httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sittampalam, Nagu" <Nagu.Sittampa...@southampton.gov.uk>
Subject RE: [users@httpd] RE: SSL bridging with Apache reverse proxy
Date Thu, 23 Jan 2014 21:28:26 GMT
It is trying to use certificate to authenticate the clients and for that it must pass that
authentication information through. Not sure if you have seen this
Proxy Web Servers for Internet-Based Client Management<javascript:void(0)>
________________________________
If the site supports Internet-based client management, and you are using a proxy web server
by using SSL termination (bridging) for incoming Internet connections, the proxy web server
has the certificate requirements listed in the following table.
Note

If you are using a proxy web server without SSL termination (tunneling), no additional certificates
are required on the proxy web server.


Network infrastructure component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Proxy web server accepting client connections over the Internet

Server authentication and client authentication


  1.  Web Server
  2.  Workstation Authentication

Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are
using Microsoft certificate templates, the Subject Alternative Name is available with the
workstation template only).
SHA-1 and SHA-2 hash algorithms are supported.

This certificate is used to authenticate the following servers to Internet clients and to
encrypt all data transferred between the client and this server by using SSL:

  *   Internet-based management point
  *   Internet-based distribution point
  *   Internet-based software update point
The client authentication is used to bridge client connections between the System Center 2012
Configuration Manager clients and the Internet-based site systems.




Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services
Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>
| e-mail Nagu.Sittampalam@capita.co.uk<mailto:Nagu.Sittampalam@capita.co.uk> | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal
privilege, and are intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error or think you may have done so, you may not peruse,
use, disseminate, distribute or copy this message. Please notify the sender immediately and
delete the original e-mail from your system.

From: Jeff Trawick [mailto:trawick@gmail.com]
Sent: 23 January 2014 21:10
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 9:14 AM, Sittampalam, Nagu <Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>>
wrote:
What we are trying achieve is like you said   SSL termination at Apache httpd  and reverse
proxy to backend server over SSL but we need to send through client authentication header.
 This is so we can give internet based  clients access to our Microsoft SCCM 2012  management
point.  Would you be able to point to any documents on how to do this please.   Below what
Microsoft say about it.

*         SSL bridging to SSL:

The recommended configuration when you use proxy web servers for Internet-based client management
is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must
be authenticated by using computer authentication, and mobile device legacy clients are authenticated
by using user authentication. Mobile devices that are enrolled by Configuration Manager do
not support SSL bridging.

The benefit of SSL termination at the proxy web server is that packets from the Internet are
subject to inspection before they are forwarded to the internal network. The proxy web server
authenticates the connection from the client, terminates it, and then opens a new authenticated
connection to the Internet-based site systems. When Configuration Manager clients use a proxy
web server, the client identity (client GUID) is securely contained in the packet payload
so that the management point does not consider the proxy web server to be the client. Bridging
is not supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to HTTP.


It is a mystery to me.  The language in the MS document seems to be referring to some information
other than the normal HTTP headers that must be replicated to the back-end connection.




Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services
Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>
| e-mail Nagu.Sittampalam@capita.co.uk<mailto:Nagu.Sittampalam@capita.co.uk> | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal
privilege, and are intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error or think you may have done so, you may not peruse,
use, disseminate, distribute or copy this message. Please notify the sender immediately and
delete the original e-mail from your system.

From: Jeff Trawick [mailto:trawick@gmail.com<mailto:trawick@gmail.com>]
Sent: 23 January 2014 14:01

To: users@httpd.apache.org<mailto:users@httpd.apache.org>
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 8:46 AM, Sittampalam, Nagu <Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>>
wrote:
Thank you for the response and yes it is not reverse proxy anymore. Is my assumption correct
that Apache reverse proxy is not cable of doing SSL bridging?

I'm not familiar with the term "SSL bridging".  I see a description of "SSL bridging" in BIG-IP
here:  http://www.f5.com/glossary/ssl-bridging/   Apache httpd does not have that capability.
 But Microsoft has a different description of "SSL bridging" here: http://technet.microsoft.com/en-us/library/cc722817.aspx

What are you trying to accomplish?  SSL termination at Apache httpd, and reverse proxy to
backend server over SSL?  Yes, that is implemented.



Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services
Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>
| e-mail Nagu.Sittampalam@capita.co.uk<mailto:Nagu.Sittampalam@capita.co.uk> | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal
privilege, and are intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error or think you may have done so, you may not peruse,
use, disseminate, distribute or copy this message. Please notify the sender immediately and
delete the original e-mail from your system.

From: Jeff Trawick [mailto:trawick@gmail.com<mailto:trawick@gmail.com>]
Sent: 23 January 2014 13:29
To: users@httpd.apache.org<mailto:users@httpd.apache.org>
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 6:48 AM, Sittampalam, Nagu <Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>>
wrote:
Hello

I did not get any response to my below email so I assume SSL bridging cannot be done on Apache
reverse proxy.   So wanted to know if it is possible to do SSL tunnelling with Apache reverse
proxy?

"Reverse" proxy hides the backend server from the client, and the httpd doing the proxying
is the SSL termination point.  I don't think you mean to refer to "reverse" proxy.

See the notes on the CONNECT protocol support here:

http://httpd.apache.org/docs/2.4/mod/mod_proxy_connect.html


Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services
Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>
| e-mail Nagu.Sittampalam@capita.co.uk<mailto:Nagu.Sittampalam@capita.co.uk> | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal
privilege, and are intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error or think you may have done so, you may not peruse,
use, disseminate, distribute or copy this message. Please notify the sender immediately and
delete the original e-mail from your system.


_____________________________________________
From: Sittampalam, Nagu
Sent: 17 January 2014 08:05
To: 'users@httpd.apache.org<mailto:users@httpd.apache.org>'
Subject: SSL bridging with Apache reverse proxy


Hello

Is it possible to do SLL bridging with Apache reverse proxy?  Searching on the internet most
result suggest it does not work.  We want to use Apache reverse proxy to allow internet clients
to connect to our Microsoft SCCM 2012 server. This requires SLL bridging with the ability
to pass through client authentication  header information.

Nagu Sittampalam | Security Team Leader , IT Solutions Division | Southampton Strategic Services
Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk<mailto:Nagu.Sittampalam@southampton.gov.uk>
| e-mail Nagu.Sittampalam@capita.co.uk<mailto:Nagu.Sittampalam@capita.co.uk> | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal
privilege, and are intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error or think you may have done so, you may not peruse,
use, disseminate, distribute or copy this message. Please notify the sender immediately and
delete the original e-mail from your system.






--
Born in Roswell... married an alien...
http://emptyhammock.com/



--
Born in Roswell... married an alien...
http://emptyhammock.com/



--
Born in Roswell... married an alien...
http://emptyhammock.com/

Mime
View raw message