httpd-users mailing list archives

From "Leon" <wangxuz...@gmail.com>
Subject [users@httpd] Configure a Forward Proxy that inspect client certificate
Date Thu, 22 Oct 2015 20:44:24 GMT
Hi,

I've configured a forward proxy by enabling the "ProxyRequests" switch in
the mod_proxy module. It forwards client traffic to the origin server perfectly.
But we have a requirement (for security purposes) that we need to inspect the TLS
handshake between the client and server. To be specific, the following two
conditions should be met in order for the proxy to allow the connection:

    1. The origin server address must be in our whitelist, and the server
       must provide a correct server certificate during the TLS handshake.
    2. The client must provide a client certificate during the TLS handshake.
       And the certificate's subject must be in our whitelist.

Is there a way I can do that in forward proxy mode? Any suggestion is
appreciated!

Following is my proxy configuration:

Listen 8080
<VirtualHost _default_:8080>
DocumentRoot "${SRVROOT}/htdocs"
ServerName www.example.com:8080
ServerAdmin admin@example.com
ErrorLog "${SRVROOT}/logs/error.log"

ProxyRequests On
ProxyVia On

SSLOptions +StdEnvVars
SSLProxyVerify require
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on

<Proxy "*">
</Proxy>

CustomLog "${SRVROOT}/logs/zz.log" \
          "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x Server_DN: %{SSL_SERVER_S_DN}x Client_DN: %{SSL_CLIENT_S_DN}x \"%r\" %>s %b"
</VirtualHost>


Thanks!
Leon
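
An added example, not part of Leon's message and not httpd project code: a Python audit that checks lines written in the CustomLog format above against the two allow-list conditions in the message. The allow-list entries and the sample log lines are constructed; it assumes an unset SSL variable is logged as "-" and that subject DNs are compared as exact strings.

```python
import re
from urllib.parse import urlsplit

# Mirrors the CustomLog format string in the posted configuration.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] (?P<proto>\S+) (?P<cipher>\S+) '
    r'Server_DN: (?P<server_dn>.*?) Client_DN: (?P<client_dn>.*?) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Hypothetical allow-lists (constructed values, not from the original post).
ALLOWED_ORIGINS = {"api.partner.example:443"}
ALLOWED_CLIENT_DNS = {"CN=build-agent-01,O=Example Corp,C=US"}


def origin_of(request):
    """Return the lower-cased host:port the request line asks the proxy to reach."""
    method, _, rest = request.partition(" ")
    target = rest.split(" ")[0]
    if method != "CONNECT":  # a plain proxied request carries an absolute URL
        url = urlsplit(target)
        default_port = 443 if url.scheme == "https" else 80
        target = f"{url.hostname}:{url.port or default_port}"
    return target.lower()


def audit(line):
    """Return policy findings for one log line; an empty list means compliant."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return ["unparseable"]
    findings = []
    if origin_of(m["request"]) not in ALLOWED_ORIGINS:
        findings.append("origin-not-allowed")
    if m["client_dn"] == "-":  # no client certificate was visible to the proxy
        findings.append("client-cert-not-seen")
    elif m["client_dn"] not in ALLOWED_CLIENT_DNS:
        findings.append("client-dn-not-allowed")
    return findings


# Constructed sample lines in that log format.
SAMPLES = [
    '10.0.0.5 - - [22/Oct/2015:20:44:24 +0000] - - Server_DN: - Client_DN: - '
    '"CONNECT api.partner.example:443 HTTP/1.1" 200 -',
    '10.0.0.6 - - [22/Oct/2015:20:45:02 +0000] - - Server_DN: - Client_DN: - '
    '"GET http://other.example/ HTTP/1.1" 200 1024',
    '10.0.0.7 - - [22/Oct/2015:20:46:10 +0000] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 '
    'Server_DN: CN=www.example.com Client_DN: CN=build-agent-01,O=Example Corp,C=US '
    '"CONNECT api.partner.example:443 HTTP/1.1" 200 512',
]
```

Calling audit() on each entry of SAMPLES lists which of the two conditions a logged request failed.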

