Merge pull request #38 from dustints/reverse_proxy_tweak

Fixes #7745 - allow client cert header through
theforeman · Nov 12, 2014 · 077baed · 077baed
2 parents 1bd26ad + 1772fcb
commit 077baed
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb b/templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb
@@ -14,7 +14,10 @@ Alias /pub /var/www/html/pub
 </Location>
 
 <LocationMatch /rhsm|/subscription|/katello/api>
-  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
+  # if ssl_client_certa is present set the header, otherwise don't override
+  # a reverse proxy may already be sending the cert through this header
+  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
+  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
   SSLVerifyClient optional
   SSLRenegBufferSize 16777216
   SSLVerifyDepth 2