Re: Mod_Proxy, SSLVerifyClient, Safari, and Guacamole issues

So, I am sending this to the list for archive purposes. I ended up resolving the Safari issue by moving the SSLVerifyClient to the Location definition vs. the VirtualHost definition. After doing this, I added a Location definition for the api/tokens path to not require client certificate validation. My end goal of keeping the overall application protected is, I believe, achieved here, hopefully.

<Location /guacamole/>
  Order allow,deny
  Allow from all
  ProxyPass ajp://192.168.x.x:8009/guacamole/ flushpackets=on
  ProxyPassReverse ajp://192.168.x.x:8009/guacamole/
  SSLVerifyClient require
</Location>

<Location /guacamole/api/tokens>
  Order allow,deny
  Allow from all
  ProxyPass ajp://192.168.x.x:8009/guacamole/api/tokens flushpackets=on
  ProxyPassReverse ajp://192.168.x.x:8009/guacamole/api/tokens
</Location>

<Location /guacamole/websocket-tunnel>
  Order allow,deny
  Allow from all
  ProxyPass ws://192.168.x.x:8009/guacamole/websocket-tunnel
  ProxyPassReverse ws://192.168.x.x:8009/guacamole/websocket-tunnel
  SSLVerifyClient require
</Location>

Scott
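
The configuration above relies on the /guacamole/api/tokens block simply not restating SSLVerifyClient. As an added example (not from the thread), the Python audit below computes the policy each request path actually gets under Apache's section merging: the vhost value is the base, every matching <Location> is merged in config order, and a section that does not set the directive inherits the value merged so far; the CONFIG string is constructed from the posted configuration.

```python
import re

# Constructed sample: the follow-up configuration from the thread, reduced to
# the sections and directives that decide the client-certificate policy.
CONFIG = """
<VirtualHost *:443>
  <Location /guacamole/>
    SSLVerifyClient require
  </Location>
  <Location /guacamole/api/tokens>
    ProxyPass ajp://192.168.x.x:8009/guacamole/api/tokens flushpackets=on
  </Location>
  <Location /guacamole/websocket-tunnel>
    SSLVerifyClient require
  </Location>
</VirtualHost>
"""

def parse_vhost(text):
    """Return (vhost_setting, [(location, setting), ...]) in config order; None = unset."""
    vhost_setting, locations, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<Location\s+(\S+)\s*>$", line)
        if m:
            current = [m.group(1), None]
        elif line == "</Location>":
            locations.append(tuple(current)); current = None
        elif (m := re.match(r"SSLVerifyClient\s+(\S+)$", line)):
            if current is None: vhost_setting = m.group(1)  # vhost level
            else: current[1] = m.group(1)                    # inside <Location>
    return vhost_setting, locations

def location_matches(loc, path):
    """<Location /a/> covers everything below /a/; <Location /a> covers /a and below, not /ab."""
    return path.startswith(loc) if loc.endswith("/") else (path == loc or path.startswith(loc + "/"))

def effective_verify(path, vhost_setting, locations):
    """Vhost value first, then every matching <Location> in config order; unset inherits."""
    setting = vhost_setting
    for loc, loc_setting in locations:
        if location_matches(loc, path) and loc_setting is not None:
            setting = loc_setting
    return setting or "none"  # mod_ssl's default when the directive is never set

def audit(text, paths):
    vhost_setting, locations = parse_vhost(text)
    return {p: effective_verify(p, vhost_setting, locations) for p in paths}
```

Under this merge model the tokens block as posted still inherits `require` from the enclosing /guacamole/ section, and only an explicit `SSLVerifyClient none` in that block exempts the path.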

On 2018-02-21 18:53, Scott Palmer wrote:

Good day,

I am using Apache HTTPd w/ mod_proxy to proxy Apache Guacamole. The httpd side of things does client-side certificate validation. On Chrome and FF, everything works just fine; however, on Safari it does not. If I go directly to Guacamole via Safari, bypassing mod_proxy, Safari works.

Using the developer tools in Safari, the /guacamole/api/tokens request is not getting the certificate "re-passed" by Safari, and apparently Chrome and FF handle this properly. Safari is important, as the iPad uses Safari and FF/Chrome do not deal with client-side certs loaded in the iOS keychain.

Below are what I believe are the important details. I am hoping it is something simple I am missing and look forward to your ideas. I also believe this to be something that needs to be addressed on the mod_proxy side, and not Guacamole.

Error from Safari's web console
-------------------------------
Failed to load resource: The server "https://xx.xx.xx" requires a client certificate. (when requesting the above path /guacamole/api/tokens)

NOTE: This happens after the initial prompt for my certificate. Also note, I have an instance of ZoneMinder proxied, along with my Synology NAS, and they function just fine under Safari.

HTTPd modules loaded for proxy:
-------------------------------
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so

My HTTPd vhost configuration:
-----------------------------
<VirtualHost *:443>
  DocumentRoot "/web/MyRoot"
  ServerName xx.xx.xx:443
  SSLEngine on
  SSLCertificateFile /etc/CA/certs/xx.xx.xx.crt
  SSLCertificateKeyFile /etc/CA/private/xx.xx.xx.key
  SSLCACertificateFile /etc/CA/certs/xxx.crt
  SSLCARevocationFile /etc/CA/crl/xxx.crl
  SSLCARevocationCheck chain
  SSLVerifyClient require
  SSLVerifyDepth 10
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>

  BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  # Pre Apache 2.4
  <Location />
    SetEnv no-gzip
  </Location>

  <Location /guacamole/>
    Order allow,deny
    Allow from all
    ProxyPass http://192.168.x.x:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://192.168.x.x:8080/guacamole/
  </Location>

  <Location /guacamole/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://192.168.x.x:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://192.168.x.x:8080/guacamole/websocket-tunnel
  </Location>
</VirtualHost>

Thanks!
Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx