httpd-users mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [users@httpd] RE: SSL bridging with Apache reverse proxy
Date Thu, 23 Jan 2014 21:09:41 GMT
On Thu, Jan 23, 2014 at 9:14 AM, Sittampalam, Nagu <
Nagu.Sittampalam@southampton.gov.uk> wrote:

> What we are trying to achieve is, like you said, SSL termination at Apache
> httpd and reverse proxy to backend server over SSL, but we need to send
> through client authentication header.  This is so we can give internet
> based clients access to our Microsoft SCCM 2012 management point.  Would
> you be able to point to any documents on how to do this please?  Below is
> what Microsoft say about it.
>
>
>
> · SSL bridging to SSL:
>
> The recommended configuration when you use proxy web servers for
> Internet-based client management is SSL bridging to SSL, which uses SSL
> termination with authentication. Client computers must be authenticated by
> using computer authentication, and mobile device legacy clients are
> authenticated by using user authentication. Mobile devices that are
> enrolled by Configuration Manager do not support SSL bridging.
>
> The benefit of SSL termination at the proxy web server is that packets
> from the Internet are subject to inspection before they are forwarded to
> the internal network. The proxy web server authenticates the connection
> from the client, terminates it, and then opens a new authenticated
> connection to the Internet-based site systems. When Configuration Manager
> clients use a proxy web server, the client identity (client GUID) is
> securely contained in the packet payload so that the management point does
> not consider the proxy web server to be the client. Bridging is not
> supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to
> HTTP.
>
>
>

It is a mystery to me.  The language in the MS document seems to be
referring to some information other than the normal HTTP headers that must
be replicated to the back-end connection.




>
>
> Nagu Sittampalam | Security Team Leader , IT Solutions Division |
> Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax:
> 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk | e-mail
> Nagu.Sittampalam@capita.co.uk | post Capita ITS, 1st Floor, One Guildhall
> Square, Above Bar, Southampton, SO14 7FP
> This email and any files transmitted with it are confidential, and may be
> subject to legal privilege, and are intended solely for the use of the
> individual or entity to whom they are addressed.
> If you have received this email in error or think you may have done so,
> you may not peruse, use, disseminate, distribute or copy this message.
> Please notify the sender immediately and delete the original e-mail from
> your system.
>
>
>
> *From:* Jeff Trawick [mailto:trawick@gmail.com]
> *Sent:* 23 January 2014 14:01
>
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] RE: SSL bridging with Apache reverse proxy
>
>
>
> On Thu, Jan 23, 2014 at 8:46 AM, Sittampalam, Nagu <
> Nagu.Sittampalam@southampton.gov.uk> wrote:
>
> Thank you for the response and yes it is not reverse proxy anymore. Is my
> assumption correct that Apache reverse proxy is not capable of doing SSL
> bridging?
>
>
>
> I'm not familiar with the term "SSL bridging".  I see a description of
> "SSL bridging" in BIG-IP here:  http://www.f5.com/glossary/ssl-bridging/
> Apache httpd does not have that capability.  But Microsoft has a
> different description of "SSL bridging" here:
> http://technet.microsoft.com/en-us/library/cc722817.aspx
>
>
>
> What are you trying to accomplish?  SSL termination at Apache httpd, and
> reverse proxy to backend server over SSL?  Yes, that is implemented.
>
> *From:* Jeff Trawick [mailto:trawick@gmail.com]
> *Sent:* 23 January 2014 13:29
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] RE: SSL bridging with Apache reverse proxy
>
>
>
> On Thu, Jan 23, 2014 at 6:48 AM, Sittampalam, Nagu <
> Nagu.Sittampalam@southampton.gov.uk> wrote:
>
> Hello
>
>
>
> I did not get any response to my below email so I assume SSL bridging
> cannot be done on Apache reverse proxy.   So wanted to know if it is
> possible to do SSL tunnelling with Apache reverse proxy?
>
>
>
> "Reverse" proxy hides the backend server from the client, and the httpd
> doing the proxying is the SSL termination point.  I don't think you mean to
> refer to "reverse" proxy.
>
>
>
> See the notes on the CONNECT protocol support here:
>
>
>
> http://httpd.apache.org/docs/2.4/mod/mod_proxy_connect.html
>
> _____________________________________________
> *From:* Sittampalam, Nagu
> *Sent:* 17 January 2014 08:05
> *To:* 'users@httpd.apache.org'
> *Subject:* SSL bridging with Apache reverse proxy
>
>
>
>
>
> Hello
>
>
>
> Is it possible to do SSL bridging with Apache reverse proxy?  Searching on
> the internet most results suggest it does not work.  We want to use Apache
> reverse proxy to allow internet clients to connect to our Microsoft SCCM
> 2012 server. This requires SSL bridging with the ability to pass through
> client authentication header information.
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
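
The part of this exchange that the thread confirms httpd implements (SSL termination at the proxy, then a new SSL connection to the backend) can be configured roughly as follows with mod_ssl, mod_proxy and mod_headers. This is an added example, not configuration from the original thread; the hostnames, file paths and `X-Client-*` header names are placeholders, and whether an SCCM management point accepts such a setup is not established here.

```apache
# Added illustration; hostnames, paths and X-Client-* header names are placeholders.
<VirtualHost *:443>
    ServerName proxy.example.org

    # Front side: terminate the Internet-facing TLS connection here.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/proxy.example.org.crt
    SSLCertificateKeyFile /etc/httpd/tls/proxy.example.org.key

    # Authenticate the client with a certificate issued by the internal CA.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/httpd/tls/client-issuing-ca.pem

    # Back side: open a new TLS connection to the backend and verify it.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.pem
    SSLProxyCheckPeerName on
    # Certificate + key the proxy itself presents if the backend asks for one.
    SSLProxyMachineCertificateFile /etc/httpd/tls/proxy-client.pem

    # Drop any copies of these headers sent by the client, then set them from
    # the certificate mod_ssl verified, so the backend cannot be fed forged values.
    RequestHeader unset X-Client-Verify
    RequestHeader unset X-Client-DN
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}s"

    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

With this layout the backend's TLS peer is the proxy, not the original client: the client certificate's details reach the backend only as request headers, so the backend should accept connections only from the proxy.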
