httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject Re: [users@httpd] How to pass a Client Certificate through a Reverse Proxy
Date Tue, 29 Apr 2008 09:51:42 GMT
On 29.04.08 08:24, Alexiuc, Daniel wrote:
> Well it's been over a year since I asked this question, and I am still
> getting emails from people running into the same problem who are unable
> to find a solution or any information on the subject. So, for posterity,
> here is what I know...   :)
> 
> As far as I know, it cannot be achieved. 

> It seems that the reverse proxy, while seeming to be sort of "invisible"
> to the client, actually breaks the SSL connection and recreates a new
> one to the external server, so passing on the client certificate is
> impossible.

Yes, because a client can only send its certificate by using encrypted and
SIGNED connection, and only the client can sign the certifikate so server
can trust it. The proxy does not know the clients private key, otherwise the
connection would not be secure (or not in the way most people know that).

> If your external server is a local one over which you have control, or
> which you trust, then you can read the information from the certificate
> at the proxy and pass on the information in the headers as a possible
> alternative, but this is not secure. 

the "not secure" usually means that the connection from proxy to a client
is (usually) non-ssl'ed, so anyone between proxy and server mman sniff the
data. Youcan use SSL connection from proxy to the server, but proxy will
send own certificate there, not client's one.

> The way client certificates and reverse proxies are usually used is that
> people set up the reverse proxy on the same server as the "external
> server" I described, use the proxy to do the client certificate
> authentication, and then just pass on the request to the server without
> the client certificate. In this situation, the "external server" must be
> hidden behind the proxy, and they must trust each other.

SSL is made up to avoid man-in-the-middle attack, and the reverse proxy IS
the man-in-the-middls. Either you trust it (and accept what it sends) or
don't use it.

> I had to go with an alternative solution, using a cross-domain AJAX
> request in the browser instead of a reverse proxy that solved my
> problem.

you probably could describe it somehow for us to know ...
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message