httpd-users mailing list archives

From Marc Schöchlin ...@256bit.org>
Subject [users@httpd] Client certificate auth behind f5 loadbalancer
Date Wed, 25 Jun 2014 19:08:56 GMT
Hello apache-users,

I'm trying to implement client certificate authentication behind an F5
load balancer.

My load balancer terminates SSL and dispatches the decrypted
communication via network address translation to the backend Apache server.
The client certificate auth should be performed at the web server.

Unfortunately the "SSLVerifyClient" directive is ignored and access is
always granted.
It seems that without SSL transport encryption enabled, the logic for
"SSLVerifyClient" is deactivated.


Any hints?

Setup Overview:

[Browser with client cert]-----<HTTPS/443>----->[Loadbalancer with SSL termination]------<HTTP/80>------>[Apache 2.2.11]

Apache Configuration:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<VirtualHost *:80>
    DocumentRoot "/data/etc/htdocs"

    ServerName fooo-bar-test.foooooooo.de

    CustomLog "|/usr/sbin/rotatelogs -l /data/logs/access-guisel-test.foooooooo.de.%Y-%m-%d.log 86400" combined_foobar_withdomain
    ErrorLog "|/usr/sbin/rotatelogs -l /data/logs/error-guisel-test.foooooooo.de.%Y-%m-%d.log 86400"

    SSLCACertificateFile /datashare/etc/ca/keys/ca.crt
    # SSLCARevocationFile /datashare/etc/ca/keys/ca.crl

    <Location />
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire        %{SSL_CLIENT_S_DN_O}  eq "Foobar"
        Satisfy all
    </Location>

</VirtualHost>
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Regards Marc
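
The following is an added example, not part of the original message or of Apache httpd: a small Python check that flags the pattern in the posted configuration, where client-certificate directives sit in a virtual host that never enables mod_ssl, so no TLS handshake happens at Apache and no certificate is ever requested. The function name and sample configuration are constructed for illustration; the check assumes it only needs to look inside each `<VirtualHost>` block and ignores a globally set `SSLEngine` and any included files.

```python
import re

# mod_ssl evaluates these only on connections where it terminated TLS itself.
TLS_ONLY = {"sslverifyclient", "sslrequire"}

# Constructed sample: the first vhost mirrors the posted layout, the second
# is a hypothetical backend that terminates TLS itself.
SAMPLE = """\
<VirtualHost *:80>
    ServerName plain.example.test
    <Location />
        SSLVerifyClient require
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Foobar"
    </Location>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    <Location />
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

def find_unenforced_ssl_directives(conf_text):
    """Return (vhost, line_no, directive) for client-cert directives that sit
    in a <VirtualHost> block without 'SSLEngine on'."""
    findings, vhost, engine_on, pending = [], None, False, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, engine_on, pending = opened.group(1).strip(), False, []
        elif re.match(r"</VirtualHost>", line, re.I):
            if vhost is not None and not engine_on:
                findings.extend((vhost, n, d) for n, d in pending)
            vhost = None
        elif vhost is not None:
            parts = line.split()
            name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
            if name == "sslengine" and args[:1] == ["on"]:
                engine_on = True
            elif name in TLS_ONLY and args[:1] != ["none"]:
                pending.append((no, parts[0]))
    return findings

if __name__ == "__main__":
    for vhost, no, directive in find_unenforced_ssl_directives(SAMPLE):
        print(f"{vhost} line {no}: {directive} has no effect without SSLEngine on")
```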
