Good day,

I am using Apache HTTPd w/Mod_Proxy to proxy Apache Guacamole. The httpd side of things does a client side certificate validation. On Chrome and FF, everything works just fine, however on Safari, it does not. If I go direct to the Guacamole via Safari bypassing the mod_proxy, Safari works.
Using the developer tools in Safari, the /guacamole/api/tokes request is not getting the certificate "re-passed" by Safari, and apparently Chrome and FF handle this properly. Safari is important as the iPad uses Safari and FF/Chrome do not deal with client side certs loaded in the iOS keychain.
Below are what I believe are important details. I am hoping it is something simple I am missing and look forward to your ideas. I also believe this to be something that needs to be addressed on the mod_proxy side, and not guacamole.

Error from Safari's web console
-------------------------------
Failed to load resource: The server “https://xx.xx.xx” requires a client certificate.
(when requesting the above path /guacamole/api/tokes)

NOTE: This happens after the initial prompt for my certificate. Also note, I have an instance of ZoneMinder proxied, along with my Synology NAS, and they function just fine under Safari.

HTTPd modules loaded for proxy:
-----------------------------
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so

My HTTPd vhost configuration:
-----------------------------
<VirtualHost *:443>
    DocumentRoot "/web/MyRoot"
    ServerName xx.xx.xx:443

    SSLEngine on
    SSLCertificateFile /etc/CA/certs/xx.xx.xx.crt
    SSLCertificateKeyFile /etc/CA/private/xx.xx.xx.key
    SSLCACertificateFile /etc/CA/certs/xxx.crt
    SSLCARevocationFile /etc/CA/crl/xxx.crl
    SSLCARevocationCheck chain
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Pre Apache 2.4
    <Location />
        SetEnv no-gzip
    </Location>

    <Location /guacamole/>
        Order allow,deny
        Allow from all
        ProxyPass http://192.168.x.x:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://192.168.x.x:8080/guacamole/
    </Location>

    <Location /guacamole/websocket-tunnel>
        Order allow,deny
        Allow from all
        ProxyPass ws://192.168.x.x:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://192.168.x.x:8080/guacamole/websocket-tunnel
    </Location>

Thanks!
Scott