Date: Thu, 23 Jan 2014 16:09:41 -0500
From: Jeff Trawick
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: SSL bridging with Apache reverse proxy

On Thu, Jan 23, 2014 at 9:14 AM, Sittampalam, Nagu
<Nagu.Sittampalam@southampton.gov.uk> wrote:

> What we are trying to achieve is, like you said, SSL termination at Apache
> httpd and reverse proxy to backend server over SSL, but we need to send
> through client authentication header. This is so we can give internet
> based clients access to our Microsoft SCCM 2012 management point. Would
> you be able to point to any documents on how to do this please. Below is
> what Microsoft say about it.
>
> · SSL bridging to SSL:
>
> The recommended configuration when you use proxy web servers for
> Internet-based client management is SSL bridging to SSL, which uses SSL
> termination with authentication. Client computers must be authenticated by
> using computer authentication, and mobile device legacy clients are
> authenticated by using user authentication. Mobile devices that are
> enrolled by Configuration Manager do not support SSL bridging.
>
> The benefit of SSL termination at the proxy web server is that packets
> from the Internet are subject to inspection before they are forwarded to
> the internal network. The proxy web server authenticates the connection
> from the client, terminates it, and then opens a new authenticated
> connection to the Internet-based site systems. When Configuration Manager
> clients use a proxy web server, the client identity (client GUID) is
> securely contained in the packet payload so that the management point does
> not consider the proxy web server to be the client. Bridging is not
> supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to
> HTTP.

It is a mystery to me. The language in the MS document seems to be
referring to some information other than the normal HTTP headers that must
be replicated to the back-end connection.

> Nagu Sittampalam | Security Team Leader, IT Solutions Division |
> Southampton Strategic Services Partnership | Landline: 02380 833012 | Fax:
> 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk | e-mail
> Nagu.Sittampalam@capita.co.uk | post Capita ITS, 1st Floor, One Guildhall
> Square, Above Bar, Southampton, SO14 7FP
> This email and any files transmitted with it are confidential, and may be
> subject to legal privilege, and are intended solely for the use of the
> individual or entity to whom they are addressed.
> If you have received this email in error or think you may have done so,
> you may not peruse, use, disseminate, distribute or copy this message.
> Please notify the sender immediately and delete the original e-mail from
> your system.
>
> *From:* Jeff Trawick [mailto:trawick@gmail.com]
> *Sent:* 23 January 2014 14:01
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] RE: SSL bridging with Apache reverse proxy
>
> On Thu, Jan 23, 2014 at 8:46 AM, Sittampalam, Nagu
> <Nagu.Sittampalam@southampton.gov.uk> wrote:
>
> Thank you for the response and yes it is not reverse proxy anymore. Is my
> assumption correct that Apache reverse proxy is not capable of doing SSL
> bridging?
>
> I'm not familiar with the term "SSL bridging". I see a description of
> "SSL bridging" in BIG-IP here: http://www.f5.com/glossary/ssl-bridging/
> Apache httpd does not have that capability. But Microsoft has a
> different description of "SSL bridging" here:
> http://technet.microsoft.com/en-us/library/cc722817.aspx
>
> What are you trying to accomplish? SSL termination at Apache httpd, and
> reverse proxy to backend server over SSL? Yes, that is implemented.
>
> *From:* Jeff Trawick [mailto:trawick@gmail.com]
> *Sent:* 23 January 2014 13:29
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] RE: SSL bridging with Apache reverse proxy
>
> On Thu, Jan 23, 2014 at 6:48 AM, Sittampalam, Nagu
> <Nagu.Sittampalam@southampton.gov.uk> wrote:
>
> Hello
>
> I did not get any response to my below email so I assume SSL bridging
> cannot be done on Apache reverse proxy. So wanted to know if it is
> possible to do SSL tunnelling with Apache reverse proxy?
>
> "Reverse" proxy hides the backend server from the client, and the httpd
> doing the proxying is the SSL termination point. I don't think you mean to
> refer to "reverse" proxy.
>
> See the notes on the CONNECT protocol support here:
>
> http://httpd.apache.org/docs/2.4/mod/mod_proxy_connect.html
>
> _____________________________________________
> *From:* Sittampalam, Nagu
> *Sent:* 17 January 2014 08:05
> *To:* 'users@httpd.apache.org'
> *Subject:* SSL bridging with Apache reverse proxy
>
> Hello
>
> Is it possible to do SSL bridging with Apache reverse proxy? Searching on
> the internet most results suggest it does not work. We want to use Apache
> reverse proxy to allow internet clients to connect to our Microsoft SCCM
> 2012 server. This requires SSL bridging with the ability to pass through
> client authentication header information.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
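As an added example, not from the thread and not the httpd project's own documentation: a minimal httpd 2.4 configuration for the arrangement Jeff confirms is implemented, that is TLS terminated at httpd with client certificate authentication, a fresh verified TLS connection to the backend, and the verified client identity handed on in request headers. Hostnames, file paths and the X-Client-* header names are assumptions, and whether the SCCM management point accepts client identity in such headers is not settled by the thread.

```apache
# Added example (not from the thread): httpd 2.4 terminating TLS with client
# certificate authentication and re-encrypting to the backend.
# Hostnames, file paths and the X-Client-* header names are assumptions.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

Listen 443
<VirtualHost *:443>
    ServerName proxy.example.org

    # --- Front side: TLS terminates here; the client must present a cert ---
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/httpd/tls/proxy.crt
    SSLCertificateKeyFile /etc/httpd/tls/proxy.key
    # CA that issued the client certificates; the chain must verify
    SSLCACertificateFile  /etc/httpd/tls/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # --- Back side: a new TLS connection to the backend, also verified ---
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.pem
    SSLProxyCheckPeerCN   on
    SSLProxyCheckPeerName on    # available from httpd 2.4.5

    # Hand the verified identity to the backend. "set" overwrites any value
    # the client supplied, so the backend may trust these headers only if it
    # is reachable solely through this proxy. SSL_CLIENT_VERIFY is SUCCESS
    # only when the client chain verified against SSLCACertificateFile.
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Issuer "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"

    # Reverse proxy only: no forward proxying / CONNECT from this vhost
    ProxyRequests Off
    ProxyPass        / https://backend.internal.example:443/
    ProxyPassReverse / https://backend.internal.example:443/
</VirtualHost>
```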