httpd-users mailing list archives

From Andrei T <magistra...@hot.ee>
Subject [users@httpd] Client certificate authentication on tunneling proxy
Date Thu, 21 Jan 2010 01:35:41 GMT
Hi,

I am trying to figure out if it is possible to configure Apache (any 
version) so that it would work as a tunneling proxy for HTTPS servers 
such that it would also verify the client certificates used to access 
those servers. The goal is to protect servers on the internal network 
from unauthorized access (even if the certificate check on the target 
server fails and the connection will be broken).

I tried configuring an HTTPS virtual host on Apache so that it accepts 
proxy tunneling requests and the server starts up fine, but it fails to 
handle the CONNECT requests. The connection just closes with no error 
appearing in the Apache log.

I used telnet-ssl to connect to Apache and passed the following request:
CONNECT target-server:80 HTTP/1.1
Host: target-server:80

The same worked fine when I connected to Apache through plain HTTP.

The Apache 2.2.8 (OpenSUSE 11.0) config I am using is:

<VirtualHost _default_:443>
         ProxyRequests On
         AllowCONNECT 443 80

         ErrorLog /var/log/apache2/error_log
         TransferLog /var/log/apache2/access_log
         CustomLog /var/log/apache2/ssl_request_log   ssl_combined

         SSLEngine on
         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
         SSLCertificateFile /etc/apache2/ssl.crt/server.crt
         SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>

Any help would be appreciated.

Thanks,
-- 
Andrei T

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
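
Added example, not part of the original message: the posted virtual host rewritten with the mod_ssl directives that require a client certificate, an access rule on the forward proxy, and a cipher list that drops the weak suites the posted string leaves enabled. The CA file path and the client network range are assumptions; the fragment shows the directives only and is not a confirmed fix for the CONNECT failure described in the message.

```apache
# Added example (Apache 2.2 syntax), not the poster's configuration.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    # The posted cipher string starts from ALL, which leaves LOW,
    # export-grade and SSLv2 suites enabled; the "+" entries only
    # reorder the list. Restrict the list to strong suites instead.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5

    # Require a client certificate that chains to this CA.
    # The CA bundle path is an assumption.
    SSLCACertificateFile /etc/apache2/ssl.crt/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    ProxyRequests On
    AllowCONNECT 443 80

    # ProxyRequests On without a <Proxy> access rule is an open
    # forward proxy. The allowed range below is an assumed
    # internal client network.
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Proxy>

    ErrorLog /var/log/apache2/error_log
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
```

With `SSLVerifyClient require`, the TLS handshake fails for clients that present no certificate or one that does not chain to the configured CA, so the check happens before any proxy request is read.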

