httpd-users mailing list archives

From "Guenther, Christian" <Christian.Guent...@realtech.com>
Subject AW: [users@httpd] SSL termination on apache but client certificate routed through
Date Wed, 14 Sep 2005 13:29:44 GMT
Hi Allan,

If I get that right, your solution would provide the client certificate to the backend server
in the form of a header variable. Is that correct? Therefore the client certificate would not
be available as part of a normal, standards-conforming SSL handshake but would essentially be copied
into the normal HTTP data part. I would then need to change my backend server's code to look
for the certificate in a different place?

Don't get me wrong, if my developers here tell me that they can change our application server
in this way, I'd be more than happy to use that solution. I just don't see how the server
could validate the certificate in this scenario, as it does not have access to the client but
only to the reverse proxy.

Let me ask you this question: If I'd provide the client certificate to the backend application
server during the normal SSL handshake between apache and application server - let's say I
would copy it to the place where the apache certificate would normally be -, that surely
would lead to a mismatch between the DN of the certificate and the hostname of the server
presenting the certificate, would it not?

   Greetings,

Christian





From: allan@muly.dk
Sent: Wed 14.09.2005 15:08
To: users@httpd.apache.org; Guenther, Christian
Cc: users@httpd.apache.org
Subject: Re: [users@httpd] SSL termination on apache but client certificate routed through


Quoting "Guenther, Christian" <Christian.Guenther@realtech.com>:

> Hello List,
>
> I still have this question coming up: I have an apache configured as 
> a reverse proxy. Behind that proxy there is an application server. A 
> client is to connect to the apache via SSL and it needs to 
> authenticate to the internal application server with its client 
> certificate. IS THIS AT ALL POSSIBLE?

yes, we have that.

>
>
>                  |                    |
>                  |                    |
>   +--------+     |     +--------+     |   +--------+
>   | client |-----|---->| apache |-----|-->| appsrv |
>   | cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
>   +--------+     |     +--------+     |   +--------+
>                  |                    |
>   initiates      |     encrypts       |   client logon
>   connection    FW1    with cert-2   FW2  with cert-1
>
>
> As can be seen in the crude picture above: The client initiates the 
> SSL connection to the apache. The apache's cert-2 is used for 
> encryption and the client is prepared to authenticate itself using 
> his client cert-1. At the moment the apache is NOT configured to 
> validate the client's certificate, but ignores it - This is because 
> the apache has no knowledge of the application that wants the 
> authentication in the backend server.
> After the SSL connection between client and apache is established, 
> the apache initiates a new SSL connection to the application server. 
> This connection is encrypted with the appsrv's cert-3. Now the 
> application server wants the client to authenticate itself using a 
> client certificate instead of a normal username/password pair. 
> This, of course, fails at the moment, because the certificate of the 
> apache has no rights in the application and the client cert-1 is lost 
> due to the apache terminating the SSL connection.
>
> Now again my question: Can I configure the apache to forward the 
> client cert-1 to the backend application server? Is there a module 
> that I can use for this? I'm not sure at the moment if such a module 
> could work at all.

yes, mod_rewrite can do this.
this is some old stuff, but you might get the idea:

# internal function: URI-escape the captured value so newlines cannot end up in a header
RewriteMap canonicalize int:escape

# client cert check: if the client presented a certificate, capture its PEM body
# (Apache config does not allow comments after directives, so they go on their own lines)
RewriteCond %{SSL:SSL_CLIENT_CERT} "^-----BEGIN\s+CERTIFICATE-----\n([^#]+)-----END\s+CERTIFICATE-----$" [NC]
# ok, we had a client cert, so first put it in an env variable
RewriteRule ^/login - [E=FORWARD_CERT:${canonicalize:%1}]

# then use that env variable to forward it to the app server via a custom request header
# (RequestHeader needs mod_headers; the header is only set when FORWARD_CERT exists)
RequestHeader set APACHE_CLIENT_CERT_HARD %{FORWARD_CERT}e env=FORWARD_CERT


with this you should have the backend code on the appserver pull out 
the requestheader value and authenticate via that


./allan
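An added example, not from Allan's post or Christian's setup, of how the backend could consume the forwarded header given that the app server never sees a handshake with the client: it trusts the header only when the request comes from the proxy (address assumed here as 10.0.0.2), undoes the int:escape encoding, and matches the certificate's SHA-256 fingerprint against registered users. Full chain validation would need an X.509 library; the sample bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re
from typing import Dict, Optional
from urllib.parse import quote, unquote

FORWARDED_CERT_HEADER = "APACHE_CLIENT_CERT_HARD"  # header name from the mod_rewrite snippet
TRUSTED_PROXIES = {"10.0.0.2"}  # assumption: the apache reverse proxy's address
# Matches a full PEM block, in case the proxy forwards the BEGIN/END lines as well.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def der_from_forwarded(raw_header: str) -> bytes:
    """Undo the RewriteMap int:escape URI-encoding and decode the PEM body to DER.

    Accepts the bare base64 body (what the RewriteRule's %1 captures) or a full PEM.
    Raises ValueError on anything that is not valid base64.
    """
    text = unquote(raw_header)
    match = PEM_RE.search(text)
    body = match.group(1) if match else text
    return base64.b64decode("".join(body.split()), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the value an app would register for each user."""
    return hashlib.sha256(der).hexdigest()


# Constructed sample: placeholder bytes standing in for a real DER certificate, and the
# header value the proxy would build from them (base64 lines, then URI-escaped).
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_HEADER = quote(base64.encodebytes(SAMPLE_DER).decode(), safe="")
REGISTERED_FINGERPRINTS: Dict[str, str] = {fingerprint(SAMPLE_DER): "cguenther"}


def authenticate(headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Return the user whose registered certificate was forwarded, else None.

    The header only means something when the TCP peer is the proxy: the backend never
    saw a handshake with the client, so anyone reaching it directly could set the header.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return None
    raw = headers.get(FORWARDED_CERT_HEADER)
    if raw is None:
        return None
    try:
        der = der_from_forwarded(raw)
    except ValueError:
        return None
    return REGISTERED_FINGERPRINTS.get(fingerprint(der))
```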