know if they are standardized or not.
@0x646f6d I couldn't find formalized headers, but I also don't mind replacing the underscores and changing the help text. To keep these more or less consistent with upstream documentation I prefer to leave the names as they are to avoid confusion (X-Tls-Cipher isn't a standard as far as I could find).
@0x646f6d I've updated the software on our end, if you would like an updated version, just let me know and I'll send you a new link.
Is your feature request related to a problem? Please describe. The remote destination needs information about the client certificate (SSL_CLIENT_S_DN, SSL_CLIENT_I_DN) used for the mTLS communication for authorisation. This should be provided if client certificate authentication is activated.
Describe the solution you'd like If client certificate authentication is activated, the following lines should be appended to Apache's configuration:
Describe alternatives you've considered None. This is also the behaviour of the nginx plugin and can be used as a default option.
Additional context Resources:
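The configuration this request asks for, combined with the "RequestHeader unset" point raised earlier in the thread, as an added example. This is not the plugin's generated configuration and not the lines the issue author had in mind; the X-SSL-Client-* header names, the certificate paths, the server name and the backend address are assumptions.

```apache
# Added example (not the OPNsense plugin's own output). Forwards attributes of
# the verified client certificate to the backend as request headers.
# Assumed: header names X-SSL-Client-*, file paths, ServerName, backend URL.
<VirtualHost *:443>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/ssl/proxy.crt
    SSLCertificateKeyFile /usr/local/etc/ssl/proxy.key
    # CA that issued the client certificates; "require" rejects the
    # handshake when no valid client certificate is presented.
    SSLCACertificateFile  /usr/local/etc/ssl/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    <Location />
        # 1. Drop any copies the client sent itself. mod_headers applies
        #    directives in configuration order, so this runs before the
        #    "set" lines below. A caller who reaches the proxy must never be
        #    able to hand an arbitrary DN to the backend, and an explicit
        #    unset also covers the case where a header is only set
        #    conditionally (e.g. with SSLVerifyClient optional).
        RequestHeader unset X-SSL-Client-Verify
        RequestHeader unset X-SSL-Client-S-DN
        RequestHeader unset X-SSL-Client-I-DN
        RequestHeader unset X-SSL-Client-Serial

        # 2. Set them from the verified TLS session. %{VAR}s reads the
        #    mod_ssl variable directly. Names use hyphens, not underscores:
        #    nginx (underscores_in_headers off by default) and other
        #    backends silently discard underscore header names.
        RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
        RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
        RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
        RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"

        ProxyPass        http://10.0.0.10:8080/
        ProxyPassReverse http://10.0.0.10:8080/
    </Location>
</VirtualHost>
```

Two caveats a practitioner would want: "RequestHeader set" already replaces an existing header of the same name, so the unset lines matter most for headers that are not set on every request, but keeping them explicit makes the intent reviewable. And the backend must only trust these headers on connections that originate from the proxy (firewall the backend so nothing else can reach port 8080), because anyone able to talk to the backend directly can supply them.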