httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject [users@httpd] how to setup authentication on webserver behind a reverse proxy with x509 certificate
Date Tue, 14 Feb 2012 13:31:33 GMT

I would like to do this architecture:
- a reverse proxy (based on apache 2.2.10-2.24.5) that do client
authentication with x509 certificate. The user access is validated by an
ldap server.
- a web server (based on apache 2.2.10-2.24.5) that run mod_dav with
specific user access filtering

I setup the reverse proxy with this configuration :

<Proxy balancer://webdavcluster>
<VirtualHost _default_:443>

        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log
        CustomLog /var/log/apache2/ssl_request_log   ssl_combined
        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /etc/apache2/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
        SSLVerifyClient require
        SSLVerifyDepth 3
        SSLOptions +FakeBasicAuth +ExportCertData
        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
        ServerName webdav
        ServerAlias webdav
        <Location />
        AuthType Basic
        AuthName "Intranet"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN "cn=X,ou=Technical,dc=X,dc=X,dc=X,dc=X"
        AuthLDAPBindPassword X
        Require valid-user
        ProxyPass /balancer-manager !
        ProxyPass / balancer://webdavcluster/
        ProxyPassReverse / balancer://webdavcluster/

On the web server, I configure :

<Directory "/srv/www/htdocs">
AllowOverride None
Order allow,deny
 Allow from all
Options Indexes FollowSymLinks
AuthName "WEBDav server"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN "cn=X,ou=Technical,dc=X,dc=X,dc=X,dc=X"
AuthLDAPBindPassword X
require valid-user

On the webserver logs, I found this message : [Tue Feb 14 14:00:42 2012]
[error] [client] Encountered FakeBasicAuth spoof:

It looks like error due to FakeBasicAuth option used on the reverse
proxy but when I removed it on the reverse proxy, the reverse proxy
doesn't authenticate user with the ldap.

So my question is how to do user validation on the web server based on
information send by the reverse proxy or how to filter access to
specific directory ?

Thanks for your help
Francois-Xavier THORET


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees
et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par
erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant
susceptibles d'alteration,
France Telecom - Orange decline toute responsabilite si ce message a ete altere, deforme ou
falsifie. Merci

This message and its attachments may contain confidential or privileged information that may
be protected by law;
they should not be distributed, used or copied without authorization.
If you have received this email in error, please notify the sender and delete this message
and its attachments.
As emails may be altered, France Telecom - Orange shall not be liable if this message was
modified, changed or falsified.
Thank you.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message