From: "Leon"
Date: Thu, 22 Oct 2015 13:44:24 -0700
Message-ID: <003101d10d0a$704b4470$50e1cd50$@gmail.com>
Subject: [users@httpd] Configure a Forward Proxy that inspects client certificates

Hi,

I've configured a forward proxy by enabling the "ProxyRequests" switch in the mod_proxy module. It forwards client traffic to the origin server perfectly. But we have a requirement (for security purposes) that we need to inspect the TLS handshake between the client and server. To be specific, the following two conditions should be met in order for the proxy to allow the connection:

1. The origin server address must be in our whitelist, and the server must provide a correct server certificate during the TLS handshake.
2. The client must provide a client certificate during the TLS handshake, and the certificate's subject must be in our whitelist.

Is there a way I can do that in forward proxy mode? Any suggestion is appreciated!

Following is my proxy configuration:

    Listen 8080
    DocumentRoot "${SRVROOT}/htdocs"
    ServerName www.example.com:8080
    ServerAdmin admin@example.com
    ErrorLog "${SRVROOT}/logs/error.log"
    ProxyRequests On
    ProxyVia On
    SSLOptions +StdEnvVars
    SSLProxyVerify require
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerName on
    CustomLog "${SRVROOT}/logs/zz.log" \
        "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x Server_DN: %{SSL_SERVER_S_DN}x Client_DN: %{SSL_CLIENT_S_DN}x \"%r\" %>s %b"

Thanks!
Leon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
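As an added example that is not part of Leon's post or of the httpd project: a Python script that audits access-log records written in the CustomLog format shown in the post and checks, after the fact, the two conditions the post lists (origin certificate CN and CONNECT target in a server whitelist; a client certificate present with its CN in a client whitelist). The whitelists, the Finding class, the helper names and the sample log lines are constructed for this example. It parses log records rather than interposing on the handshake, and SSL_CLIENT_S_DN is only populated when the client's own connection to the proxy was TLS with a client certificate; a "-" in that field is therefore reported as "no client certificate presented".

```python
"""Audit Apache forward-proxy access logs for TLS identity policy violations."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Matches the CustomLog format from the post:
#   "%h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x Server_DN: %{SSL_SERVER_S_DN}x
#    Client_DN: %{SSL_CLIENT_S_DN}x \"%r\" %>s %b"
# DNs may contain spaces, so they are delimited by the literal "Server_DN:" /
# "Client_DN:" markers and the quoted request line, not by \S+.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'(?P<proto>\S+) (?P<cipher>\S+) '
    r'Server_DN: (?P<server_dn>.*?) Client_DN: (?P<client_dn>.*?) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-)$'
)

# Assumed whitelists for the example; a real deployment would load these from config.
SERVER_WHITELIST: Set[str] = {"www.example.com"}
CLIENT_WHITELIST: Set[str] = {"alice", "bob"}

# Constructed sample records in the post's log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2015:13:44:24 -0700] TLSv1.2 ECDHE-RSA-AES128-SHA Server_DN: CN=www.example.com,O=Example Inc,C=US Client_DN: CN=alice,OU=Eng,O=Example Inc,C=US "CONNECT www.example.com:443 HTTP/1.1" 200 5120
10.0.0.7 - - [22/Oct/2015:13:45:02 -0700] TLSv1.2 ECDHE-RSA-AES128-SHA Server_DN: CN=www.example.com,O=Example Inc,C=US Client_DN: - "CONNECT www.example.com:443 HTTP/1.1" 200 880
10.0.0.9 - - [22/Oct/2015:13:46:10 -0700] TLSv1.2 ECDHE-RSA-AES128-SHA Server_DN: CN=evil.example.net,O=Unknown,C=US Client_DN: CN=alice,OU=Eng,O=Example Inc,C=US "CONNECT evil.example.net:443 HTTP/1.1" 200 42
10.0.0.5 - - [22/Oct/2015:13:47:00 -0700] TLSv1.2 ECDHE-RSA-AES128-SHA Server_DN: CN=www.example.com,O=Example Inc,C=US Client_DN: CN=mallory,OU=Eng,O=Example Inc,C=US "CONNECT www.example.com:443 HTTP/1.1" 200 300
"""


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 2253 style DN ('CN=alice,O=Example Inc,C=US') into a dict.

    Kept simple for the constructed data: escaped commas inside values are not
    handled. '-' (Apache's value for an absent variable) yields an empty dict.
    """
    attrs: Dict[str, str] = {}
    if dn in ("", "-"):
        return attrs
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def connect_target_host(request: str) -> Optional[str]:
    """Return the host from a 'CONNECT host:port HTTP/1.1' request line, else None."""
    parts = request.split()
    if len(parts) >= 2 and parts[0] == "CONNECT":
        return parts[1].rsplit(":", 1)[0]
    return None


@dataclass
class Finding:
    lineno: int
    client_host: str
    problems: List[str]


def audit(log_text: str, server_whitelist: Set[str], client_whitelist: Set[str]) -> List[Finding]:
    """Return one Finding per log record that violates the origin or client policy."""
    findings: List[Finding] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = LINE_RE.match(line)
        if match is None:
            findings.append(Finding(lineno, "?", ["unparseable log line"]))
            continue
        rec = match.groupdict()
        problems: List[str] = []

        # Condition 1: origin identity (certificate CN and the CONNECT target) must be whitelisted.
        server_cn = parse_dn(rec["server_dn"]).get("CN")
        if server_cn is None:
            problems.append("no origin server certificate recorded")
        elif server_cn not in server_whitelist:
            problems.append(f"origin CN {server_cn} not in whitelist")
        target = connect_target_host(rec["request"])
        if target is not None and target not in server_whitelist:
            problems.append(f"CONNECT target {target} not in whitelist")

        # Condition 2: a client certificate must be present and its CN whitelisted.
        client_cn = parse_dn(rec["client_dn"]).get("CN")
        if client_cn is None:
            problems.append("no client certificate presented")
        elif client_cn not in client_whitelist:
            problems.append(f"client CN {client_cn} not in whitelist")

        if problems:
            findings.append(Finding(lineno, rec["host"], problems))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SERVER_WHITELIST, CLIENT_WHITELIST):
        print(f"line {finding.lineno} ({finding.client_host}): " + "; ".join(finding.problems))
```

On the constructed sample the script reports lines 2, 3 and 4: a CONNECT with no client certificate, a CONNECT to an origin outside the whitelist, and a client whose certificate CN is not whitelisted. Run it against a real zz.log by replacing SAMPLE_LOG with the file contents; it is an after-the-fact check, so a policy-violating tunnel has already been opened by the time it shows up here.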