Date: Wed, 31 Aug 2005 09:23:51 +0200
Message-ID: <8C29B2F93BAE9047A906EF6D6F9C5D437387EF@exchange2k301.gaia.fr>
From: Axel-Stéphane SMORGRAV
To: users@httpd.apache.org
Subject: RE: [users@httpd] reverse proxy client certificate pass through

As Allan points out you need to include "SSLVerifyClient" in your configuration. Regarding passing the certificate data to the backend, if you consider that connecting to the backend establishes a chain of trust, the only thing you really need to pass is the subject DN, and maybe the issuer DN. Passing the certificate does not provide the backend with any more information since it does not prove that the client has any knowledge of the associated private key.

And look at what I found on Google!
http://mail-archives.apache.org/mod_mbox/httpd-users/200508.mbox/%3c8C29B2F93BAE9047A906EF6D6F9C5D435ED4FD@exchange2k301.gaia.fr%3e

-ascs

-----Original Message-----
From: allan juul [mailto:allan@muly.dk]
Sent: Tuesday, August 30, 2005 8:43 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] reverse proxy client certificate pass through

Guenther, Christian wrote:
> Hi List,
>
> I have an application server in an internal DMZ for which I use an Apache2 as a reverse proxy. The overall communication works flawlessly. Clients connect to the Apache and it passes the communication requests through to my internal application server - by the way it is an SAP XI.
>
> Now I added SSL to my setup and this too works perfectly. A client uses SSL to contact the application server. The Apache as reverse proxy terminates the SSL connection and then connects to the internal application server via SSL.
>
> But now I want the external client to authenticate itself to the application server via client certificate and this won't work at all. I mean, as I see it, in normal SSL communication the client certificate is taken by the Apache, which will not use it because it is not configured to check for client certificates. The application server again is supposed to authenticate the client via its certificate, which fails because the Apache does not pass the certificate through to it.
>
> Is there any way of configuring the Apache to terminate the SSL connection but pass the client certificate from the outside client to the internal application server?
>
> Thanks in advance,
>
> Christian
>
> Ps.: I have added my httpd.conf part that deals with the XI backend
>
> ServerName web004.externerhost.de
> ServerAdmin webmaster@externerhost.de
> # This virtual host does not serve any documents itself but only proxy
>
> ProxyRequests Off
> ProxyPreserveHost On
> RequestHeader set ClientProtocol HTTPS
>
> # Set additional header for letting IE 6 SP2 accept 3rd party cookies
> # in an iframe. See: http://msdn.microsoft.com/library/default.asp?url=
> # /workshop/security/privacy/privacy_ovw_entry.asp for details
> Header add P3P CP="NOI"
>
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl.crt/web004_cert.pem
> SSLCertificateKeyFile /etc/apache2/ssl.key/web004_key.pem
> SSLProxyEngine On
>
> # Forward all requests for this host to SAP XI
> ProxyPass / https://ux210210.internerhost.lan:8007/
>
> # Rewrite HTTP 302 object moved redirects from SAP XI
> ProxyPassReverse / https://ux210210.internerhost.lan:8007/
>

If you don't have the frontend Apache configured to check for client certificates, I don't see how you can pass the certificates to the application server.

It sounds as if you will need a "double" verification - one from the frontend and one from the backend.

We have a setup where we pass the certificate (escaped) to the proxied server as a RequestHeader (we use mod_rewrite). The verification then happens at the frontend and the communication (in our case) between frontend and backend is http, not https.

./allan

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
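Along the lines of Allan's and Axel-Stéphane's replies, an added example of how Christian's vhost could look with the client certificate verified at the frontend and only the verified DNs forwarded to SAP XI. This is not configuration from the thread; the client CA file, the proxy's own certificate file and the X-SSL-Client-* header names are assumed, and the VirtualHost container lines are omitted as in the original post.

```apache
# Added example, not from the thread. Paths marked "assumed" do not exist in
# Christian's configuration.
ServerName web004.externerhost.de
ServerAdmin webmaster@externerhost.de

ProxyRequests Off
ProxyPreserveHost On
RequestHeader set ClientProtocol HTTPS

SSLEngine On
SSLCertificateFile    /etc/apache2/ssl.crt/web004_cert.pem
SSLCertificateKeyFile /etc/apache2/ssl.key/web004_key.pem

# The missing piece in the original config: verify the client certificate at
# the frontend. Only certificates chaining to this CA complete the handshake,
# so no unauthenticated request ever reaches the backend.
SSLVerifyClient require
SSLVerifyDepth 2
# assumed path: CA that issued the client certificates
SSLCACertificateFile /etc/apache2/ssl.crt/client_ca.pem

# Make SSL_CLIENT_* available to mod_headers; +ExportCertData additionally
# exports the PEM certificate as SSL_CLIENT_CERT (Allan's variant).
SSLOptions +StdEnvVars +ExportCertData

# Forward only what the backend needs: the verified subject DN, issuer DN and
# the verification result. "set" replaces any copy of these headers sent by
# the outside client, so they cannot be forged from outside the proxy.
RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
# Allan's approach forwards the whole certificate instead; the PEM is
# multi-line and must be escaped before it fits in a header:
# RequestHeader set X-SSL-Client-Cert "%{SSL_CLIENT_CERT}s"

SSLProxyEngine On
# Turn the backend connection into the chain of trust Axel-Stéphane mentions:
# the proxy authenticates itself to SAP XI with its own certificate, so the
# backend can restrict acceptance of the X-SSL-Client-* headers to this peer.
# assumed path: PEM file holding the proxy's client certificate and key
SSLProxyMachineCertificateFile /etc/apache2/ssl.crt/proxy_client.pem

# Forward all requests for this host to SAP XI
ProxyPass        / https://ux210210.internerhost.lan:8007/
# Rewrite HTTP 302 object moved redirects from SAP XI
ProxyPassReverse / https://ux210210.internerhost.lan:8007/
```

The backend must not trust these headers from any other source, which is why it should only be reachable from the proxy (or only accept them on connections authenticated with the proxy's certificate).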