Apache中每个HTTP请求的不可否认性

Question

For the purpose of scientific project I would like to implement in Apache the non-repudiation security service for each HTTP request comming from the remote client. For that purpose I would like to use asymmetric cryptography. I assume that Apache server stores certificates (with public keys) of each legitimate client. Clients securely store their private keys.

In the request there would be client's signature on the chosen HTTP header fields (eg. IP address, requested URL). The signature would be placed in the GET or POST parameters. After each request the non repudiation record should be written to log (I chose Apache's access.log - by default it stores requested URL, IP address, time etc.).

To perform signature check and access control I would like to use mod_rewrite module with RewriteMap and external script doing the job of signature veryfication and access control. This is what I did so far:

mod_rewrite rules:

    RewriteEngine on
    RewriteMap d2u "prg:/var/www/script/map-script2.pl"
    RewriteCond "${d2u:%{QUERY_STRING}}" =false
    RewriteRule ^ - [F]

map-script2.pl:

#!/usr/bin/perl
$| = 1; # Turn off I/O buffering
while (<STDIN>) {

#here will be signature and other data extraction from the query string and veryfication

     if( signature verification result ){
        print "true\n";
     }
     else{
        print "false\n";
     }
}

Is there any other way to do this (there might be efficiency problems with using external script)?

Do you see any drawbacks of my solution to the HTTP request non-repudiation?

Answer 1

That would be relatively low performance. It would be more complicated, but higher perormance, in C as an apache module or in Lua as a mod_lua script.