httpd-users mailing list archives

From "Sittampalam, Nagu" <Nagu.Sittampa...@southampton.gov.uk>
Subject RE: [users@httpd] RE: SSL bridging with Apache reverse proxy
Date Thu, 23 Jan 2014 14:14:45 GMT
What we are trying to achieve is, like you said, SSL termination at Apache httpd and reverse
proxy to backend server over SSL, but we need to send through the client authentication header.
This is so we can give internet based clients access to our Microsoft SCCM 2012 management
point. Would you be able to point to any documents on how to do this please? Below is what
Microsoft say about it.

* SSL bridging to SSL:

The recommended configuration when you use proxy web servers for Internet-based client management
is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must
be authenticated by using computer authentication, and mobile device legacy clients are authenticated
by using user authentication. Mobile devices that are enrolled by Configuration Manager do
not support SSL bridging.

The benefit of SSL termination at the proxy web server is that packets from the Internet are
subject to inspection before they are forwarded to the internal network. The proxy web server
authenticates the connection from the client, terminates it, and then opens a new authenticated
connection to the Internet-based site systems. When Configuration Manager clients use a proxy
web server, the client identity (client GUID) is securely contained in the packet payload
so that the management point does not consider the proxy web server to be the client. Bridging
is not supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to HTTP.


Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services
Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>
| e-mail Nagu.Sittampalam@capita.co.uk<mailto:Nagu.Sittampalam@capita.co.uk> | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal
privilege, and are intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error or think you may have done so, you may not peruse,
use, disseminate, distribute or copy this message. Please notify the sender immediately and
delete the original e-mail from your system.

From: Jeff Trawick [mailto:trawick@gmail.com]
Sent: 23 January 2014 14:01
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 8:46 AM, Sittampalam, Nagu <Nagu.Sittampalam@southampton.gov.uk>
wrote:
Thank you for the response and yes it is not reverse proxy anymore. Is my assumption correct
that Apache reverse proxy is not capable of doing SSL bridging?

I'm not familiar with the term "SSL bridging".  I see a description of "SSL bridging" in BIG-IP
here:  http://www.f5.com/glossary/ssl-bridging/   Apache httpd does not have that capability.
 But Microsoft has a different description of "SSL bridging" here: http://technet.microsoft.com/en-us/library/cc722817.aspx

What are you trying to accomplish?  SSL termination at Apache httpd, and reverse proxy to
backend server over SSL?  Yes, that is implemented.




From: Jeff Trawick [mailto:trawick@gmail.com]
Sent: 23 January 2014 13:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 6:48 AM, Sittampalam, Nagu <Nagu.Sittampalam@southampton.gov.uk>
wrote:
Hello

I did not get any response to my below email so I assume SSL bridging cannot be done on Apache
reverse proxy.   So wanted to know if it is possible to do SSL tunnelling with Apache reverse
proxy?

"Reverse" proxy hides the backend server from the client, and the httpd doing the proxying
is the SSL termination point.  I don't think you mean to refer to "reverse" proxy.

See the notes on the CONNECT protocol support here:

http://httpd.apache.org/docs/2.4/mod/mod_proxy_connect.html




_____________________________________________
From: Sittampalam, Nagu
Sent: 17 January 2014 08:05
To: 'users@httpd.apache.org'
Subject: SSL bridging with Apache reverse proxy


Hello

Is it possible to do SSL bridging with Apache reverse proxy?  Searching on the internet, most
results suggest it does not work.  We want to use Apache reverse proxy to allow internet clients
to connect to our Microsoft SCCM 2012 server. This requires SSL bridging with the ability
to pass through client authentication header information.







--
Born in Roswell... married an alien...
http://emptyhammock.com/
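
Added example, not part of any message in this thread and not a tested SCCM configuration: a minimal httpd 2.4 virtual host for the setup Jeff describes as implemented (TLS terminated at httpd, then a new TLS connection to the backend), with client-certificate authentication on the front side and the verified identity forwarded in request headers. Hostnames, file paths and the X-Client-Cert-* header names are placeholders; it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# Added example. All hostnames, paths and header names below are placeholders.
<VirtualHost *:443>
    ServerName proxy.example.org

    # Front side: terminate TLS here and require a client certificate
    # issued by the CA that signs the managed clients' certificates.
    SSLEngine on
    SSLCertificateFile      /etc/httpd/tls/proxy.crt
    SSLCertificateKeyFile   /etc/httpd/tls/proxy.key
    SSLCACertificateFile    /etc/httpd/tls/client-issuing-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Back side: open a new TLS connection to the backend, verify the
    # backend's certificate, and authenticate as the proxy itself.
    SSLProxyEngine on
    SSLProxyCACertificateFile      /etc/httpd/tls/internal-ca.pem
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    # PEM file holding the proxy's client certificate and unencrypted key.
    SSLProxyMachineCertificateFile /etc/httpd/tls/proxy-client.pem

    # Forward the identity httpd verified. "set" replaces any value of the
    # same header sent by the client, so it cannot be supplied from outside.
    RequestHeader set X-Client-Cert-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Cert-Verify "%{SSL_CLIENT_VERIFY}s"

    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

The client's own certificate is not presented to the backend in this arrangement: the backend sees the proxy's certificate on the TLS connection and the client's identity only as header values, so the backend has to be set up to trust those headers from the proxy alone.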


