httpd-users mailing list archives

From Andrei T <magistra...@hot.ee>
Subject Re: [users@httpd] Client certificate authentication on tunneling proxy
Date Thu, 28 Jan 2010 08:16:26 GMT
Matus UHLAR - fantomas wrote:
> On 21.01.10 18:33, Andrei T wrote:
>> I am trying to connect to apache through SSL (port 443) and tell it to  
>> create a tunnel to some other server listening on port 80.
> 
> why a tunnel? Who would create the tunnel? While it's possible, I don't know
> of any browser that could do that.

This setup is not intended to be used by browsers. Instead, specially 
crafted client code will be dealing with that.

>> I have not tried fiddling with client certificates yet. There is no  
>> point in trying it if apache is not working even without them. My
>> understanding is that client certificate verification is possible only
>> through an SSL connection. That's why I am trying to make apache run in  
>> HTTPS mode for proxying.
> 
> You can configure apache so that it would behave as proxy, https on
> receiving side with client certificate verification and proxying to another
> tunnels. Client would think that your apache is the server.

If I understand correctly you are suggesting that client connects to 
apache (through HTTPS) and then apache establishes a separate HTTPS 
connection to the real target server?

The downside of this approach is that the target server and client do 
not see (verify) each other and the proxy becomes a sweet target: anyone 
taking over it would be able to talk to clients and target server and 
see all the traffic.

> You also could configure apache as proxy accessible through https (but
> clients afaik don't support https proxy) and configure clients to use this
> apache as proxy. But they would not issue CONNECT to port 80.

I tried configuring apache as a tunneling proxy through https, but in 
this scenario apache would not recognize the CONNECT request and would 
not establish a tunnel to the target server.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
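
The reverse-proxy arrangement discussed in this message (HTTPS with client certificate verification on the receiving side, and a separate HTTPS connection from apache to the target) could be configured along these lines. This is an added example, not part of the original post; the host names, file paths and `X-Client-*` header names are placeholders, and it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# Added example: host names, paths and header names are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName proxy.example.org

    # Receiving side: HTTPS, and every client must present a certificate
    # issued by the CA in client-ca.crt or the handshake is refused.
    SSLEngine on
    SSLCertificateFile     /etc/httpd/tls/proxy.crt
    SSLCertificateKeyFile  /etc/httpd/tls/proxy.key
    SSLCACertificateFile   /etc/httpd/tls/client-ca.crt
    SSLVerifyClient        require
    SSLVerifyDepth         2

    # Reverse proxy only: do not accept forward-proxy requests here.
    ProxyRequests Off

    # Sending side: a second, independent HTTPS connection to the target.
    # Verify the target's certificate instead of trusting any peer.
    SSLProxyEngine on
    SSLProxyCACertificateFile       /etc/httpd/tls/backend-ca.crt
    SSLProxyVerify                  require
    SSLProxyCheckPeerCN             on
    # Certificate and key the proxy presents to the target, so the target
    # can at least authenticate the proxy itself.
    SSLProxyMachineCertificateFile  /etc/httpd/tls/proxy-client.pem

    # The target never sees the client's certificate, so pass the verified
    # subject along in request headers. "set" overwrites any value of the
    # same name that the client sent.
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    ProxyPass        / https://target.example.org/
    ProxyPassReverse / https://target.example.org/
</VirtualHost>
```

This does not remove the downside raised in the message: the proxy terminates both TLS sessions and handles the traffic in plaintext, and the target has to accept the identity headers only on connections authenticated with the proxy's own certificate.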

