httpd-users mailing list archives

From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject Re: [users@httpd] Client certificate authentication on tunneling proxy
Date Thu, 28 Jan 2010 10:38:51 GMT
>> On 21.01.10 18:33, Andrei T wrote:
>>> I am trying to connect to apache through SSL (port 443) and tell it
>>> to create a tunnel to some other server listening on port 80.

> Matus UHLAR - fantomas wrote:
>> why a tunnel? Who would create the tunnel? While it's possible, I don't
>> know of any browser that could do that.

On 28.01.10 19:16, Andrei T wrote:
> This setup is not intended to be used by browsers. Instead a specially  
> crafted client code will be dealing with that.

I wonder why to have this setup at all.

>>> I have not tried fiddling with client certificates yet. There is no
>>> point in trying it if apache is not working even without them. My
>>> understanding that client certificate verification is possible only
>>> through an SSL connection. That's why I am trying to make apache run
>>> in HTTPS mode for proxying.

>> You can configure apache so that it would behave as proxy, https on
>> receiving side with client certificate verification and proxying to another
>> tunnels. Client would think that your apache is the server.

> If I understand correctly you are suggesting that client connects to  
> apache (through HTTPS) and then apache establishes a separate HTTPS  
> connection to the real target server?
>
> The downside of this approach is that the target server and client do  
> not see (verify) each other and the proxy becomes a sweet target: anyone
> taking over it would be able to talk to clients and target server and  
> see all the traffic.

Yes, but that's mostly common when using a proxy. You want to use the proxy
through HTTPS and talk to the destination server via HTTPS?
Do you need the proxy in the middle? Why can't you connect to it through
HTTP if you'll tunnel HTTPS through?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
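
The arrangement discussed in this message (HTTPS with client certificate verification on the receiving side, a separate connection from apache to the target server) could be configured roughly as below. This is an added example, not configuration posted in the thread; the hostnames, file paths and the `X-Client-DN` header name are placeholders, and it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# Added example: hostnames and paths are placeholders, not from the thread.
Listen 443

<VirtualHost *:443>
    ServerName proxy.example.com

    # Receiving side: TLS terminated here, client certificate mandatory.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/proxy.crt
    SSLCertificateKeyFile /etc/httpd/tls/proxy.key
    # Only certificates issued by this CA are accepted from clients.
    SSLCACertificateFile  /etc/httpd/tls/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Reverse proxy only: never serve as a forward proxy for arbitrary hosts.
    ProxyRequests Off

    # Backend side: a second, independent TLS connection made by apache.
    # Verify the target server against a pinned CA so the proxy at least
    # authenticates the server on the client's behalf.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.crt
    SSLProxyVerify require

    # The target server never sees the client certificate, so forward the
    # verified subject DN. "set" overwrites any value the client supplied.
    RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"

    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

Traffic is in cleartext inside the proxy process in this layout, which is the trade-off raised in the quoted reply: the target server has to trust the forwarded header and should accept connections only from the proxy.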
