httpd-users mailing list archives

From Axel-Stéphane SMORGRAV <Axel-Stephane.SMORG...@europe.adp.com>
Subject RE: [users@httpd] reverse proxy client certificate pass through
Date Wed, 31 Aug 2005 07:23:51 GMT
As Allan points out, you need to include "SSLVerify client" in your configuration. Regarding
passing the certificate data to the backend, if you consider that connecting to the backend
establishes a chain of trust, the only thing you really need to pass is the subject DN, and
maybe the issuer DN. Passing the certificate does not provide the backend with any more information
since it does not prove that the client has any knowledge of the associated private key.

And look at what I found on Google!

http://mail-archives.apache.org/mod_mbox/httpd-users/200508.mbox/%3c8C29B2F93BAE9047A906EF6D6F9C5D435ED4FD@exchange2k301.gaia.fr%3e

-ascs 

-----Original Message-----
From: allan juul [mailto:allan@muly.dk] 
Sent: Tuesday, August 30, 2005 8:43 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] reverse proxy client certificate pass through

Guenther, Christian wrote:
> Hi List,
> 
> I have an application server in an internal DMZ for which I use an Apache2 as a reverse
proxy. The overall communication works flawlessly. Clients connect to the Apache and it passes
the communication requests through to my internal application server - by the way it is an
SAP XI.
> 
> Now I added SSL to my setup and this too works perfectly. A client uses SSL to contact
the application server. The Apache as reverse proxy terminates the SSL connection and then
connects to the internal application server via SSL.
> 
> But now I want the external client to authenticate itself to the application server via
client certificate and this won't work at all. I mean, as I see it, in normal SSL communication
the client certificate is taken by the Apache, which will not use it because it is not configured
to check for client certificates. The application server again is supposed to authenticate
the client via its certificate, which fails because the Apache does not pass the certificate
through to it. 
> 
> Is there any way of configuring the Apache to terminate the SSL connection but pass the
client certificate from the outside client to the internal application server? 
> 
> Thanks in advance,
> 
>    Christian
> 
> Ps.: I have added my httpd.conf part that deals with the XI backend
> 
> 
> <VirtualHost 172.30.210.210>
>     ServerName web004.externerhost.de
>     ServerAdmin webmaster@externerhost.de
>     # This virtual host does not serve any documents itself but only proxy
> 
>     ProxyRequests Off
>     ProxyPreserveHost On
>     RequestHeader set ClientProtocol HTTPS
> 
>     # Set additional header for letting IE 6 SP2 accept 3rd party cookies
>     # in an iframe. See: http://msdn.microsoft.com/library/default.asp?url=
>     # /workshop/security/privacy/privacy_ovw_entry.asp for details
>     Header add P3P CP="NOI"
> 
>     SSLEngine On
>     SSLCertificateFile /etc/apache2/ssl.crt/web004_cert.pem
>     SSLCertificateKeyFile /etc/apache2/ssl.key/web004_key.pem
>     SSLProxyEngine On
> 
>     # Forward all requests for this host to SAP XI
>     ProxyPass /         https://ux210210.internerhost.lan:8007/
> 
>     # Rewrite HTTP 302 object moved redirects from SAP XI
>     ProxyPassReverse /  https://ux210210.internerhost.lan:8007/
> </VirtualHost>
>

If you don't have the frontend Apache configured to check for client certificates, I don't
see how you can pass the certificates to the application server.

It sounds as if you will need a "double" verification - one from the frontend and one from
the backend.

We have a setup where we pass the certificate (escaped) to the proxied server as a RequestHeader
(we use mod_rewrite). The verification then happens at the frontend and the communication
(in our case) between frontend and backend is http, not https.

./allan

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
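An added example of the setup the two replies describe (verify the client certificate at the frontend, forward only the subject and issuer DN to the backend), written against a current Apache 2.4 rather than the 2005 release the thread used. It is not configuration from the thread or from any of its authors. Assumptions: Apache 2.4.10 or later with mod_ssl, mod_headers and mod_proxy (the `%{VAR}s` format of `RequestHeader` reads mod_ssl variables directly; Allan's setup exported them through mod_rewrite instead), the CA file paths `client-ca.pem` and `internal-ca.pem`, and the `X-SSL-Client-*` header names. The certificate, key and backend URL are the ones from Christian's posted vhost.

```apache
# Added example, not from the thread: frontend vhost that terminates TLS,
# demands a client certificate, and forwards only the verified DNs.
# Assumes Apache 2.4.10+ (mod_ssl, mod_headers, mod_proxy). The CA file
# paths and the X-SSL-Client-* header names are assumptions.
<VirtualHost 172.30.210.210:443>
    ServerName web004.externerhost.de

    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl.crt/web004_cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/web004_key.pem

    # The frontend performs the client-certificate check that the backend
    # can no longer do itself: require a certificate, accept only ones
    # chaining to the client CA, and bound the chain length.
    SSLCACertificateFile  /etc/apache2/ssl.crt/client-ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Drop any X-SSL-Client-* headers the remote client sent. The "set"
    # below replaces them anyway; the early unset makes sure nothing the
    # client supplied survives even if a later set does not run.
    RequestHeader unset X-SSL-Client-S-DN   early
    RequestHeader unset X-SSL-Client-I-DN   early
    RequestHeader unset X-SSL-Client-Verify early

    # Forward what the backend actually needs: subject DN, issuer DN and
    # the verification result. The certificate itself adds nothing, since
    # the backend cannot check proof of possession of the private key.
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # Backend leg: verify the backend's certificate and its name, so the
    # DN header travels only over a checked proxy-to-backend connection.
    SSLProxyEngine            On
    SSLProxyCACertificateFile /etc/apache2/ssl.crt/internal-ca.pem
    SSLProxyVerify            require
    SSLProxyCheckPeerName     on

    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass         / https://ux210210.internerhost.lan:8007/
    ProxyPassReverse  / https://ux210210.internerhost.lan:8007/
</VirtualHost>
```

The headers are only as trustworthy as the path they arrive on: the backend has to accept `X-SSL-Client-*` solely from this proxy (firewall rule plus a source-address check on the backend), because anything that can reach port 8007 directly can write the same headers itself. With `SSLVerifyClient optional` instead of `require`, `X-SSL-Client-Verify` is what tells the backend whether a certificate was presented at all, so the backend must check it before trusting the DN.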



