SSL Headers Plugin¶
The sslheaders
plugins injects SSL session information into
HTTP request headers. It can operate as a global plugin or as a
remap plugin.
Plugin Options¶
The following options may be specified when loading the plugin in
plugin.config
or remap.config
:
- --attach=WHICH
This option specifies which HTTP request the SSL headers are attached to.
client
causes the headers to be injected into the client request. This is primarily useful if another plugin should inspect then.server
is the default and injects the headers into the origin server request.both
injects the headers into both the client request and the origin server request.
A list of KEY=VALUE pairs follows any options. The KEY names the HTTP header to inject, and VALUE names the SSL session field.
SSL session field |
Description |
---|---|
client.certificate |
The client certificate in PEM format |
client.subject |
The client certificate subject DN |
client.issuer |
The client certificate issuer DN |
client.serial |
The client certificate serial number in hexadecimal format |
client.signature |
The client certificate signature in hexadecimal format |
client.notbefore |
The client certificate validity start time |
client.notafter |
The client certificate validity end time |
server.certificate |
The server certificate in PEM format |
server.subject |
The server certificate subject DN |
server.issuer |
The server certificate issuer DN |
server.serial |
The server certificate serial number in hexadecimal format |
server.signature |
The server certificate signature in hexadecimal format |
server.notbefore |
The server certificate validity start time |
server.notafter |
The server certificate validity end time |
The client.certificate and server.certificate fields emit the corresponding certificate in PEM format, with newline characters replaced by spaces.
If the sslheaders
plugin activates on non-SSL connections, it
will delete all the configured HTTP header names so that malicious
clients cannot inject misleading information. If any of the SSL
fields expand to an empty string, those headers are also deleted.
Examples:¶
In this example, the origin server is interested in the subject of
the server certificate that was used to accept a client connetion.
We can apply the sslheaders
plugin to a generic remap rule to
provide this information. The remap.config
configuration
would be:
regex_map https://*.example.com/ http://origin.example.com/ \
@plugin=sslheaders.so @pparam=SSL-Server=server.subject
In this example, we have set proxy.config.ssl.client.certification_level
to request SSL client certificates. We can then configure sslheaders
to populate the client certificate subject globally by adding it
to plugin.config
:
sslheaders.so SSL-Client-ID=client.subject SSL-Client-NotBefore=client.notbefore SSL-Client-NotAfter-client.notafter