httpd-users mailing list archives

From "Guenther, Christian" <Christian.Guent...@realtech.com>
Subject [users@httpd] reverse proxy client certificate pass through
Date Tue, 30 Aug 2005 13:13:05 GMT
Hi List,

I have an application server in an internal DMZ for which I use an Apache2 as a reverse proxy.
The overall communication works flawlessly. Clients connect to the Apache and it passes the
communication requests through to my internal application server - by the way it is an SAP
XI.

Now I added SSL to my setup and this too works perfectly. A client uses SSL to contact the
application server. The Apache as reverse proxy terminates the SSL connection and then connects
to the internal application server via SSL.

But now I want the external client to authenticate itself to the application server via client
certificate, and this won't work at all. I mean, as I see it, in normal SSL communication the
client certificate is taken by the Apache, which will not use it because it is not configured
to check for client certificates. The application server, again, is supposed to authenticate
the client via its certificate, which fails because the Apache does not pass the certificate
through to it.

Is there any way of configuring the Apache to terminate the SSL connection but pass the client
certificate from the outside client to the internal application server?

Thanks in advance,

   Christian

P.S.: I have added my httpd.conf part that deals with the XI backend.


<VirtualHost 172.30.210.210>
    ServerName web004.externerhost.de
    ServerAdmin webmaster@externerhost.de
    # This virtual host does not serve any documents itself but only proxy

    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set ClientProtocol HTTPS

    # Set additional header for letting IE 6 SP2 accept 3rd party cookies
    # in an iframe. See: http://msdn.microsoft.com/library/default.asp?url=
    # /workshop/security/privacy/privacy_ovw_entry.asp for details
    Header add P3P CP="NOI"

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl.crt/web004_cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/web004_key.pem
    SSLProxyEngine On

    # Forward all requests for this host to SAP XI
    ProxyPass /         https://ux210210.internerhost.lan:8007/

    # Rewrite HTTP 302 object moved redirects from SAP XI
    ProxyPassReverse /  https://ux210210.internerhost.lan:8007/
</VirtualHost>


Christian Günther
SAP Technical Consultant

REALTECH

REALTECH system consulting GmbH
Industriestraße 39c
69190 Walldorf
Germany

Tel.: +49.6227.837.267
Mobile: +49.173.2571.326
Fax:+49.6227.837.837
mailto:christian.guenther@realtech.com
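
The following configuration is an added example, not part of the original message or of any reply from the list. Because the proxy ends the client's TLS session, the client certificate cannot travel inside the second TLS connection; a common pattern is to verify it at the proxy and hand the verified certificate to the backend in a request header. Assumptions: the header name `SSL_CLIENT_CERT`, the two placeholder file paths, and a mod_headers version that supports the `%{VARNAME}s` format.

```apache
<VirtualHost 172.30.210.210>
    ServerName web004.externerhost.de

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl.crt/web004_cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/web004_key.pem

    # Request a certificate from the external client and validate it here,
    # because this is where the client's TLS session ends.
    # Placeholder path: bundle of the CAs allowed to issue client certificates.
    SSLCACertificateFile /etc/apache2/ssl.crt/client_ca_bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Remove any copy of the header supplied by the client so it cannot be
    # spoofed, then set it from the certificate mod_ssl has verified.
    # The header name is an assumption; use the one the backend expects.
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

    # The proxy opens its own TLS session to the backend and authenticates
    # with its own certificate, so the backend can accept the header only
    # from this proxy.
    # Placeholder path: PEM file holding the proxy's certificate and key.
    SSLProxyEngine On
    SSLProxyMachineCertificateFile /etc/apache2/ssl.crt/proxy_client.pem

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /         https://ux210210.internerhost.lan:8007/
    ProxyPassReverse /  https://ux210210.internerhost.lan:8007/
</VirtualHost>
```

The backend has to be configured to read the certificate from that header and to trust it only on connections authenticated as the proxy; otherwise anyone who can reach the backend directly could present an arbitrary identity.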
