httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lucuk, Pete" <pete.lu...@ngc.com>
Subject [users@httpd] Apache Proxy, Client Certificate, HTTPS, etc. questions?
Date Fri, 10 Nov 2006 21:38:43 GMT

Apache Proxy, Client Certificate, HTTPS, etc. questions?

I just read this...

	Proxy SSL and Client Certificates
	
http://marc.theaimsgroup.com/?l=apache-httpd-users&m=115930874503040&w=2

and want to I make sure I fully understand it and have questions at the
end of this email.

Background...

In our development environment we have a JBoss server that runs a web
based application...

- the web based application only communicates over HTTPS
- the web based application requires the web browser client to send it's
client certificate to JBoss
- the web browser client PC and the JBoss physical server machine both
reside on the same network with nothing between them
- JBoss performs authentication and authorization based on content in
the sent client certificate from the web browser client PC

The above setup works like a champ in our development environment.


My problem...

We have been tasked to setup our Jboss server web based application in a
production environment like so...

- The Jboss server will reside on physical server A
- The web browser client PC will NOT be on the same network as physical
server A
- there are multiple firewalls between web browser client PC and the
Jboss server that resides on physical server A
- there is however one physical box, lets call it physical server B,
that...

	- the web browser client PCs CAN see and connect to
	- the Jboss server physical server A CAN also see and connect to

- this physical box B is literally a server box that currently has
certain ports open and tomcat and apache running on it serving out
content to web browser client PCs.

- We are NOT allowed to put our Jboss server on it currently for
multiple reasons, long story

- we MUST run our Jboss web based application on physical server A
behind physical server B.

So we are currently looking for ways to bridge the gap between the our
Jboss web based application on physical server A and the web browser
client PCs so that we can perform both...

- HTTPS
- client certicate A&A

I am currently looking at Apache 2.2.3 and its proxy support to bridge
the gap.  Almost everything I have read tells me that...

- I CAN do the HTTPS portion
- but that I can NOT do the client certificate A&A portion

Can you please confirm the above two assumptions and give some input as
why and why not.  I need to bring the info to my management and formally
document it.

If Apache with proxy support can not do it, do you know of any piece of
"software" that could do it?  I assume iptables or ipfilter could do it,
BUT we would be hard pressed to be allowed to install anything like that
on there that requires root. 

Basically I *think* I need a transparent proxy that takes whatever it
gets at the TCP/IP level and forwards it on to the correct physical
server.  I have read some stuff that says that you can do it with
Apache...

http://www.redhat.com/docs/manuals/stronghold/Stronghold-3.0-Manual/admi
n-guide/chapter2.fm.html#71712.Heading1.Proxy.Authentication

Normal proxy service (configured with ProxyRequests) uses the CONNECT
protocol. Normal proxy service passes the browser's client certificate
to the remote server during SSL and TLS transactions. The remote server
then authenticates the browser and not the proxy server. The browser
verifies the remote server's site certificate.


Thanks much for your time and input, I greatly appreciate it.









---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message