httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexiuc, Daniel" <daniel.alex...@sap.com>
Subject RE: [users@httpd] How to pass a Client Certificate through a Reverse Proxy
Date Tue, 29 Apr 2008 00:24:15 GMT
Hi all,

Well it's been over a year since I asked this question, and I am still
getting emails from people running into the same problem who are unable
to find a solution or any information on the subject. So, for posterity,
here is what I know...   :)

As far as I know, it cannot be achieved. 
 
It seems that the reverse proxy, while seeming to be sort of "invisible"
to the client, actually breaks the SSL connection and recreates a new
one to the external server, so passing on the client certificate is
impossible.

If your external server is a local one over which you have control, or
which you trust, then you can read the information from the certificate
at the proxy and pass on the information in the headers as a possible
alternative, but this is not secure. 
 
The way client certificates and reverse proxies are usually used is that
people set up the reverse proxy on the same server as the "external
server" I described, use the proxy to do the client certificate
authentication, and then just pass on the request to the server without
the client certificate. In this situation, the "external server" must be
hidden behind the proxy, and they must trust each other.

I had to go with an alternative solution, using a cross-domain AJAX
request in the browser instead of a reverse proxy that solved my
problem.

Daniel

-----Original Message-----
From: Alexiuc, Daniel [mailto:daniel.alexiuc@sap.com] 
Sent: Thursday, 08 March 2007 3:41 PM
To: users@httpd.apache.org
Subject: [users@httpd] How to pass a Client Certificate through a
Reverse Proxy

Hi all,

I've configured Apache as a reverse proxy in the following kind of
arrangement:

Client's browser -------> Apache Reverse Proxy ------> External Server


When the External Server requires Basic Authentication or SSL from the
client, this works fine through the proxy. I have configured this using
a RewriteRule with the "Use Proxy" option like so:

RewriteRule ^/call/(.*)$ $1 [P]


However this setup does not seem to work when I want to pass a Client
Certificate from the browser to the External Server for Authentication.
I get the following error messages:

[Thu Mar 08 11:43:29 2007] [warn] Proxy client certificate callback:
(localhost:80) downstream server wanted client certificate but none are
configured
[Thu Mar 08 11:43:29 2007] [error] (502)Unknown error: proxy: pass
request body failed to 10.43.125.11:8443

It seems as if the reverse proxy isn't passing through the client
certificate from the browser. I realise that it is possible to setup the
reverse proxy with a client certificate, but I need the client
certificate to come from the client's browser.

Does anyone have any suggestions about how to configure the reverse
proxy to "pass through" client certificates? 

Thanks for your help...

Daniel Alexiuc




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message