----- Original Message -----
From: Niccolo' Manfrini
To: users@xxxxxxxxxxxxxxxx
Sent: Friday, April 22, 2005 12:08 PM
Subject: Re: [users@httpd] SSL reverse proxy question

Andrea Palmieri wrote:

> I'm using Apache as a reverse proxy to hide several backend servers which host several applications:
>
>   https://myapache/name1/application_a -> http://ipserver1/application_a
>   https://myapache/name1/application_b -> http://ipserver1/application_b
>   https://myapache/name2/application_c -> http://ipserver2/application_c
>
> I'm using SSL client authentication with X.509 certificates to authenticate users. I was wondering if I can use different CA certificate files (one for each back-end server) to authenticate users' client certificates. Example:
>
>   users accessing application_a are authenticated using CertCA1
>   users accessing application_b are authenticated using CertCA1
>   users accessing application_c are authenticated using CertCA2
>
> The SSLCACertificateFile directive is used to set CA certificate files, but it can't be used within a <Location> context!
>
> Any suggestion or idea is really appreciated.
>
> Andrea

Maybe you can add to your DNS service configuration three CNAME values that point to your reverse proxy server name.

For example, application_a.mydomain.com, application_b.mydomain.com and application_c.mydomain.com should resolve to reverse_proxy.mydomain.com. Then append to your reverse proxy httpd.conf three VirtualHost definitions:

<VirtualHost *:443>
    ServerName application_a.mydomain.com
    SSLEngine on
    # server certificate and key presented to clients (server.crt path assumed)
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # only client certificates issued by CertCA1 are accepted in this vhost
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
    SSLVerifyClient require
    ProxyPass / http://myinternal_server/application_a/
    ProxyPassReverse / http://myinternal_server/application_a/
</VirtualHost>

<VirtualHost *:443>
    ServerName application_b.mydomain.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # only client certificates issued by CertCA2 are accepted in this vhost
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA2.crt
    SSLVerifyClient require
    ProxyPass / http://myinternal_server/application_b/
    ProxyPassReverse / http://myinternal_server/application_b/
</VirtualHost>

<VirtualHost *:443>
    ServerName application_c.mydomain.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # only client certificates issued by CertCA3 are accepted in this vhost
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA3.crt
    SSLVerifyClient require
    ProxyPass / http://myinternal_server/application_c/
    ProxyPassReverse / http://myinternal_server/application_c/
</VirtualHost>

------------------------------------------
Niccolo' Manfrini
Protechta - Information Security
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/