httpd-users mailing list archives

From Marc Schöchlin ...@256bit.org>
Subject Re: [users@httpd] Client certificate auth behind f5 loadbalancer
Date Sun, 29 Jun 2014 20:33:35 GMT
Hi,

thanks for your response.

I know that F5 loadbalancers can do this - unfortunately I use a shared
loadbalancer without the possibility to do fast changes to the
certificate revocation list.

Regards
Marc

 
On 28.06.2014 19:54, Marco Pizzoli wrote:
> Hi Marc,
> as F5 user maybe you are not yet aware that with F5, leveraging
> iRules, you can:
> - implement client cert verification/validation, also specifically
> checking the CN of the certificate
> - publish to the apache backend custom HTTP headers carrying
> information extracted from the client certificate
>
> Both cases are well documented on the F5 site. The first one in
> particular I can say from having implemented it on my own.
>
> Is it something useful to your case?
>
> Regards
> Marco
>
>
>
>
> On Sat, Jun 28, 2014 at 5:04 PM, Marc Schöchlin <ms@256bit.org
> <mailto:ms@256bit.org>> wrote:
>
>     Hi,
>
>     On 06/26/2014 04:08 PM, Andre.Wendel@bmw.de
>     <mailto:Andre.Wendel@bmw.de> wrote:
>     > Why do you terminate the ssl on the F5 and not on the
>     Apache-backend? We load balance IP/Port-based on the F5 and
>     terminate the SSL on the Apache backend, so you would be able to
>     turn on your SSLEngine and Proxy the SSL from the F5 on the SSL
>     Standard SSL Port 443 of the Apache and you can do everything you
>     want because you have all SSL information.
>
>     I use a wildcard certificate on my frontend ip to do irule-based
>     (looking for the hostheader) backend pool selection.
>     Therefore it would be good to terminate ssl in the f5.
>
>     I will now use a new frontend ip on the loadbalancer and then I
>     will forward the traffic to the backend servers....
>
>     Regards
>     Marc
>
>     --
>     GPG encryption available: 0x670DCBEC/pool.sks-keyservers.net
>     <http://pool.sks-keyservers.net>

