Ssl – Apache SERVER variable set up SSL_CLIENT_VERIFY

apache-2.2ssl

I have fresh installed WHM/cPanel and my scripts requires SSL_CLIENT_VERIFY variable, which is not on my current $_SERVER variable list. How can I have this variable set in the CGI script's environment?

Best Answer

This is a CGI variable which apache (or nginx or whatever https server) will set when a client connects with a client SSL certificate.

For it to be set ever, the web server needs to request and accept client certificates. In apache, you can do this by adding the SSLVerifyClient directive to your configuration (do this in the virtual host configuration for the vhost which will be running your script). This variable should be set as long as SSLVerifyClient is set to something other than none, but its contents are not terribly useful unless it is optional_no_ca or optional (as require implies that the certificate is valid if the connection was allowed).

You may also want to specify a CA certificate against which certificates are to be validated (this is the CA certificate which will act as a trust root for your client certificates, and probably directly sign them). For this, specify the SSLCACertificateFile or SSLCACertificatePath directive.

Keep in mind that after changing this configuration you will have to reload your apache configuration.

To test, browse to the site with a browser containing a client certificate, and try presenting the certificate or not. In both cases, the variable should be set. However, if you are not asked for a client certificate, the variable will be unset and you can also infer that the configuration directive didn't take effect (double-check your configuration; the directive should be in the same scope as SSLEngine On and can only be usefully specified where SSLEngine On is set).

Related Solutions

Conditionally set an Apache environment variable

So it appears it isn't possible to reassign an environment variable. But you can test if the variable is set, if not, set it to the default value.

SetEnvIfNoCase Host            ^hr\.         REQUEST_TYPE=2
SetEnvIfNoCase Host            ^finance\.    REQUEST_TYPE=3
SetEnvIfNoCase Host            ^marketing\.  REQUEST_TYPE=4
SetEnvIf       REQUEST_TYPE    ^$            REQUEST_TYPE=1

How to use SetEnvIf to set a variable based on the Http Host

Taking a quick look at the documentation:

The SetEnvIf directive defines environment variables based on attributes of the request. The attribute specified in the first argument can be one of three things:

An HTTP request header field (see RFC2616 for more information about these); for example: Host, User-Agent, Referer, and Accept-Language. A regular expression may be used to specify a set of request headers.

So, it's certainly possible to make an environment variable conditional on the Host header. It looks like you're trying to use either the Referer or Remote_Host headers, neither of which is exactly what you want (although in theory Referer should contain the value of the Host header in most cases). Remote_Host would be the hostname of the client making the request, which is not at all what you want (and in most configurations would simply not be available, since it's typical to have DNS lookups turned off for performance reasons).

Try something like this:

SetEnvIf Host "www-dev\.example\.com" ENV=DEV
SetEnvIf Host "www-production\.example\.com" ENV=PRD

...and then use $_SERVER['ENV'] to create some logic branches

But note also that you can simply reference the value of the Host header directly in PHP without going through this chicanery; $_SERVER['HTTP_HOST'] will have exactly what you want.

Best Answer

Related Solutions

Conditionally set an Apache environment variable

How to use SetEnvIf to set a variable based on the Http Host

Related Topic