httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From yasser arafat <yarafa...@gmail.com>
Subject Re: [users@httpd] Apache module suitable for SSL passthrough
Date Fri, 04 Mar 2011 16:46:08 GMT
Thank you Sandy and Tom,

It worked.
My question should have been to know the transfer of client certificate
rather than making SSL pass through.\


Thanks,
Yasser


On Thu, Mar 3, 2011 at 2:13 PM, Voellinger, Sandy <
Sandy.Voellinger@neustar.biz> wrote:

> Yasser -
>
> As Tom mentioned in  his response, you must terminate SSL, there is no
> "passthrough".  However, what I think you are looking for is the ability to
> do terminiate SSL at apache and pass the client certificate as part of the
> request that you forward to Jboss.  If this is the case, you can do the
> following with mod_jk/apache:
>
> Within your vhost context:
>
> #Define your ssl bits as needed to correctly terminate the two way
> handshake:
> SSLEngine on
>        SSLCertificateKeyFile $FULL_PATH_TO_FILENAME
>        SSLCertificateChainFile $FULL_PATH_TO_FILENAME
>        SSLCACertificateFile $FULL_PATH_TO_FILENAME
>        SSLCertificateFile $FULL_PATH_TO_FILENAME
>        SSLInsecureRenegotiation on
>
>
>
> # The following directive will include the client certificate that is
> presented for 2way ssl in the data sent to your application server:
>
> SSLOptions +ExportCertData +StdEnvVars
>
>
>
> If you use mod_jk to pass your connection from apache to jboss, you'll need
> to define  the following:
>
> uriworkermap.properties:
> /path/to/url/you/want/to/forward*=$WORKER_NAME
>
>
> workers.properties:
> worker.list=$WORKER_NAME
> worker.node1.port=$JBOSS_LISTENING_PORT
> worker.node1.host=$JBOSS_HOSTNAME_OR_IP
> worker.node1.type=ajp13
> worker.node1.ping_mode=A
> worker.node1.socket_timeout=20
>
> Cheers-
> Sandy
>
>
>
>
>
> -----Original Message-----
> From: Tom Evans [mailto:tevans.uk@googlemail.com]
> Sent: Thursday, March 03, 2011 12:45 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Apache module suitable for SSL passthrough
>
> On Thu, Mar 3, 2011 at 5:12 PM, yasser arafat <yarafatin@gmail.com> wrote:
> > Hello all,
> >
> > My JBoss app server has mutual SSL authentication setup (We do some
> > processing based on the client certificate).
> >
> > I need to have a web server in front of JBoss. Which is the best apache
> > module that can do an SSL passthrough to JBoss?
> >
> >
> >
> > Thank and regards,
> >
> > Yasser
> >
> >
>
> There is no such thing as SSL pass through - SSL is an end to end
> encryption protocol, there can be no middle.
>
> You can do SSL termination on apache and forward the appropriate
> sections of the client certificate through to jboss as custom HTTP
> headers. You cannot do SSL termination on apache and re-present the
> client certificate to jboss.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Mime
View raw message