Re: [users@httpd] SSL reverse proxy question

I didn't think you could use name-based virtual hosts with SSL, since the server cert needs to match the hostname requested and the server won't see the request until after the SSL session is established (at least with SSL2/3).

Am I mistaken?

David Lang


On Fri, 22 Apr 2005, Niccolo' Manfrini wrote:

Andrea Palmieri wrote:

I'm using Apache as a reverse proxy to hide several backend servers which host several applications:

https://myapache/name1/application_a -> http://ipserver1/application_a
https://myapache/name1/application_b -> http://ipserver1/application_b
https://myapache/name2/application_c -> http://ipserver2/application_c

I'm using SSL client authentication with X.509 certificates to authenticate users. I was wondering if I can use different CA certificate files (one for each back-end server) to authenticate users' client certificates.
Example: users accessing application_a are authenticated using CertCA1
users accessing application_b are authenticated using CertCA1
users accessing application_c are authenticated using CertCA2
The SSLCACertificateFile directive is used to set CA certificate files, but it can't be used within a <Location> context!
Any suggestion or idea is really appreciated
Andrea

Maybe you can add to your DNS configuration three CNAME records that point to your reverse proxy server name. For example:

application_a.mydomain.com, application_b.mydomain.com, application_c.mydomain.com
should resolve to: reverse_proxy.mydomain.com

Then append to your reverse proxy's httpd.conf three VirtualHost definitions:

<VirtualHost *:443>
ServerName application_a.mydomain.com
SSLEngine on
# server certificate and key presented for this name (server.crt is an assumed path)
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# CA that must have issued the client certificate for this application
SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
SSLVerifyClient require
ProxyPass / http://myinternal_server/application_a/
ProxyPassReverse / http://myinternal_server/application_a/
</VirtualHost>

<VirtualHost *:443>
ServerName application_b.mydomain.com
SSLEngine on
# server certificate and key presented for this name (server.crt is an assumed path)
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# CA that must have issued the client certificate for this application
SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA2.crt
SSLVerifyClient require
ProxyPass / http://myinternal_server/application_b/
ProxyPassReverse / http://myinternal_server/application_b/
</VirtualHost>

<VirtualHost *:443>
ServerName application_c.mydomain.com
SSLEngine on
# server certificate and key presented for this name (server.crt is an assumed path)
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# CA that must have issued the client certificate for this application
SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA3.crt
SSLVerifyClient require
ProxyPass / http://myinternal_server/application_c/
ProxyPassReverse / http://myinternal_server/application_c/
</VirtualHost>


------------------------------------------
Niccolo' Manfrini
Protechta - Information Security
Tel. +39 0521 2021
Fax. +39 0521 207461
http://www.protechta.it/
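A small configuration audit for the per-application vhost layout suggested above, added here as an example and not part of the thread or of httpd itself. It parses <VirtualHost> blocks from a constructed sample config and reports SSL vhosts that lack SSLCACertificateFile or SSLVerifyClient require (so the CA split would not actually be enforced), and name-based SSL vhosts that share one address, which is David Lang's point and only works when both client and server support SNI.

```python
import re
from collections import defaultdict

# Constructed sample: vhost a enforces client certs from CertCA1, vhost c does not.
SAMPLE_CONF = """<VirtualHost *:443>
ServerName application_a.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/CertCA1.crt
SSLVerifyClient require
ProxyPass / http://myinternal_server/application_a/
</VirtualHost>
<VirtualHost *:443>
ServerName application_c.mydomain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
ProxyPass / http://myinternal_server/application_c/
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return [(address, {directive: value})] for each <VirtualHost> block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name] = value.strip()
        vhosts.append((addr.strip(), directives))
    return vhosts

def audit(conf):
    """List SSL vhosts that would not enforce per-application client-cert auth."""
    findings, per_addr = [], defaultdict(list)
    for addr, d in parse_vhosts(conf):
        if d.get("SSLEngine", "").lower() != "on":
            continue
        name = d.get("ServerName", "<no ServerName>")
        per_addr[addr].append(name)
        if "SSLCACertificateFile" not in d:
            findings.append(f"{name}: no SSLCACertificateFile, client certs cannot be verified")
        if d.get("SSLVerifyClient", "none").lower() != "require":
            findings.append(f"{name}: SSLVerifyClient is not 'require', a client cert is optional")
    for addr, names in per_addr.items():
        if len(names) > 1:  # name-based SSL vhosts on one socket need SNI on both sides
            findings.append(f"{addr}: {len(names)} SSL vhosts share one address, SNI required")
    return findings
```

Running audit(SAMPLE_CONF) reports two findings for application_c and one for the shared *:443 address, and nothing for application_a.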

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx