httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <Andre.Wen...@bmw.de>
Subject AW: [users@httpd] Client certificate auth behind f5 loadbalancer
Date Thu, 26 Jun 2014 14:08:58 GMT
Why do you terminate the ssl on the F5 and not on the Apache-backend? We load balance IP/Port-based
on the F5 and terminate the SSL on the Apache backend, so you would be able to turn on your
SSLEngine and Proxy the SSL from the F5 on the SSL Standard SSL Port 443 of the Apache and
you can do everything you want because you have all SSL information.

Cheers,
André

-----Ursprüngliche Nachricht-----
Von: Eric Covener [mailto:covener@gmail.com] 
Gesendet: Donnerstag, 26. Juni 2014 00:05
An: users@httpd.apache.org
Betreff: Re: [users@httpd] Client certificate auth behind f5 loadbalancer

On Wed, Jun 25, 2014 at 5:53 PM, Marc Schöchlin <ms@256bit.org> wrote:
> in my understanding authentication using client certificates is just a
> cryptographic validation of a public/private keypair over a already
> established ssl-secured channel.
> For example, it is possible to use a official certificate for the ssl
> channel and my own ca for client certificate validation.

It's part of the handshake, which can be later scrutinized by the
application layer.

However, there is no standard way to share the the client certificate
authenticated by a proxy with a backend origin server, and no way at
all that mod_ssl is willing to receive (that I am aware of)

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Mime
View raw message