Re: Selecting SSLProxyMachineCertificateFile based on destination address

2015-03-23 20:01 GMT+01:00 Abdelouahed Haitoute <ahaitoute@xxxxxxxx>:
Hello,

I’m trying to set up a proxy server which selects the correct certificate based on destination IP address. I’m using Apache 2.4 on CentOS 6.6.

I’m using the following configuration:

<VirtualHost *:3128>
  SSLProxyEngine On
  SSLProxyVerify require
  SSLProxyVerifyDepth 10
  <If "%{REMOTE_ADDR} -ipmatch '192.168.0.0/24'">
    SSLProxyMachineCertificateFile /etc/pki/tls/certs/example.com.cer
    SSLProxyCACertificateFile   /etc/pki/tls/certs/ca.cer
  </If>
  <Else>
    SSLProxyMachineCertificateFile /etc/pki/tls/certs/example.org.cer
    SSLProxyCACertificateFile   /etc/pki/tls/certs/ca.cer
  </Else>

  RewriteEngine On
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]

  ProxyPreserveHost On
  ProxyPass            /  https://$1/
  ProxyPassReverse     /  https://$1/
</VirtualHost>

But I’m getting the following error when I start the httpd service:
Starting httpd: AH00526: Syntax error on line 8 of /opt/rh/httpd24/root/etc/httpd/conf.d/forward_ssl_proxy.conf:
SSLProxyMachineCertificateFile not allowed here
                                                           [FAILED]

Can someone help me achieve my goal of using the correct certificate based on destination address?

With kind regards,

Abdelouahed


Hello,

Your configuration is confusing.

Are you really trying to reverse proxy, or to forward proxy your local network to any URL on the Internet?


 
REMOTE_ADDR
This variable checks the SOURCE IP of the client connecting to your server; it is not the destination IP as you mention.

If you really want to check the source IP for some particular reason, you still can't use SSLProxyMachineCertificateFile in that context, because that directive can only be used in server config. It should also have all certificates in one single file, so you really don't need to define it twice, or define it conditionally as you are trying to do:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile



Now onto the proxy directives....

You also have two lines that do the same thing, but incorrectly:
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]
ProxyPass            /  https://$1/
The ProxyPass does the same as the RewriteRule above it, but it is incorrect: ProxyPass has no value for $1 AFAIK, and the RewriteRule is essentially doing the same thing, so use one or the other.

HTTP_HOST implies the client can request any URL and you will try to proxy to it, so for all purposes you seem to want <Proxy *> instead of ProxyPass/RewriteRule. If this were the case, you certainly don't need to check the certificate according to destination.




So... if you want to do a reverse proxy because there are only limited destinations, by all means specify them manually instead of using HTTP_HOST, and use ProxyPass as you are trying.

like:
in server config:
SSLProxyMachineCertificateFile /path/to/catchallfile.pem

then
<VirtualHost *:3128>
ServerName example.com
(SSLProxy directives here...)
ProxyRequests off
ProxyPass / https://example.com/
</VirtualHost>
<VirtualHost *:3128>
ServerName example.org
(SSLProxy directives here...)
ProxyRequests off
ProxyPass / https://example.org/
</VirtualHost>

And if you want to FORWARD proxy then:

<VirtualHost *:3128>
ProxyRequests on
<Proxy *>
# in case you want to allow proxying only from specific IPs:
Require ip <range>
</Proxy>
AllowCONNECT 443
</VirtualHost>


Hope this helps.

Regards,


--
Daniel Ferradal
IT Specialist

email         dferradal@xxxxxxxxx
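The two layouts from the reply above, assembled into one complete httpd 2.4 fragment as an added example (it is not Daniel's code and is not part of the original thread). The bundle path, the forward-proxy port 8080 and the ca.cer path are assumptions; the hostnames and the 192.168.0.0/24 range are carried over from the question. It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_connect are loaded and that ports 3128 and 8080 are not already covered by another Listen directive.

```apache
# --- Server config (outside every <VirtualHost>) ---
# SSLProxyMachineCertificateFile is only permitted at this level. The file is
# the concatenation of every PEM client certificate, each followed by its
# private key, that the proxy may present to an upstream server (assumed path).
# When an upstream asks for a client certificate, mod_ssl picks the entry whose
# issuer is named in the CA list of the server's CertificateRequest; if the
# server sends no CA list, the first entry in the file is used. Selection is
# therefore by issuing CA, never by destination address.
SSLProxyMachineCertificateFile /etc/pki/tls/certs/proxy-client-bundle.pem

Listen 3128
Listen 8080

# --- Reverse proxy: one name-based VirtualHost per fixed destination ---
# The Host header the client sends picks the block. The upstream URL is
# written out in full, so HTTP_HOST never appears in it and no RewriteRule
# is needed. SSLProxyVerify require plus SSLProxyCACertificateFile makes the
# proxy reject an upstream whose server certificate does not chain to ca.cer;
# SSLProxyCheckPeerName (2.4.5 and later) additionally requires the name in
# that certificate to match the host in the ProxyPass URL.
<VirtualHost *:3128>
    ServerName example.com
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    SSLProxyCACertificateFile /etc/pki/tls/certs/ca.cer
    SSLProxyCheckPeerName On
    # this block is a reverse proxy only; never accept proxy-style requests here
    ProxyRequests Off
    ProxyPass        / https://example.com/
    ProxyPassReverse / https://example.com/
</VirtualHost>

<VirtualHost *:3128>
    ServerName example.org
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    SSLProxyCACertificateFile /etc/pki/tls/certs/ca.cer
    SSLProxyCheckPeerName On
    ProxyRequests Off
    ProxyPass        / https://example.org/
    ProxyPassReverse / https://example.org/
</VirtualHost>

# --- Forward proxy (assumed port 8080), restricted by SOURCE address ---
# "Require ip" (like REMOTE_ADDR in an <If>) tests the address of the client
# talking to the proxy, which is the only place a source-IP check belongs.
# With CONNECT the proxy just relays bytes: the TLS handshake, including any
# client certificate, is done end to end by the browser and the destination,
# so the machine certificate bundle above plays no part in this block.
<VirtualHost *:8080>
    ProxyRequests On
    AllowCONNECT 443
    <Proxy "*">
        Require ip 192.168.0.0/24
    </Proxy>
</VirtualHost>
```

Run `apachectl configtest` (or `httpd -t` against the SCL config) after dropping this in; it will report the same AH00526 "not allowed here" error the question shows if SSLProxyMachineCertificateFile is moved back inside a VirtualHost or <If>. Newer 2.4 releases relax the allowed context of several SSLProxy* directives, so check the mod_ssl documentation for the exact version you run before relying on that.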
