Re: [users@httpd] SSL reverse proxy question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] SSL reverse proxy question
From: "Niccolo' Manfrini" <manfrini@xxxxxxxxxxxx>
Date: Fri, 22 Apr 2005 12:08:52 +0200
Delivered-to: apmail-httpd-users-archive@xxxxxxxxxxxxxx
Delivered-to: apmail-httpd-users-archive@xxxxxxxxxxxxxxxx
Delivered-to: mailing list users@xxxxxxxxxxxxxxxx
In-reply-to: <001201c5471b$de69c550$3f6514ac@andreap>
Mailing-list: contact users-help@xxxxxxxxxxxxxxxx; run by ezmlm
References: <001201c5471b$de69c550$3f6514ac@andreap>
Reply-to: users@xxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.2-1.3.2 (X11/20050324)

Andrea Palmieri wrote:

I'am using Apache as a reverse proxy to hide several backend servers which host several application

https://myapache/name1/application_a -> http://ipserver1/application_a

https://myapache/name1/application_b -> http://ipserver1/application_b

https://myapache/name2/application_c -> http://ipserver2/application_c

I'am using SSL client authentication with x509 certificates to authenticate users.

I was wondering if I can use different CA certificate files (one for each back-end server) to authenticate users' client certificates.

example

users accessing application_a are authenticated using CertCA1

users accessing application_b are authenticated using CertCA1

users accessing application_c are authenticated using CertCA2

The SSLCACertificateFile directive is used to set CA certificate files, but it can't be used within a <Location> context !

Any suggestion or idea is really appreciated

Andrea

Maybe you can add to your dns service configuration three CNAME values that point to your reverse proxy server name. For example:

application_a.mydomain.com, application_b.mydomain.com, application_c.mydomain.com
should resolve to: reverse_proxy.mydomain.com

Then in append in your reverse proxy httpd.conf three VirtualHosts definitions:

<VirtualHost *:443>
ServerName application_a.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
ProxyPass / http://myinternal_server/application_a/
ProxyPassReverse / http://myinternal_server/application_a/
</VirtualHost>

<VirtualHost *:443>
ServerName application_b.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA2.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
ProxyPass / http://myinternal_server/application_b/
ProxyPassReverse / http://myinternal_server/application_b/
</VirtualHost>

<VirtualHost *:443>
ServerName application_c.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/CertCA3.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
ProxyPass / http://myinternal_server/application_c/
ProxyPassReverse / http://myinternal_server/application_c/
</VirtualHost>

------------------------------------------
Niccolo' Manfrini
Protechta - Information Security
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/

Follow-Ups:
- Re: [users@httpd] SSL reverse proxy question
  - From: David Lang
- Re: [users@httpd] SSL reverse proxy question
  - From: Andrea Palmieri

References:
- [users@httpd] SSL reverse proxy question
  - From: Andrea Palmieri

Prev by Date: RE: [users@httpd] IPF porting of HTTP Server (2.0.53): Test related guidelines/info
Next by Date: Re: [users@httpd] SSL reverse proxy question
Previous by thread: [users@httpd] SSL reverse proxy question
Next by thread: Re: [users@httpd] SSL reverse proxy question
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]