httpd-users mailing list archives

From "Niccolo' Manfrini" <manfr...@protechta.it>
Subject Re: [users@httpd] SSL reverse proxy question
Date Fri, 22 Apr 2005 10:08:52 GMT
Andrea Palmieri wrote:

> I'm using Apache as a reverse proxy to hide several backend servers 
> which host several applications
>  
> https://myapache/name1/application_a -> http://ipserver1/application_a
> https://myapache/name1/application_b -> http://ipserver1/application_b
> https://myapache/name2/application_c -> http://ipserver2/application_c
>  
>  
> I'm using SSL client authentication with x509 certificates to 
> authenticate users.
>  
> I was wondering if I can use different CA certificate files (one for 
> each back-end server) to authenticate users' client certificates.
> example 
> users accessing application_a are authenticated using CertCA1
> users accessing application_b are authenticated using CertCA1
> users accessing application_c are authenticated using CertCA2
>  
> The SSLCACertificateFile directive is used to set CA certificate 
> files, but it can't be used within a <Location> context!
>  
> Any suggestion or idea is really appreciated
> Andrea   

Maybe you can add to your DNS service configuration three CNAME values 
that point to your reverse proxy server name. For example:

application_a.mydomain.com, application_b.mydomain.com, 
application_c.mydomain.com
should resolve to: reverse_proxy.mydomain.com

Then append to your reverse proxy httpd.conf three VirtualHost 
definitions:

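<VirtualHost *:443>
ServerName application_a.mydomain.com
SSLEngine on
# Server certificate and key of the reverse proxy itself
# (/path/to/server.crt is a placeholder; the path is not given in the thread)
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# CA used to verify client certificates for this application
SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
SSLVerifyClient require
ProxyPass / http://myinternal_server/application_a/
ProxyPassReverse / http://myinternal_server/application_a/
</VirtualHost>

<VirtualHost *:443>
ServerName application_b.mydomain.com
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# CA used to verify client certificates for this application
SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA2.crt
SSLVerifyClient require
ProxyPass / http://myinternal_server/application_b/
ProxyPassReverse / http://myinternal_server/application_b/
</VirtualHost>

<VirtualHost *:443>
ServerName application_c.mydomain.com
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# CA used to verify client certificates for this application
SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA3.crt
SSLVerifyClient require
ProxyPass / http://myinternal_server/application_c/
ProxyPassReverse / http://myinternal_server/application_c/
</VirtualHost>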


------------------------------------------
Niccolo' Manfrini
Protechta - Information Security
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/
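
For the layout in the original question (one hostname, applications under different paths), an alternative is to trust both CAs during the handshake and then restrict each path by the issuer of the verified client certificate. This is an added example, not part of the original thread; /path/to/server.crt, CertCA-bundle.crt and the issuer CN strings are placeholders, and it assumes each CA signs client certificates directly.

```apache
# Added example (not from the thread). Assumes mod_ssl, mod_proxy, mod_proxy_http.
# Placeholders: /path/to/server.crt, CertCA-bundle.crt, the issuer CN strings.
<VirtualHost *:443>
    ServerName myapache
    SSLEngine on

    # Identity of the reverse proxy itself
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    # PEM concatenation of CertCA1 and CertCA2. The handshake accepts a
    # client certificate that chains to either CA and rejects all others.
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/CertCA-bundle.crt
    SSLVerifyClient require
    # Depth 1: the client certificate must be signed directly by a CA in the
    # bundle, so the issuer checked below is always one of the two trusted CAs.
    SSLVerifyDepth  1

    # The SSL_CLIENT_I_* variables describe the issuer of a certificate whose
    # chain has already been verified; the per-path rules only choose which
    # of the trusted CAs is allowed for that application.
    <Location /name1/application_a>
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "CertCA1-placeholder-CN"
    </Location>
    <Location /name1/application_b>
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "CertCA1-placeholder-CN"
    </Location>
    <Location /name2/application_c>
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "CertCA2-placeholder-CN"
    </Location>

    # Path-to-backend mapping taken from the question
    ProxyPass        /name1/application_a http://ipserver1/application_a
    ProxyPassReverse /name1/application_a http://ipserver1/application_a
    ProxyPass        /name1/application_b http://ipserver1/application_b
    ProxyPassReverse /name1/application_b http://ipserver1/application_b
    ProxyPass        /name2/application_c http://ipserver2/application_c
    ProxyPassReverse /name2/application_c http://ipserver2/application_c
</VirtualHost>
```

The issuer check is only meaningful because every CA in the bundle is trusted and distinct CAs carry distinct CNs; in httpd 2.4 SSLRequire is deprecated in favour of Require expr.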




