httpd-users mailing list archives

From "Guenther, Christian" <Christian.Guent...@realtech.com>
Subject [users@httpd] SSL termination on apache but client certificate routed through
Date Wed, 14 Sep 2005 12:19:48 GMT
Hello List,

I still have this question coming up: I have an apache configured as a reverse proxy. Behind
that proxy there is an application server. A client is to connect to the apache via SSL and
it needs to authenticate to the internal application server with its client certificate.
IS THIS AT ALL POSSIBLE?


                  |                    |
                  |                    |
   +--------+     |     +--------+     |   +--------+
   | client |-----|---->| apache |-----|-->| appsrv |
   | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
   +--------+     |     +--------+     |   +--------+
                  |                    |
   initiates      |     encrypts       |   client logon
   connection    FW1    with cert-2   FW2  with cert-1
                             

As can be seen in the crude picture above: The client initiates the SSL connection to the
apache.
The apache's cert-2 is used for encryption and the client is prepared to authenticate itself
using his client cert-1. At the moment the apache is NOT configured to validate the client's
certificate, but ignores it. This is because the apache has no knowledge of the application
that wants the authentication in the backend server.
After the SSL connection between client and apache is established, the apache initiates a
new SSL connection to the application server. This connection is encrypted with the appsrv's
cert-3. Now the application server wants the client to authenticate itself using a client
certificate instead of a normal username/password pair. This, of course, fails at the moment,
because the certificate of the apache has no rights in the application and the client cert-1
is lost due to the apache terminating the SSL connection.

Now again my question: Can I configure the apache to forward the client cert-1 to the backend
application server? Is there a module that I can use for this? I'm not sure at the moment
if such a module could work at all.

As far as I understand SSL, it needs a direct connection between the two communication partners,
but on the other hand a reverse proxy is a common tool to improve the security of a server
on the internet, so maybe there is some way to achieve this and I'm just missing the point.

Please, can anyone help me with this?

Kind regards,

   Christian

Christian Günther
SAP NetWeaver Technical Consultant

REALTECH

REALTECH system consulting GmbH
Industriestraße 39c
69190 Walldorf Germany

Tel.: +49 6227 837 267
Fax: +49 6227 837 837
Mobile: +49 173 302 2153
mailto: christian.guenther@realtech.com
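The usual way to handle the setup described in the message above, shown here as an added example that is not part of the original post: a TLS client authentication cannot be "passed through" a terminating proxy, so the apache verifies cert-1 itself and hands the verified identity to the backend in request headers that only the proxy is allowed to set. Host names, file paths and header names are assumptions; the backend must be configured to accept these headers from the proxy only (FW2 plus the proxy-to-appsrv TLS connection).

```apache
# Added example (not from the original message): reverse-proxy vhost that
# verifies the client's cert-1 at the TLS endpoint and forwards the verified
# certificate data to the application server. All paths/names are assumed.
<VirtualHost *:443>
    ServerName proxy.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy/cert-2.pem
    SSLCertificateKeyFile /etc/ssl/proxy/cert-2.key

    # Validate cert-1 here, against the CA the application trusts.
    # Without this the forwarded headers carry an unverified certificate.
    SSLCACertificateFile /etc/ssl/proxy/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Expose SSL_CLIENT_* variables (ExportCertData adds the PEM itself).
    SSLOptions +StdEnvVars +ExportCertData

    # Remove any client-supplied copy first so the header cannot be spoofed
    # by a caller that already knows its name, then set it from the
    # verified certificate. The PEM value contains line breaks, which the
    # backend has to accept or unfold; the DN is a single line.
    RequestHeader unset X-SSL-Client-Cert
    RequestHeader unset X-SSL-Client-DN
    RequestHeader unset X-SSL-Client-Verify
    RequestHeader set X-SSL-Client-Cert   "%{SSL_CLIENT_CERT}s"
    RequestHeader set X-SSL-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # Second, separate TLS connection to the application server (cert-3).
    # The proxy verifies the backend so the headers cannot be redirected.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/proxy/backend-ca.pem
    ProxyPass        / https://appsrv.internal/
    ProxyPassReverse / https://appsrv.internal/
</VirtualHost>
```

Whether the application server can map the forwarded certificate to a user is application-specific; the example only guarantees that what arrives in the headers was verified by the proxy and not supplied by the client.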