On our k8s cluster we use NGINX Ingress Controller to request the clients (web browsers) to provide a client certificate. If the certificate is valid, the request is proxied to a full-blown Apache Server inside the private network.
The nginx <> Apache communication is not TLS encrypted.
Using the option 'nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"' on the nginx, the Apache Server receives a header named X-Client-Certificate containing the full client certificate in PEM format.
At this point I am lost. How do I utilize this certificate just like I would when sending it from the client directly to the Apache HTTP server (not via proxy)?
I intend to use the DN from the certificate's information as REMOTE_USER in order to perform an LDAP authorization (using mod_authnz_ldap) but am not able to do so (REMOTE_USER contains '500').
Without a proxy in between, I would use this directive and have the username in Apache's REMOTE_USER environment variable, making it accessible as the username to authorize in LDAP:
SSLUserName SSL_CLIENT_S_DN_CN
Is anyone experienced with this kind of setup and able to give me a hint? I have exhausted all the options I know of and have found.
Thanks in advance.