From 1772fcbb67dff5aa87b0932d59bc44bd49e6264c Mon Sep 17 00:00:00 2001
From: Dustin Tsang
Date: Fri, 3 Oct 2014 12:13:13 -0400
Subject: [PATCH] Fixes #7745 - allow client cert header through
---
 templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb b/templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb
index 1c9cef99..791cfa5e 100644
--- a/templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb
+++ b/templates/etc/httpd/conf.d/05-foreman-ssl.d/katello.conf.erb
@@ -14,7 +14,10 @@ Alias /pub /var/www/html/pub
- RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
+ # if ssl_client_certa is present set the header, otherwise don't override
+ # a reverse proxy may already be sending the cert through this header
+ SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
+ RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
 SSLVerifyClient optional
 SSLRenegBufferSize 16777216
 SSLVerifyDepth 2
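Review bot: The `env=!client_cert_present` condition on the added `RequestHeader set` line means an incoming `SSL_CLIENT_CERT` header is kept as-is whoever sent it, so the value passed on is no longer guaranteed to come from this server's own TLS session. With `SSLVerifyClient optional` just below, a request that presents no verified certificate still keeps its header, and a header that is present also takes precedence over a certificate that was verified locally. If the application behind this vhost treats the header as the authenticated identity (presumably it does, given the commit's purpose), the pass-through should be limited to the known reverse proxy rather than keyed on header presence. For example, `SetEnvIf Remote_Addr "<TRUSTED_PROXY_ADDR_REGEX>" trusted_proxy=1` followed by `RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!trusted_proxy`, where the regex is a placeholder for the deployment's proxy address. The comment also has a typo (`ssl_client_certa`), and the enclosing container these directives sit in is not visible in the hunk.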